[ executex64 ]
https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x86/src/migrate/executex64.asm

[ x64function aka remotethread ]
https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x64/src/migrate/remotethread.asm

[ binary strings for executex64 and remotethread/x64function ]
https://github.com/rapid7/metasploit-payloads/blob/45e98c85a3dc2b55d8e907a87c0555a89e3a1aa3/c/meterpreter/source/metsrv/base_inject.c#L8  [newer]
https://github.com/rapid7/meterpreter/blob/d338f702ce8cb7f4e550f005ececaf5f3cadd2bc/source/common/arch/win/i386/base_inject.c#L15         [older]

[ Wow64 Subsystem Internals and Hooking Techniques ]
https://www.fireeye.com/blog/threat-research/2020/11/wow64-subsystem-internals-and-hooking-techniques.html

[ RtlCreateUserThread ]
http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FExecutable%20Images%2FRtlCreateUserThread.html

[ origin of binary strings ]
https://githubmemory.com/repo/rapid7/metasploit-framework/issues/15625