The only thing that I can think of that would do this is the Chromium sandbox - it does use EAT patching as one of the techniques for function hooking (which is obviously only useful in the case where none of the library's function pointers have been resolved yet) [[1](https://searchfox.org/mozilla-central/rev/b59a99943de4dd314bae4e44ab43ce7687ccbbec/security/sandbox/chromium/sandbox/win/src/interception_agent.cc#210)]. That would make sense to be coming from `firefox.exe` since that's where the Chromium parts live.
Bug 1509748 Comment 5 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
The only thing that I can think of that would do this is the Chromium sandbox - it does use EAT patching as one of the techniques for function hooking (which is obviously only useful in the case where none of the library's function pointers have been resolved yet) [[1](https://searchfox.org/mozilla-central/rev/b59a99943de4dd314bae4e44ab43ce7687ccbbec/security/sandbox/chromium/sandbox/win/src/interception_agent.cc#210)][[2](https://searchfox.org/mozilla-central/rev/b59a99943de4dd314bae4e44ab43ce7687ccbbec/security/sandbox/chromium/sandbox/win/src/process_mitigations_win32k_dispatcher.cc#126)]. That would make sense to be coming from `firefox.exe` since that's where the Chromium parts live.