Hacker News: purplehat_'s comments

This is a great writeup, thanks for posting it. The post mentions Early Bird APC is a fairly recent development, around 2018, but process injection has been around for a long time. Is there any theoretical work being done towards locking down processes against injection in more robust ways than simply making sure there is no temporal chance to inject malicious code? I'm thinking something along the lines of CFI, but for processes instead of subroutines, would be useful if it could be made to work.


The whole reason this complicated method was researched is exactly because the traditional injection routes are locked down/easily monitored.

In a previous life where I had to find a way to stealthily inject Chrome (in the presence of good anti-viruses), the solution was to find an obscure type of Windows shell extension which if registered would automatically be loaded by Windows into Chrome without triggering an alert.


I can think of many reasons to do what you describe, none of them good.


Red teaming?

