Here is the elegant part. Using VirtualProtect (or NtProtectVirtualMemory to avoid userland hooks), Passathook changes the .text section of the primary ntdll to RWX (Read-Write-Execute) for exactly 4 microseconds. It then executes a rep movsb to copy the first 32-128 bytes (the hook trampoline area) from the clean map to the live map. Finally, it reverts the permissions to RX (Read-Execute).
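Seen from the defender's side, the sequence above leaves a recognisable trace: the ntdll .text region goes RX to RWX and back to RX almost immediately. The following is an added example, not code from the original page or from Passathook, that scans memory-protection-change telemetry for that flip. The ProtectEvent record layout, its field names and the 1 ms window are assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass

# Windows memory-protection constants (winnt.h)
PAGE_EXECUTE_READ = 0x20       # RX
PAGE_EXECUTE_READWRITE = 0x40  # RWX

@dataclass(frozen=True)
class ProtectEvent:
    """Hypothetical telemetry record for one protection change (not a real sensor schema)."""
    ts_us: int        # timestamp in microseconds
    pid: int
    module: str       # module backing the affected region
    section: str      # PE section the region belongs to
    base: int         # base address of the region
    new_protect: int  # protection value being applied

def find_rwx_flips(events, module="ntdll.dll", section=".text", window_us=1000):
    """Return (pid, base, duration_us) for each RWX -> RX flip on the
    given module section that completes within window_us."""
    open_rwx = {}  # (pid, base) -> time the region became RWX
    hits = []
    for ev in sorted(events, key=lambda e: e.ts_us):
        if ev.module.lower() != module or ev.section != section:
            continue
        key = (ev.pid, ev.base)
        if ev.new_protect == PAGE_EXECUTE_READWRITE:
            open_rwx[key] = ev.ts_us
        elif ev.new_protect == PAGE_EXECUTE_READ and key in open_rwx:
            duration = ev.ts_us - open_rwx.pop(key)
            if duration <= window_us:
                hits.append((ev.pid, ev.base, duration))
    return hits

# Constructed sample events (PIDs, addresses and timestamps are made up).
SAMPLE_EVENTS = [
    ProtectEvent(1_000_000, 4321, "ntdll.dll", ".text", 0x7FFA10001000, PAGE_EXECUTE_READWRITE),
    ProtectEvent(1_000_004, 4321, "ntdll.dll", ".text", 0x7FFA10001000, PAGE_EXECUTE_READ),
    # Different module: ignored by the default filter.
    ProtectEvent(2_000_000, 5555, "app.dll", ".text", 0x7FFA20001000, PAGE_EXECUTE_READWRITE),
    ProtectEvent(2_000_010, 5555, "app.dll", ".text", 0x7FFA20001000, PAGE_EXECUTE_READ),
    # ntdll again, but RWX is held for 6 seconds: outside the short window.
    ProtectEvent(3_000_000, 6666, "ntdll.dll", ".text", 0x7FFA10001000, PAGE_EXECUTE_READWRITE),
    ProtectEvent(9_000_000, 6666, "ntdll.dll", ".text", 0x7FFA10001000, PAGE_EXECUTE_READ),
]

if __name__ == "__main__":
    for pid, base, dur in find_rwx_flips(SAMPLE_EVENTS):
        print(f"pid={pid} base={base:#x} RWX held for {dur} us")
```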