From 3cc9287dd6471e11a9948977876584af41fa2d0b Mon Sep 17 00:00:00 2001
From: _xeroxz <xerox@back.engineering>
Date: Mon, 8 Mar 2021 22:05:51 +0000
Subject: [PATCH] Update README.md

---
 README.md | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/README.md b/README.md
index 71da5f9..3f5bda1 100644
--- a/README.md
+++ b/README.md
@@ -719,6 +719,34 @@ ffff998b`c5368c90 c3              ret
 
 <img src="https://githacks.org/_xeroxz/theodosius/-/raw/a5de4b8a1a6cf32bb0213d8d9602f5dc955275b1/imgs/um-example-2.png"/>
 
+This example uses WinAPI's to allocate virtual memory in another process and also to copy virtual memory. Only exported routines from loaded DLL's in the target process can be resolved.
+
+```cpp
+theo::resolve_symbol_t _resolver = 
+	[&, &extern_symbols = extern_symbols](const char* symbol_name) -> std::uintptr_t
+{
+	auto loaded_modules = std::make_unique<HMODULE[]>(64);
+	std::uintptr_t result = 0u, loaded_module_sz = 0u;
+
+	if (!EnumProcessModules(phandle, 
+		loaded_modules.get(), 512, (PDWORD)&loaded_module_sz))
+		return {};
+
+	for (auto i = 0u; i < loaded_module_sz / 8u; i++)
+	{
+		wchar_t file_name[MAX_PATH] = L"";
+		if (!GetModuleFileNameExW(phandle, 
+			loaded_modules.get()[i], file_name, _countof(file_name)))
+			continue;
+
+		if ((result = reinterpret_cast<std::uintptr_t>(
+			GetProcAddress(LoadLibrary(file_name), symbol_name))))
+			break;
+	}
+	return result;
+};
+```
+
 # License - BSD 3-Clause
 
 Copyright (c) 2021, _xeroxz