
simple method.

    __int64 NtCompareSigningLevels()
    {
      int v0; // eax

      v0 = 0;
      if ( function_pointer )
        v0 = ((__int64 (*)(void))function_pointer)();
      // 0xC0000428 is STATUS_INVALID_IMAGE_HASH
      return v0 == 0 ? 0xC0000428 : 0;
    }

this loads a qword into r9 from a var.

we use pdfwkrnl's vulnerable memcpy function to swap this pointer to our kernel function.
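A defender-side check for the driver this technique depends on, as an added example that is not part of this repository: it lists driver services whose image is pdfwkrnl.sys with the file's hash and signer, searches Sysmon driver-load events, and reads the vulnerable driver blocklist setting. The function names are hypothetical; only the driver file name comes from the page.

```powershell
# Added example, not code from this repository. Function names are illustrative.
$DriverName = 'pdfwkrnl.sys'   # driver file name taken from the page

function Resolve-DriverPath {
    param([string]$PathName)
    # Service image paths can carry NT-style prefixes; map them to Win32 paths.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
}

function Find-DriverService {
    param([string]$Name = $DriverName)
    # Match on the image file name, because the service name can be anything.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -like "*\$Name" } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            $onDisk = Test-Path -LiteralPath $path
            [pscustomobject]@{
                Service = $_.Name
                State   = $_.State
                Path    = $path
                SHA256  = if ($onDisk) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash }
                Signer  = if ($onDisk) { (Get-AuthenticodeSignature -LiteralPath $path).SignerCertificate.Subject }
            }
        }
}

function Find-DriverLoadEvent {
    param([string]$Name = $DriverName)
    # Sysmon event ID 6 records driver loads; yields nothing if Sysmon is not installed.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*\$Name*" } |
        Select-Object TimeCreated, Message
}

function Get-DriverBlocklistSetting {
    # Microsoft vulnerable driver blocklist switch (1 = enabled, 0 = disabled).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $v = Get-ItemProperty -Path $key -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
    if ($null -eq $v) { 'not set' } else { $v.VulnerableDriverBlocklistEnable }
}

Find-DriverService | Format-List
Find-DriverLoadEvent | Format-List
"VulnerableDriverBlocklistEnable: $(Get-DriverBlocklistSetting)"
```

Reading the Sysmon log requires an elevated session.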

Description
abusing signed pdfwkrnl.sys for kernel function calling from usermode.