From 764006818b4655108292a9a8883904eb23bf27c0 Mon Sep 17 00:00:00 2001
From: _xeroxz
Date: Thu, 4 Feb 2021 10:00:02 +0000
Subject: [PATCH] Update README.md
---
README.md | 73 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 73 insertions(+)
diff --git a/README.md b/README.md
index 078730a..b09a105 100644
--- a/README.md
+++ b/README.md
@@ -8,6 +8,79 @@ This project inherits VDM and uses GDRV by default but you can use whatever meth
 The kernel module part of this project is used to generate the assembly to call kernel functions with over four parameters. VDM hook NtShutdownSystem and since NtShutdownSystem only takes four parameters, some of the required functions cannot be called since the arguments are not copied from the usermode stack to the kernel stack in KiSystemCall...
+```cpp
+VOID KiSystemService(IN PKTHREAD Thread, IN PKTRAP_FRAME TrapFrame, IN ULONG Instruction)
+{
+ ULONG Id, Number, ArgumentCount, i;
+ PKPCR Pcr;
+ ULONG_PTR ServiceTable, Offset;
+ PKSERVICE_TABLE_DESCRIPTOR DescriptorTable;
+ PVOID SystemCall;
+ PVOID* Argument;
+ PVOID Arguments[0x11]; // Maximum 17 arguments
+ KIRQL OldIrql;
+ ASSERT(TrapFrame->Reserved == 0xBADB0D00);
+
+ //
+ // Increase count of system calls
+ //
+ Pcr = KeGetPcr();
+ Pcr->CurrentPrcb->KeSystemCalls++;
+
+ //
+ // Get the system call ID
+ //
+ Id = Instruction & 0xFFFFF;
+ //DPRINT1("[SWI] (%x) %p (%d) \n", Id, Thread, Thread->PreviousMode);
+
+ //
+ // Get the descriptor table
+ //
+ ServiceTable = (ULONG_PTR)Thread->ServiceTable;
+ Offset = ((Id >> SERVICE_TABLE_SHIFT) & SERVICE_TABLE_MASK);
+ ServiceTable += Offset;
+ DescriptorTable = (PVOID)ServiceTable;
+
+ //
+ // Get the service call number and validate it
+ //
+ Number = Id & SERVICE_NUMBER_MASK;
+ if (Number > DescriptorTable->Limit)
+ {
+ //
+ // Check if this is a GUI call
+ //
+ UNIMPLEMENTED;
+ ASSERT(FALSE);
+ }
+
+ //
+ // Save the function responsible for handling this system call
+ //
+ SystemCall = (PVOID)DescriptorTable->Base[Number];
+
+ //
+ // Check if this is a GUI call
+ //
+ if (Offset & SERVICE_TABLE_TEST)
+ {
+ //
+ // TODO
+ //
+ UNIMPLEMENTED;
+ ASSERT(FALSE);
+ }
+
+ //
+ // Check how many arguments this system call takes
+ //
+ ArgumentCount = DescriptorTable->Number[Number] / 4;
+ ASSERT(ArgumentCount <= 17);
+
+ // ... etc ...
+```
+
+ The functions which need to be called that have more then four parameters are passed up inside of a structure in rcx and a pointer to the wide string path is passed up in rdx. For all intense and purposes you can ignore the kernel part of this...