From 3c3cc307ce39e46cb9a3193fb84de7f334384d43 Mon Sep 17 00:00:00 2001
From: Maxime Meignan
Date: Fri, 3 Nov 2023 16:17:59 +0100
Subject: [PATCH] Userland hooks: ignore api-ms-* DLLs
---
 EDRSandblast/UserlandBypass/UserlandHooks.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/EDRSandblast/UserlandBypass/UserlandHooks.c b/EDRSandblast/UserlandBypass/UserlandHooks.c
index a6c1c5e..857bd80 100644
--- a/EDRSandblast/UserlandBypass/UserlandHooks.c
+++ b/EDRSandblast/UserlandBypass/UserlandHooks.c
@@ -426,6 +426,9 @@ _Ret_notnull_ HOOK* searchHooks(const char* csvFileName) {
 if (dll_name.Buffer == NULL) {
 continue;
 }
+ if (!_wcsnicmp(dll_name.Buffer, L"api-ms", 6)) {
+ continue;
+ }
 WCHAR* moduleName = currentModuleEntry->FullDllName.Buffer;
 if (!hooksFoundInLastModule) {
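Review bot: The added `_wcsnicmp(dll_name.Buffer, L"api-ms", 6)` is bounded only by the literal count, not by the length of the name being compared. If `dll_name` is a counted string such as `UNICODE_STRING` (its declaration is outside the hunk, so this is inferred from the `.Buffer` access), the buffer is not guaranteed to be NUL-terminated, and a name shorter than six characters could be read past its end. Checking the length first keeps the read in bounds: `if (dll_name.Length >= 6 * sizeof(WCHAR) && !_wcsnicmp(dll_name.Buffer, L"api-ms", 6)) {`. The count `6` also repeats the length of the literal by hand, and the prefix lacks the trailing hyphen that the subject line's `api-ms-*` implies; a named constant and a one-line comment saying why these modules are skipped would make the intent checkable. `searchHooks` starts and ends outside this hunk.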