An Introduction to Sleep Obfuscation for Malware (2023)

56 points by jstrieb 1 year ago | 3 comments
  • enoent 1 year ago
    Sleep obfuscation seems to be viable because scanners only execute periodically. I'm not very familiar with Windows internals, but why don't these scanners hook the VirtualProtect calls and only then scan the associated memory region? My understanding on using ROP is to make the calls seem to originate from trusted modules, but couldn't a kernel driver / hypervisor be able to detect all these calls regardless? Is it just too taxing on overall system performance or is there some other limitation?
    • tsujamin 1 year ago
      VirtualProtect might be unhooked in userspace by the payload, and the payload might only be decrypted for a short moment (to run a task, do a beacon cycle) so you’d have to be quick capturing its unobfuscated form.

      Not sure if you can actually hook/intercept VirtualProtect on the kernel side, probably not due to the performance and safety implications, but there are ETW feeds that emit telemetry for the call now (https://undev.ninja/introduction-to-threat-intelligence-etw/)

    • kelsey98765431 1 year ago
      excellent write up, i wonder if rather than sleeping using some regular math benches could better hide sleeps without being too heavy on a cpu...