KProcessHacker.sys is blocked because it subverts the Windows security model. It allows a user-mode caller (through KProcessHacker's internal IOCTLs) to open processes and threads as a kernel-mode requester, basically bypassing standard AV filtering techniques that depend on object manager callback registration (ObRegisterCallbacks). The resulting kernel handle is returned to user mode and can be used to modify the target thread or process (operations such as suspend/terminate, modification of virtual memory, etc.). This functionality can easily be reused by third-party attackers.