It is, of course, only a matter of time - just like kernel-level copy protection and Sony's XCP - before something like Vanguard in particular is exploited and abused by malware.

Himata is correct, too. After DMA-based stuff, it'll be CPU debugging mode exploits like DCI-OOB, some of which can be made detectable in kernel mode; or, stealthier hypervisors.