Sleep obfuscation seems to be viable because scanners only execute periodically. I'm not very familiar with Windows internals, but why don't these scanners hook the VirtualProtect calls and only then scan the associated memory region? My understanding of using ROP is to make the calls seem to originate from trusted modules, but couldn't a kernel driver / hypervisor be able to detect all these calls regardless? Is it just too taxing on overall system performance or is there some other limitation?
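As an added illustration of the event-driven alternative the question raises (this is constructed example code, not something from the post or any product): detection logic that consumes protection-change records a kernel-side sensor could emit, picks the moments at which a private region becomes executable as scan triggers, and flags regions that keep cycling between writable and executable. The record layout, the "RW"/"RX" protection labels and the thresholds are all assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample records: (t_sec, pid, region_base, region_type,
# old_protect, new_protect). The layout is an assumption for this example,
# not any real sensor's schema. Process 4242 flips one private region
# between RW and RX every ~60 s; process 1337 patches an image section once.
EVENTS = [
    (0.0,   4242, 0x1A0000, "PRIVATE", "RW", "RX"),
    (0.5,   4242, 0x1A0000, "PRIVATE", "RX", "RW"),
    (60.5,  4242, 0x1A0000, "PRIVATE", "RW", "RX"),
    (61.0,  4242, 0x1A0000, "PRIVATE", "RX", "RW"),
    (120.5, 4242, 0x1A0000, "PRIVATE", "RW", "RX"),
    (121.0, 4242, 0x1A0000, "PRIVATE", "RX", "RW"),
    (3.0,   1337, 0x7FF600000000, "IMAGE", "RX", "RW"),  # benign one-off
    (3.1,   1337, 0x7FF600000000, "IMAGE", "RW", "RX"),
]

EXEC_PROTECTIONS = {"RX", "RWX", "WCX"}


def is_exec(protect):
    return protect in EXEC_PROTECTIONS


def scan_triggers(events):
    """Times at which a private (non-image) region turned executable.
    Scanning the region at exactly these points, rather than on a timer,
    is the event-driven approach the question asks about."""
    return [t for t, _, _, rtype, old, new in sorted(events)
            if rtype == "PRIVATE" and not is_exec(old) and is_exec(new)]


def find_protection_flips(events, min_cycles=2, window_sec=300.0):
    """Map (pid, base) -> number of exec -> non-exec cycles seen within
    `window_sec` for private regions that cycled at least `min_cycles` times."""
    transitions = defaultdict(list)
    for t, pid, base, rtype, old, new in sorted(events):
        if rtype != "PRIVATE":
            continue  # image sections are patched legitimately; out of scope here
        if not is_exec(old) and is_exec(new):
            transitions[(pid, base)].append(("exec", t))
        elif is_exec(old) and not is_exec(new):
            transitions[(pid, base)].append(("noexec", t))
    hits = {}
    for key, seq in transitions.items():
        # A cycle is an exec transition immediately followed by a non-exec one.
        cycles = [seq[i][1] for i in range(len(seq) - 1)
                  if seq[i][0] == "exec" and seq[i + 1][0] == "noexec"]
        for i in range(len(cycles)):  # sliding window over cycle start times
            n = sum(1 for c in cycles[i:] if c - cycles[i] <= window_sec)
            if n >= min_cycles:
                hits[key] = n
                break
    return hits
```

The benign image-section edit never reaches the flip detector because it is filtered by region type, while the repeated RW/RX cycling of private memory is reported after two cycles inside the window.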