
What did the researchers propose as a solution? The article doesn't mention any way around this.


The first thing I would try is a bit hacky but might work. I'd take a copy of the data structures you are analysing when looking for malware and then copy it back to the original place just before you call the normal Windows function.

It would minimise the amount of time the malware had to get the data in.

What you really need is to move the data into kernel space somehow. That would need a tweak to Windows though.

The difficulty for the attacker comes in creating the initial attacker and faker threads. Possibly AV can hook the creation of threads and examine new threads for this potential behaviour (this might kill heavily threaded apps though). Then the virus maker would have to attack two separate threads.


Two problems:

1) Efficiency

2) When an argument refers to a large amount of data which is necessarily in the user's memory space, e.g. memory-mapped files.
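The race the thread is discussing, and the "take a copy" mitigation proposed above, as an added C example that is not code from the original thread: `open_req_t`, `real_open`, `is_allowed` and the `race_fn` callback are hypothetical stand-ins for an argument structure, the wrapped OS function, the scanner and the second ("faker") thread, with the swap invoked synchronously so the outcome is deterministic. It also makes the reply's second objection concrete: the fix only works because the whole argument fits in the snapshot.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed request structure that a user-mode hook inspects before
 * forwarding the call to the operating system. */
typedef struct { char path[64]; uint32_t flags; } open_req_t;

/* Models the "faker" thread rewriting the argument after the scan but
 * before the real call; invoked synchronously so the demo is deterministic. */
typedef void (*race_fn)(open_req_t *);
void swap_to_evil(open_req_t *r) { strcpy(r->path, "C:\\evil.dll"); }
void no_race(open_req_t *r) { (void)r; }

/* Stand-in for the real OS function (hypothetical); records the path it
 * actually acted on. */
static char g_last_opened[64];
static int real_open(const open_req_t *r) { strcpy(g_last_opened, r->path); return 0; }
const char *last_opened_path(void) { return g_last_opened; }

/* Trivial stand-in for the AV's argument analysis. */
static int is_allowed(const open_req_t *r) { return strstr(r->path, "evil") == NULL; }

/* Weak hook: scans the caller's buffer, then forwards the SAME buffer.
 * Whatever is written into it in between reaches the OS unchecked. */
int hook_weak(open_req_t *req, race_fn race) {
    if (!is_allowed(req)) return -1;
    race(req);                      /* time-of-check / time-of-use window */
    return real_open(req);
}

/* Snapshot hook: copy once, scan the copy, forward the copy. The caller's
 * buffer is never re-read, so changing it afterwards has no effect. */
int hook_snapshot(open_req_t *req, race_fn race) {
    open_req_t snap;
    memcpy(&snap, req, sizeof snap);
    if (!is_allowed(&snap)) return -1;
    race(req);                      /* rewriting the original is now harmless */
    return real_open(&snap);
}

int main(void) {
    open_req_t r = { "C:\\benign.txt", 0 }, s = { "C:\\benign.txt", 0 };
    hook_weak(&r, swap_to_evil);     printf("weak:     %s\n", last_opened_path());
    hook_snapshot(&s, swap_to_evil); printf("snapshot: %s\n", last_opened_path());
    return 0;
}
```

Forwarding the private copy closes the window entirely, whereas copying it back into the caller's buffer just before the call (as the comment suggests) only shrinks it; neither helps when the argument points at a large memory-mapped region that cannot be snapshotted.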



