From edef0b233ee69ea1e3899cb810a637bd1877bf21 Mon Sep 17 00:00:00 2001
From: xerox <xerox@back.engineering>
Date: Mon, 17 Aug 2020 22:08:38 +0000
Subject: [PATCH] Update README.md

---
 README.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 8a99d0c..806d71f 100644
--- a/README.md
+++ b/README.md
@@ -5,4 +5,8 @@ is not something you can inject from usermode, lsass.exe is (although it can be
 
 The reason this proxy of a syscall is a vulnerability is simply because their is no validation of R/W access on the specified handle passed to `BEDaisy`. In other words: you can
 open a handle with `PROCESS_QUERY_LIMITED_INFORMATION` and use that handle to read/write any usermode memory that is also read/writeable. The handle access is not important to bedaisy
-rather they use the handle to get the EPROCESS of the process that the handle is opened on.
\ No newline at end of file
+rather they use the handle to get the EPROCESS of the process that the handle is opened on.
+
+<img src="https://imgur.com/fdthCQb.png"/>
+
+As you can see you can open any handle with any access and then pass it along to bedaisy and it will read/write for you...
\ No newline at end of file