From 25a8ad710ad53084b75ba83392d886889472920b Mon Sep 17 00:00:00 2001 From: _xeroxz Date: Mon, 8 Mar 2021 19:41:52 +0000 Subject: [PATCH] Update README.md --- README.md | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/README.md b/README.md index e0a8f45..2e11d3b 100644 --- a/README.md +++ b/README.md @@ -496,6 +496,31 @@ Again this is just a demo/POC on how you can inherit `obfuscate`. This also show # Examples ### Kernel Example + +This example uses MSREXEC and Theodosius to map unsigned code into the kernel. This example is inside of the "Examples" folder. I would also like to note that in this demo external unexported ntoskrnl symbols are resolved by using a MAP file. This map file looks like this: + +``` + 00000001:0000000000000F10 KiOpTwoByteTable + 00000001:0000000000001168 SeSubsystemName + 00000001:0000000000001180 PlugPlayHandlerTable + 00000001:00000000000013E0 PiDmAggregatedBooleanDefs + 00000001:0000000000001490 PiDmCachedDeviceKeys + 00000001:0000000000001580 PiDmCachedDeviceInterfaceKeys + 00000001:00000000000015F0 AllowedCachedObjectNames + 00000001:0000000000001640 EmptyUnicodeString +``` + +Mind the space at the beginning of each line. If you want to generate a file like this, put ntoskrnl.exe into IDA Pro and then click File ---> Produce File ---> Create MAP File, dont select "Segment Information", but do select "Demangled Names". After the MAP file is generate, please delete all of the garbage at the beginning of the file. I.E delete all spaces and "Address, Public By Value" stuff. + +``` + + + Address Publics by Value + + 00000001:0000000000000000 VrpRegistryString + .... +``` + ### Usermode Example # License - BSD 3-Clause
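Review bot: the new Kernel Example text in this hunk never says where the MAP file must live or what it must be named for the example to find it; the only statement is that "external unexported ntoskrnl symbols are resolved by using a MAP file". Add a sentence naming the expected path and how the example loads it, and state that the file has to be generated from the same ntoskrnl.exe build that is running on the target machine, since the offsets of unexported symbols change between builds and a stale map will resolve to the wrong addresses. It would also help to say what the two fields on each line mean (the `00000001:` section index and the hex offset within that section), because that is the layout the example evidently depends on. Instead of asking the reader to hand-delete the "Address Publics by Value" header, consider having the loader skip everything up to the first line of the `00000001:0000000000000F10 KiOpTwoByteTable` shape so a stock IDA MAP file works unmodified. Minor wording: "dont select" -> "don't select", "After the MAP file is generate" -> "is generated", "I.E delete" -> "i.e. delete", and the second code block carries two stray blank lines before "Address Publics by Value".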