>>8
Those nops are not reliably there, they're just compiler generated alignment for modules built in Release mode. If the executable were built in Debug mode, then you'd have int3's there (or 0xCC filler) as alignment.
Your point about patching the 2 byte mov edi,edi instruction as a short jump is valid, but in practice, most third party hook libs just patch the mov edi,edi/push ebp/mov ebp,esp (and create a trampoline). There are a lot of ways to ensure that the EIP is not on the push ebp/mov ebp,esp instruction, such as cleverly using page protection + exception handler or just pausing all threads and checking their context.
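For anyone auditing a process for inline hooks, the byte patterns discussed in this post can be checked directly. The following is an added example, not code from the post or from any hooking library; the function names, enum names and sample byte windows are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAD_LEN 5       /* bytes inspected before the entry point */
#define PROLOGUE_LEN 5  /* mov edi,edi / push ebp / mov ebp,esp */

enum pad_kind { PAD_NOP, PAD_INT3, PAD_OTHER };
enum entry_state { ENTRY_INTACT, ENTRY_SHORT_JMP, ENTRY_NEAR_JMP, ENTRY_UNKNOWN };

static const uint8_t PROLOGUE[PROLOGUE_LEN] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC};

/* win = PAD_LEN bytes before the entry point followed by PROLOGUE_LEN bytes at it */
enum pad_kind classify_padding(const uint8_t *win) {
    int nop = 1, int3 = 1;
    for (int i = 0; i < PAD_LEN; i++) {
        if (win[i] != 0x90) nop = 0;   /* Release-style nop filler */
        if (win[i] != 0xCC) int3 = 0;  /* Debug-style int3 filler */
    }
    return nop ? PAD_NOP : int3 ? PAD_INT3 : PAD_OTHER;
}

enum entry_state classify_entry(const uint8_t *win) {
    const uint8_t *entry = win + PAD_LEN;
    if (memcmp(entry, PROLOGUE, PROLOGUE_LEN) == 0) return ENTRY_INTACT;
    /* EB F9 = jmp short -7: lands on entry-5, where a jmp rel32 (E9) must sit */
    if (entry[0] == 0xEB && entry[1] == 0xF9 && win[0] == 0xE9) return ENTRY_SHORT_JMP;
    /* E9 at the entry: the whole 5-byte prologue was overwritten (heuristic;
       a legitimate function can also begin with a jmp, e.g. a linker thunk) */
    if (entry[0] == 0xE9) return ENTRY_NEAR_JMP;
    return ENTRY_UNKNOWN;
}

/* Constructed sample windows, not taken from any real module */
const uint8_t release_clean[10] = {0x90,0x90,0x90,0x90,0x90, 0x8B,0xFF,0x55,0x8B,0xEC};
const uint8_t debug_clean[10]   = {0xCC,0xCC,0xCC,0xCC,0xCC, 0x8B,0xFF,0x55,0x8B,0xEC};
const uint8_t short_hooked[10]  = {0xE9,0x10,0x20,0x30,0x00, 0xEB,0xF9,0x55,0x8B,0xEC};
const uint8_t near_hooked[10]   = {0x90,0x90,0x90,0x90,0x90, 0xE9,0x10,0x20,0x30,0x00};

int main(void) {
    const uint8_t *s[] = {release_clean, debug_clean, short_hooked, near_hooked};
    for (int i = 0; i < 4; i++)
        printf("sample %d: padding=%d entry=%d\n", i,
               classify_padding(s[i]), classify_entry(s[i]));
    return 0;
}
```

In a real audit the window would be read from the loaded module and compared against the same bytes in the on-disk image, since padding alone varies by build configuration.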