diff --git a/README.md b/README.md
index 7b86e86..a22079a 100644
--- a/README.md
+++ b/README.md
@@ -3,4 +3,40 @@
 reverse engineering of bedaisy.sys (battleyes kernel driver). By registering on image load callbacks and IAT hooking BEDaisy's `MmGetSystemRoutineAddress` we can simply hook any imports
 we want and have control flow over subsequent functions.
 
-<img src="https://imgur.com/NFGyGrY.png"/>
\ No newline at end of file
+<img src="https://imgur.com/NFGyGrY.png"/>
+
+# APCS
+
+The below function will be executed in each thread that bedaisy registers an APC on.
+
+```cpp
+__int64 __usercall apc_callback@<rax>(char _CL@<cl>, char _BH@<bh>, __int64 *a3@<r9>)
+{
+  __int64 v4; // rbx
+
+  __asm { rcl     bh, cl }
+  v4 = *a3;
+  *(_DWORD *)(v4 + 2160) = RtlWalkFrameChain(*a3 + 0x70, 256i64, 0i64);
+  return KeSetEvent(v4 + 88, 0i64, 0i64);
+}
+```
+
+Registeration of APCS:
+
+```cpp
+    status = PsLookupThreadByThreadId(thread_id, &some_pethread);
+    v17 = 0;
+    if ( (int)status >= 0 )
+    {
+      allocated_pool = ExAllocatePool(0x200i64, 0x878i64);
+      allocated_pool_1 = allocated_pool;
+      allocated_pool_2 = allocated_pool;
+      if ( allocated_pool )
+      {
+        allocated_pool_plus_58 = allocated_pool + 0x58;
+        KeInitializeEvent((PRKEVENT)(allocated_pool + 0x58), NotificationEvent, 0);
+        __asm { rcl     cx, 0C6h }
+        LOBYTE(v77) = 0;
+        KeInitializeApc(allocated_pool_2, some_pethread, 0i64, j_apc_callback, 0i64, 0i64, v77, 0i64);
+        if ( (unsigned __int8)KeInsertQueueApc(allocated_pool_2, allocated_pool_2, 0i64, 2i64) )
+```
\ No newline at end of file