by SpaghettiCthulu 363 days ago
Correct me if I'm wrong, but ntdll isn't magic. An attacker could just use raw syscall machine code, although they would need to pay close attention to the OS version.
1 comments

The goal to my madness was producing a binary without interrupts in any region of executable memory. Assuming W^X protection holds, that should be pretty airtight. I was also assuming I controlled the compiler.
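One way to verify the property the reply describes, as an added example rather than code from either commenter: walk a PE's section table and flag the kernel-entry opcode sequences (syscall, sysenter, int 0x2e) only inside sections marked executable. The PE-building helper and the sample bytes are constructed for the demo; a linear byte scan can false-positive on x86's variable-length encoding, so each hit is a candidate to confirm with a disassembler.

```python
import struct

# Byte patterns for the instructions that enter the kernel on x86/x64 Windows.
SYSCALL_OPCODES = {b"\x0f\x05": "syscall", b"\x0f\x34": "sysenter", b"\xcd\x2e": "int 0x2e"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section Characteristics flag

def executable_sections(pe: bytes):
    """Yield (name, raw_offset, raw_size) for every section flagged executable."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    for i in range(nsec):
        name, _vs, _va, rsize, roff, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + 40 * i)
        if chars & IMAGE_SCN_MEM_EXECUTE:
            yield name.rstrip(b"\0").decode(), roff, rsize

def find_syscall_sites(code: bytes, base: int = 0):
    """Linear byte scan; x86 is variable-length, so treat hits as candidates to disassemble."""
    hits = []
    for pat, mnem in SYSCALL_OPCODES.items():
        pos = code.find(pat)
        while pos != -1:
            hits.append((base + pos, mnem))
            pos = code.find(pat, pos + 1)
    return sorted(hits)

def audit_pe(pe: bytes):
    """Map each executable section name to the kernel-entry candidates found in it."""
    return {name: hits for name, roff, rsize in executable_sections(pe)
            if (hits := find_syscall_sites(pe[roff:roff + rsize], roff))}

def build_sample_pe(text: bytes, data: bytes) -> bytes:
    """Constructed minimal PE: one executable .text and one non-executable .data."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)             # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0, 0)      # no optional header
    hdr_end = 64 + 4 + 20 + 2 * 40
    def sec(name, raw, off, flags):
        return struct.pack("<8sIIIIIIHHI", name, len(raw), 0x1000, len(raw), off, 0, 0, 0, 0, flags)
    secs = sec(b".text", text, hdr_end, 0x60000020) + sec(b".data", data, hdr_end + len(text), 0xC0000040)
    return dos + b"PE\0\0" + coff + secs + text + data

# Constructed x64 stub: mov eax, 0x18 ; syscall ; ret.  The same 0F 05 bytes in .data are ignored.
SAMPLE = build_sample_pe(b"\xb8\x18\x00\x00\x00\x0f\x05\xc3", b"\x0f\x05\x00\x00")
# audit_pe(SAMPLE) -> {'.text': [(173, 'syscall')]}
```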