Update README.md

4 years ago · 25a8ad710a
parent 47f88db8e8
commit 25a8ad710a
1 changed files with 25 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -496,6 +496,31 @@ Again this is just a demo/POC on how you can inherit `obfuscate`. This also show
 # Examples

 ### Kernel Example
+
+This example uses MSREXEC and Theodosius to map unsigned code into the kernel. This example is inside of the "Examples" folder. I would also like to note that in this demo external unexported ntoskrnl symbols are resolved by using a MAP file. This map file looks like this:
+
+```
+ 00000001:0000000000000F10       KiOpTwoByteTable
+ 00000001:0000000000001168       SeSubsystemName
+ 00000001:0000000000001180       PlugPlayHandlerTable
+ 00000001:00000000000013E0       PiDmAggregatedBooleanDefs
+ 00000001:0000000000001490       PiDmCachedDeviceKeys
+ 00000001:0000000000001580       PiDmCachedDeviceInterfaceKeys
+ 00000001:00000000000015F0       AllowedCachedObjectNames
+ 00000001:0000000000001640       EmptyUnicodeString
+```
+
+Mind the space at the beginning of each line. If you want to generate a file like this, put ntoskrnl.exe into IDA Pro and then click File ---> Produce File ---> Create MAP File, dont select "Segment Information", but do select "Demangled Names". After the MAP file is generate, please delete all of the garbage at the beginning of the file. I.E delete all spaces and "Address, Public By Value" stuff.
+
+```
+
+
+  Address         Publics by Value
+
+ 00000001:0000000000000000       VrpRegistryString
+ ....
+```
+
 ### Usermode Example

 # License - BSD 3-Clause