Foliage / FOLIAGE-style sleep masks

Attributions are based on open-source threat reports. A family appearing here means at least one syscall record cites it; absence does not imply non-use.

3 syscalls cited

NtLockVirtualMemory
Pins a virtual memory region in the process's working set so its pages cannot be paged out.
NtUnlockVirtualMemory
Releases a working-set lock previously taken by NtLockVirtualMemory.
NtSignalAndWaitForSingleObject
Atomically signals one dispatcher object and waits on another in a single, race-free transition.