https://www.securelist.com/en/analysis/204792235/XPAJ_Reversing_a_Windows_x64_Bootkit
XPAJ: Reversing a Windows x64 Bootkit
(such as rootkits or ransomware Trojans). Malware writers are not above analyzing their competitors’ malicious code.
It is not easy to impress a malware expert with a new bootkit nowadays: boot-record infections have been studied in depth and plenty of information on the subject can be found online. However, this time we have come across an interesting specimen: the Xpaj file infector, complete with bootkit functionality and able to run under both Windows x86 and Windows x64. What makes it stand out is that it runs successfully on Windows x64 with PatchGuard enabled, using splicing (inline hooking of kernel code) to prevent the infected boot record from being read or modified.
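The splicing mentioned above is inline hooking: the first bytes of a kernel routine are overwritten with a jump into the malware's handler, so every caller of that routine (including a tool that tries to read the boot sector) is diverted. The following is an added example, not code from the Securelist article or from Xpaj itself: a small scanner that recognises the common x86/x64 splicing patterns in a function prologue, resolves where the jump goes, and compares the live prologue against a known-clean copy (for instance the same bytes from the on-disk kernel image). The virtual address `DEMO_VA` and the byte sequences `demo_*` are constructed for the demonstration; the kernel function Xpaj actually hooks is not named on this page.

```c
/* Added example (not from the article): recognise "splicing" (inline hook)
 * patterns at the start of a function and resolve the hook target.
 * DEMO_VA and the demo_* byte sequences are constructed for this demo. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    HOOK_NONE = 0,
    HOOK_JMP_REL32,     /* E9 rel32                      (x86 and x64) */
    HOOK_JMP_RIP_IND,   /* FF 25 disp32: jmp [rip+disp32] (x64 form)   */
    HOOK_MOV_RAX_JMP,   /* 48 B8 imm64 ; FF E0: mov rax,imm64 ; jmp rax */
    HOOK_PUSH_RET       /* 68 imm32 ; C3: push imm32 ; ret (x86 form)   */
} hook_kind;

typedef struct {
    hook_kind kind;
    uint64_t  target;   /* where control is diverted to, 0 if unknown */
} hook_result;

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint64_t rd64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }

/* Classify the first `len` bytes (`code`) of a function that lives at virtual
 * address `va`. For the RIP-relative form the reported target is the address
 * of the pointer slot, since the slot's contents are not part of `code`. */
hook_result classify_prologue(const uint8_t *code, size_t len, uint64_t va)
{
    hook_result r = { HOOK_NONE, 0 };
    if (len >= 5 && code[0] == 0xE9) {
        r.kind = HOOK_JMP_REL32;
        r.target = va + 5 + (int64_t)(int32_t)rd32(code + 1);
    } else if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) {
        r.kind = HOOK_JMP_RIP_IND;
        r.target = va + 6 + (int64_t)(int32_t)rd32(code + 2);
    } else if (len >= 12 && code[0] == 0x48 && code[1] == 0xB8 &&
               code[10] == 0xFF && code[11] == 0xE0) {
        r.kind = HOOK_MOV_RAX_JMP;
        r.target = rd64(code + 2);
    } else if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {
        r.kind = HOOK_PUSH_RET;
        r.target = rd32(code + 1);
    }
    return r;
}

/* Pattern matching alone misses hooks written with an unusual stub; comparing
 * the live prologue with a trusted copy catches those. Returns the number of
 * differing bytes (0 means the prologue is untouched). */
size_t prologue_tampered(const uint8_t *live, const uint8_t *clean, size_t len)
{
    size_t diff = 0;
    for (size_t i = 0; i < len; i++)
        diff += (live[i] != clean[i]);
    return diff;
}

/* Constructed samples (hypothetical): a typical clean x64 prologue and four
 * spliced versions of it, all padded with NOPs to 12 bytes. */
#define DEMO_VA 0xFFFFF80001000000ULL
static const uint8_t demo_clean[12]    = {0x48,0x89,0x5C,0x24,0x08,0x48,0x89,0x74,0x24,0x10,0x57,0x48};
static const uint8_t demo_jmp_rel[12]  = {0xE9,0x00,0x00,0x10,0x00,0x90,0x90,0x90,0x90,0x90,0x90,0x90};
static const uint8_t demo_rip_ind[12]  = {0xFF,0x25,0xF6,0xFF,0xFF,0xFF,0x90,0x90,0x90,0x90,0x90,0x90};
static const uint8_t demo_mov_jmp[12]  = {0x48,0xB8,0x88,0x77,0x66,0x55,0x44,0x33,0x22,0x11,0xFF,0xE0};
static const uint8_t demo_push_ret[12] = {0x68,0x78,0x56,0x34,0x12,0xC3,0x90,0x90,0x90,0x90,0x90,0x90};

int main(void)
{
    const uint8_t *samples[] = { demo_clean, demo_jmp_rel, demo_rip_ind,
                                 demo_mov_jmp, demo_push_ret };
    const char *names[] = { "clean", "jmp rel32", "jmp [rip+disp]",
                            "mov rax/jmp rax", "push/ret" };
    for (size_t i = 0; i < 5; i++) {
        hook_result r = classify_prologue(samples[i], 12, DEMO_VA);
        printf("%-16s kind=%d target=0x%016llx tampered_bytes=%zu\n", names[i],
               (int)r.kind, (unsigned long long)r.target,
               prologue_tampered(samples[i], demo_clean, 12));
    }
    return 0;
}
```

In a real check the "clean" bytes come from the kernel image on disk (after applying relocations), and the live bytes from a kernel-mode reader, because a hooked routine will happily lie to user mode. Note that a legitimate hot-patch prologue (`mov edi, edi` followed by a short jump) also changes these bytes, so a hit should be confirmed by following the target and checking whether it lands inside a known module.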
the Xpaj file infector does not infect 64-bit executable modules, including kernel-mode drivers, i.e. the virus infects only 32-bit executables (.exe and .dll);
What about PatchGuard?
Any protection tool can be hacked or bypassed one way or another. PatchGuard is no exception.