This hooking technique have described in the following blog post https://www.oguzkartal.net/blog/index.php/2019/08/26/intercepting-the-windows-10-system-service-call-using-the-weakness-caused-by-the-dynamic-trace-support/