From 58c6949c604d08d1640a04155c9b7db7fcf825da Mon Sep 17 00:00:00 2001 From: xerox Date: Sun, 26 Jul 2020 01:53:53 +0000 Subject: [PATCH] Update README.md --- README.md | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 7b86e86..4eb571c 100644 --- a/README.md +++ b/README.md @@ -3,4 +3,20 @@ reverse engineering of bedaisy.sys (battleyes kernel driver). By registering on image load callbacks and IAT hooking BEDaisy's `MmGetSystemRoutineAddress` we can simply hook any imports we want and have control flow over subsequent functions. - \ No newline at end of file + + +# APCS + +The below function will be executed in each thread that bedaisy registers an APC on. + +```cpp +__int64 __usercall apc_callback@(char _CL@, char _BH@, __int64 *a3@) +{ + __int64 v4; // rbx + + __asm { rcl bh, cl } + v4 = *a3; + *(_DWORD *)(v4 + 2160) = RtlWalkFrameChain(*a3 + 0x70, 256i64, 0i64); + return KeSetEvent(v4 + 88, 0i64, 0i64); +} +``` \ No newline at end of file
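Review bot: the new `# APCS` section in README.md says only that the function "will be executed in each thread that bedaisy registers an APC on" and leaves the reader to decode the listing; the lead sentence should state what the pseudocode actually shows, namely that the callback dereferences `a3` to reach a context structure (`v4 = *a3`), walks the current thread's stack with `RtlWalkFrameChain(*a3 + 0x70, 256i64, 0i64)` into a buffer at offset 0x70 of that structure (at most 256 frames), stores the returned frame count as a `_DWORD` at offset 2160 (0x870), and then signals the event at offset 88 (0x58) via `KeSetEvent`, presumably so that whoever queued the APC knows the stack capture for that thread is complete. Three smaller points on the same hunk: the `__usercall` register annotations after each `@` are empty in the signature `apc_callback@(char _CL@, char _BH@, __int64 *a3@)`, so either restore the `@<reg>` suffixes from the decompiler or drop them together with the unused `_CL`/`_BH` parameters and the `__asm { rcl bh, cl }` line, which the decompiler could not lift and which does not feed into anything else in the function as shown; the fence is tagged `cpp` but the body is IDA pseudocode (`__usercall`, `256i64`, `_DWORD`) that will not compile, so the surrounding text should say it is decompiler output; and the heading should read `# APCs` (asynchronous procedure calls) rather than `# APCS`, with the offsets `0x70`, `2160` and `88` written in one radix so they can be read against each other as fields of the same structure.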