From e5ea9810c15f175f0c3399f51c7d14f11df58d26 Mon Sep 17 00:00:00 2001
From: _xeroxz
Date: Mon, 8 Mar 2021 19:49:49 +0000
Subject: [PATCH] Update README.md
---
README.md | 51 +++++++++++++++++++++++++++++++++++++++++++++++----
1 file changed, 47 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index b581363..ab927c0 100644
--- a/README.md
+++ b/README.md
@@ -534,10 +534,53 @@ extern "C" void* PiDDBCacheTable;
 These two symbols are simply printed out via DbgPrint.
 ```cpp
-// non-exported symbols being resolved by jit linker...
-DbgPrint("> PiDDBCacheTable = 0x%p\n", &PiDDBCacheTable);
-DbgPrint("> win32kfull!NtUserRegisterShellPTPListener = 0x%p\n", &NtUserRegisterShellPTPListener);
-``
+MutateRoutine extern "C" void DrvEntry()
+{
+ DbgPrint("> Hello World!\n");
+
+ // non-exported symbols being resolved by jit linker...
+ DbgPrint("> PiDDBCacheTable = 0x%p\n", &PiDDBCacheTable);
+ DbgPrint("> win32kfull!NtUserRegisterShellPTPListener = 0x%p\n", &NtUserRegisterShellPTPListener);
+
+ // example of referencing itself...
+ DbgPrint("> DrvEntry = 0x%p\n", &DrvEntry);
+
+ // example of calling other obfuscated/non obfuscated routines...
+ PrintCR3();
+ LoopDemo();
+}
+```
+
+Once compiled the assembly will look like this. Note that each reference to symbols is done via a relocation to an absolute address. This means strings can (and will) be mapped into their own allocation of memory.
+
+```
+0X0A8: public DrvEntry
+0X0A8: DrvEntry proc near
+0X0A8: 48 83 EC 28 sub rsp, 28h
+0X0AC: 48 B9 78 01 00 00 00 00 00 00 mov rcx, offset ??_C@_0BA@LBLNBFIC@?$D...; "> Hello World!\n"
+0X0B6: 48 B8 38 02 00 00 00 00 00 00 mov rax, offset DbgPrint
+0X0C0: FF D0 call rax ; DbgPrint
+0X0C2: 48 B9 88 01 00 00 00 00 00 00 mov rcx, offset ??_C@_0BK@PLIIADON...; "> PiDDBCacheTable = 0x%p\n"
+0X0CC: 48 BA 40 02 00 00 00 00 00 00 mov rdx, offset PiDDBCacheTable
+0X0D6: 48 B8 38 02 00 00 00 00 00 00 mov rax, offset DbgPrint
+0X0E0: FF D0 call rax ; DbgPrint
+0X0E2: 48 B9 A8 01 00 00 00 00 00 00 mov rcx, offset ??_C@_0DE@FLODGMCP...; "> win32kfull!NtUserRegisterShellPTPList"...
+0X0EC: 48 BA 48 02 00 00 00 00 00 00 mov rdx, offset NtUserRegisterShellPTPListener
+0X0F6: 48 B8 38 02 00 00 00 00 00 00 mov rax, offset DbgPrint
+0X100: FF D0 call rax ; DbgPrint
+0X102: 48 B9 E0 01 00 00 00 00 00 00 mov rcx, offset ??_C@_0BD@JGN... ; "> DrvEntry = 0x%p\n"
+0X10C: 48 BA A8 00 00 00 00 00 00 00 mov rdx, offset DrvEntry
+0X116: 48 B8 38 02 00 00 00 00 00 00 mov rax, offset DbgPrint
+0X120: FF D0 call rax ; DbgPrint
+0X122: 48 B8 00 00 00 00 00 00 00 00 mov rax, offset ?PrintCR3@@YAXXZ ; PrintCR3(void)
+0X12C: FF D0 call rax ; PrintCR3(void) ; PrintCR3(void)
+0X12E: 48 B8 58 00 00 00 00 00 00 00 mov rax, offset ?LoopDemo@@YAXXZ ; LoopDemo(void)
+0X138: FF D0 call rax ; LoopDemo(void) ; LoopDemo(void)
+0X13A: 90 nop
+0X13B: 48 83 C4 28 add rsp, 28h
+0X13F: C3 retn
+0X13F: DrvEntry endp
+```
 ### Usermode Example