An Introduction to Sleep Obfuscation for Malware (2023) (dtsec.us)
56 points by jstrieb 10 months ago | hide | past | favorite | 3 comments



Sleep obfuscation seems to be viable because scanners only execute periodically. I'm not very familiar with Windows internals, but why don't these scanners hook the VirtualProtect calls and only then scan the associated memory region? My understanding on using ROP is to make the calls seem to originate from trusted modules, but couldn't a kernel driver / hypervisor be able to detect all these calls regardless? Is it just too taxing on overall system performance or is there some other limitation?


VirtualProtect might be unhooked in userspace by the payload, and the payload might only be decrypted for a short moment (to run a task, do a beacon cycle) so you’d have to be quick capturing its unobfuscated form.

Not sure if you can actually hook/intercept VirtualProtect on the kernel side, probably not due to the performance and safety implications, but there are ETW feeds that emit telemetry for the call now (https://undev.ninja/introduction-to-threat-intelligence-etw/).
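The first comment asks why a periodic scanner misses the payload and whether scanning on the VirtualProtect call would do better, and the reply above points out that the payload is in the clear only for a short moment. The following toy timing model is an added example (not code from the thread or from the linked article) that makes that race concrete: a beacon is exposed for a short window every cycle, a timer-driven scanner samples memory on its own schedule, and a hook-driven scanner is invoked on each protection change. All durations, the "scanner" and the "beacon" are constructed for illustration; nothing here touches real process memory.

```python
"""
Added example, not code from the HN thread or the linked dtsec.us article: a toy
timing model of the race the comments describe. A beacon's payload is decrypted
(executable) only for short windows between sleeps; a scanner that wakes on a
fixed timer may never sample during such a window, while one triggered by the
RW->RX protection change sees every window. Every timing value is constructed.
"""
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class ExposureWindow:
    """Half-open interval [start, end) during which the payload is in the clear."""
    start: float
    end: float


def exposure_windows(n_cycles, sleep_time, exposure, phase):
    """Windows for a beacon that sleeps `sleep_time`, runs for `exposure`, repeats.
    `phase` is the time of the first window, which the defender does not know."""
    cycle = sleep_time + exposure
    return [ExposureWindow(phase + i * cycle, phase + i * cycle + exposure)
            for i in range(n_cycles)]


def scan_times(horizon, interval, jitter, rng):
    """Timer-driven scanner: fires every `interval` seconds, optionally with
    +/- `jitter` added to each gap so it does not stay locked to one phase."""
    times, t = [], 0.0
    while True:
        t += interval + (rng.uniform(-jitter, jitter) if jitter else 0.0)
        if t > horizon:
            return times
        times.append(t)


def periodic_scan_detects(windows, scans):
    """True if any scan lands inside any exposure window."""
    return any(w.start <= t < w.end for t in scans for w in windows)


def event_scan_detects(windows):
    """A scanner invoked on every protection change (the hook the first comment
    asks about) inspects the region exactly when it becomes executable, so it
    sees every window no matter how short the window is."""
    return len(windows) > 0


def detection_rate(trials, n_cycles, sleep_time, exposure, interval, jitter, seed=0):
    """Monte Carlo estimate of the probability that a timer-driven scanner
    catches the payload in the clear at least once over `n_cycles` beacons."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        # The beacon's phase relative to the scanner is unknown: draw it at random.
        phase = rng.uniform(0.0, sleep_time + exposure)
        windows = exposure_windows(n_cycles, sleep_time, exposure, phase)
        scans = scan_times(windows[-1].end, interval, jitter, rng)
        hits += periodic_scan_detects(windows, scans)
    return hits / trials


if __name__ == "__main__":
    # Constructed scenario: 200 ms in the clear every 5 s, scanner every 5 s.
    aligned = detection_rate(500, 50, 4.8, 0.2, 5.0, jitter=0.0)
    jittered = detection_rate(500, 50, 4.8, 0.2, 5.0, jitter=1.0)
    print(f"fixed 5 s scan interval  : {aligned:.2f} of runs detected")
    print(f"5 s +/- 1 s scan interval: {jittered:.2f} of runs detected")
    hooked = event_scan_detects(exposure_windows(1, 4.8, 0.2, 0.0))
    print(f"scan on protection change: detected={hooked}")
```

Two things fall out of running it. With a fixed scan interval that happens to match the beacon's cycle, the scanner's sample point stays at the same offset from the window in every cycle, so the chance of ever catching it is just exposure divided by interval (about 4% here) no matter how many cycles you wait; adding jitter to the scan schedule breaks that alignment and the cumulative chance climbs towards certainty over many cycles. The hook-driven scanner does not depend on timing at all, which is exactly why the reply notes that a payload would want to unhook VirtualProtect in userspace and why ETW telemetry for the call, generated outside the process, matters.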


Excellent write-up. I wonder if, rather than sleeping, using some regular math benches could better hide sleeps without being too heavy on a CPU...





