It depends on the payload's behaviour too: if it performs many suspicious tasks, like adding a startup key, making outbound connections, copying itself, among others, then it will be harder to hide it from AVs.
It depends on your defences too, I mean things like anti-dump (protecting some memory regions in some way), anti-emulation and anti-debug to avoid the AV's code emulation and its sandbox.
In my personal experience API hooks are not needed; you can use other ways like syscalls or changing the API flow of your loader, or simply both. Here are some tips about runtime detection:
Quote:
https://blog.cobaltstrike.com/2018/02/08/in-memory-evasion/
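Added example, not from the post above or from the linked Cobalt Strike article: two of the runtime checks the post alludes to (a debugger-presence check and a timing heuristic for emulators or single-stepping), written for Linux so the block runs stand-alone. On Windows the same pattern is implemented against PEB->BeingDebugged or NtQueryInformationProcess; that mapping, the constructed /proc/self/status samples, the loop count and the ratio threshold are all assumptions of this example.

```c
/* Added example: runtime anti-debug / anti-emulation checks, Linux version.
 * Not code from the post or from the Cobalt Strike article it links. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Constructed samples of /proc/<pid>/status text (not captured from a real
 * system), used so the parser can be exercised without a live debugger. */
const char SAMPLE_TRACED[] =
    "Name:\tloader\nState:\tt (tracing stop)\nTgid:\t4242\nPid:\t4242\n"
    "PPid:\t1\nTracerPid:\t4100\nUid:\t1000\t1000\t1000\t1000\n";
const char SAMPLE_CLEAN[] =
    "Name:\tloader\nState:\tS (sleeping)\nTgid:\t4242\nPid:\t4242\n"
    "PPid:\t1\nTracerPid:\t0\nUid:\t1000\t1000\t1000\t1000\n";

/* Extract the TracerPid field from /proc/<pid>/status text.
 * Returns the tracer's PID (0 when nothing is attached), or -1 if the
 * field is missing or malformed. A non-zero value means a ptrace-based
 * debugger (gdb, strace, a sandbox's tracer) is attached. */
long parse_tracer_pid(const char *status_text) {
    const char *p = strstr(status_text, "TracerPid:");
    if (!p) return -1;
    p += strlen("TracerPid:");
    while (*p == ' ' || *p == '\t') p++;
    char *end;
    long v = strtol(p, &end, 10);
    if (end == p) return -1;
    return v;
}

/* Read the live /proc/self/status and report whether a tracer is attached.
 * Windows equivalent (assumption, not shown): PEB->BeingDebugged or
 * NtQueryInformationProcess(ProcessDebugPort). */
int debugger_attached(void) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return 0;
    char buf[4096];
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tracer_pid(buf) > 0;
}

/* Timing heuristic: run a fixed amount of CPU work and compare wall-clock
 * elapsed time with CPU time charged to this process. When the process is
 * being single-stepped or run under a slow emulator, wall time grows far
 * faster than accounted CPU time, so the ratio climbs well above ~1.0.
 * Returns wall/cpu; 0.0 if no CPU time was measurable. */
double wall_to_cpu_ratio(unsigned long iterations) {
    struct timespec w0, w1, c0, c1;
    clock_gettime(CLOCK_MONOTONIC, &w0);
    clock_gettime(CLOCK_PROCESS_CPUTIME_ID, &c0);
    volatile unsigned long acc = 0;          /* volatile: keep the loop */
    for (unsigned long i = 0; i < iterations; i++) acc += i ^ (acc >> 3);
    clock_gettime(CLOCK_MONOTONIC, &w1);
    clock_gettime(CLOCK_PROCESS_CPUTIME_ID, &c1);
    double wall = (double)(w1.tv_sec - w0.tv_sec) + (w1.tv_nsec - w0.tv_nsec) / 1e9;
    double cpu  = (double)(c1.tv_sec - c0.tv_sec) + (c1.tv_nsec - c0.tv_nsec) / 1e9;
    if (cpu <= 0.0) return 0.0;
    return wall / cpu;
}

/* Assumed threshold: a ratio this large on an otherwise idle box is
 * unlikely outside a debugger or emulator. Tune for your environment. */
#define SUSPICIOUS_RATIO 10.0

int main(void) {
    printf("sample traced -> TracerPid %ld\n", parse_tracer_pid(SAMPLE_TRACED));
    printf("sample clean  -> TracerPid %ld\n", parse_tracer_pid(SAMPLE_CLEAN));
    printf("live: debugger attached? %s\n", debugger_attached() ? "yes" : "no");
    double r = wall_to_cpu_ratio(20000000UL);
    printf("live: wall/cpu ratio %.2f -> %s\n", r,
           r > SUSPICIOUS_RATIO ? "suspicious" : "normal");
    return 0;
}
```

Run it once normally and once under `gdb` or `strace` to see the TracerPid check flip; the timing ratio only moves when execution is actually slowed (single-stepping, a heavy emulator), so treat it as a weak signal and combine it with other checks rather than relying on it alone.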