Created this pointless C# POC.
— Rasta Mouse (@_RastaMouse) October 1, 2021
Inject sRDI shellcode into self (which does nothing but call Sleep). Hook this API and each time it's called, XOR the region of memory the shellcode lives in. Then XOR it back after the sleep has elapsed.
PE-Sieve shows the 2 different outputs. pic.twitter.com/Uijf2g9ElT