x64 Return Address Spoofing

This article discusses a technique to evade detection by modifying the return address of Windows API calls, making malicious code appear as if it's executing from legitimate memory regions.

https://hulkops.gitbook.io/blog/red-team/x64-return-address-spoofing

#evading
