From d676ff82f51655903317ce7e489fb5ac00ad806c Mon Sep 17 00:00:00 2001
From: Maxime Meignan
Date: Wed, 8 Dec 2021 18:22:33 +0100
Subject: [PATCH] Added some safety check in hook resolving code
---
 EDRSandblast/Userland/UserlandHooks.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/EDRSandblast/Userland/UserlandHooks.c b/EDRSandblast/Userland/UserlandHooks.c
index 4267073..f65dbb2 100644
--- a/EDRSandblast/Userland/UserlandHooks.c
+++ b/EDRSandblast/Userland/UserlandHooks.c
@@ -432,6 +432,11 @@ PVOID hookResolver(PBYTE hookAddr) {
 PBYTE destination = hookAddr;
 BOOL hasFollowedJmp = FALSE;
 while (TRUE) {
+ MEMORY_BASIC_INFORMATION mbi;
+ VirtualQuery(destination, &mbi, sizeof(mbi));
+ if (mbi.State != MEM_COMMIT) {
+ return NULL;
+ }
 switch (destination[0]) {
 case 0xE9: {
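Review bot: The added `VirtualQuery(destination, &mbi, sizeof(mbi));` call ignores its return value, so when the query fails (it returns 0) `mbi` is left uninitialized and the `mbi.State` test on the next line reads indeterminate stack data. Fold the result into the guard: `if (VirtualQuery(destination, &mbi, sizeof(mbi)) == 0 || mbi.State != MEM_COMMIT) { return NULL; }`. Committed state alone also does not make `destination[0]` readable, since a `PAGE_NOACCESS` or `PAGE_GUARD` page would still fault on the read in the `switch`, so checking `mbi.Protect` may be warranted as well. The loop body continues past the end of the hunk, so whether later reads at offsets from `destination` stay inside `mbi.RegionSize` cannot be judged from here.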