From 38aa7f29df84fc6be6cf8e441a4150303f2eb805 Mon Sep 17 00:00:00 2001 From: xerox Date: Mon, 17 Aug 2020 22:29:12 +0000 Subject: [PATCH] Update README.md --- README.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 6903232..6e6a8ab 100644 --- a/README.md +++ b/README.md @@ -16,4 +16,7 @@ If you run a battleye protected game, open cheat engine, attach to `lsass.exe`, This inline hook jumps to shellcode that packages all of the parameter values passed to `NtReadVirtualMemory` into the stack and then jumps to `DeviceIoControl`... - \ No newline at end of file + + +Now that you have a basic understanding of how this system works (and sorta why it is), lets look at what we can do! +To begin we need to extract the driver handle at runtime, this can be done simply by extracting the address of the shellcode out of the inline hook of `NtReadVirtualMemory`. \ No newline at end of file
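Review bot: the hunk's final added line still ends without a trailing newline (the `\ No newline at end of file` marker is carried over from the removed line), so this change leaves README.md with the same file-ending problem it started with; terminate the last line with a newline. The added prose also needs a pass before merge: `lets look` should read `let's look`, `(and sorta why it is)` is informal and leaves the reader guessing what `it is` refers to, and `To begin we need to extract the driver handle at runtime, this can be done simply by extracting the address of the shellcode out of the inline hook of `NtReadVirtualMemory`.` is a comma splice that reads better as two sentences. Finally, the two leading `+` lines insert two blank lines before the new paragraph where Markdown needs only one for a paragraph break.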