This is a great writeup, thanks for posting it. The post mentions Early Bird APC is a fairly recent development, around 2018, but process injection has been around for a long time. Is there any theoretical work being done towards locking down processes against injection in more robust ways than simply making sure there is no temporal chance to inject a malicious code? I’m thinking something along the lines of CFI, but for processes instead of subroutines, would be useful if it could be made to work.