From c206543e78a00c960b86f3cd6c2fd82a0290281d Mon Sep 17 00:00:00 2001 From: _xeroxz Date: Thu, 4 Feb 2021 10:02:10 +0000 Subject: [PATCH] Update README.md --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 9b7f8ee..c799165 100644 --- a/README.md +++ b/README.md @@ -5,9 +5,11 @@ This project inherits VDM and uses GDRV by default but you can use whatever meth # fdelete-km -The kernel module part of this project is used to generate the assembly to call kernel functions with over four parameters. VDM hook NtShutdownSystem and since NtShutdownSystem +The kernel module part of this project is used to generate the assembly to call kernel functions with over four parameters. VDM temp hooks NtShutdownSystem and since NtShutdownSystem only takes four parameters, some of the required functions cannot be called since the arguments are not copied from the usermode stack to the kernel stack in KiSystemCall... +note: I choose NtShutdownSystem since its in every single windows version ever and inline hooking this function wouldnt cause any race conditions lol. + ```cpp VOID KiSystemService(IN PKTHREAD Thread, IN PKTRAP_FRAME TrapFrame, IN ULONG Instruction) {
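Review bot: The added "note:" line asserts that inline hooking NtShutdownSystem "wouldnt cause any race conditions" but gives no reason, and the reworded sentence above it says VDM "temp hooks" the function without saying how long the hook stays in place. Suggest stating in the README why the claim holds: what happens if another thread calls NtShutdownSystem while the temporary hook is installed, and at what point the hook is removed. Minor wording in the same added line: "choose" should be "chose", "its" should be "it's", "wouldnt" should be "wouldn't", and the trailing "lol" can go. The subject "Update README.md" also does not say what changed; a subject such as "README: explain why NtShutdownSystem is hooked" would be easier to find in the log.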