Update README.md

EvilBytecode · Jun 22, 2024 · 93b5788 · 93b5788
1 parent bcc4e13
commit 93b5788
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -5,8 +5,8 @@ This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tra
 ### INFO
 The program modifies the PowerShell profile (`Microsoft.PowerShell_profile.ps1`) to apply two patches:
 
-1. **AMSI Patch**: Disables AMSI by modifying the `AmsiScanBuffer` function.
-2. **ETW Patch**: Modifies the `EtwEventWrite` function in `ntdll.dll` to prevent event tracing.
+1. **AMSI Patch**: Disables AMSI by modifying the `AmsiScanBuffer` function, ```{ 0x31, 0xC0, 0xC3 }```.
+2. **ETW Patch**: Modifies the `EtwEventWrite` function in `ntdll.dll` to prevent event tracing, ```{ 0xC3 }```.
 3. Sets File attributes to Hidden and System to : `Microsoft.PowerShell_profile.ps1`.
 
 ### Effect: Once applied, PowerShell sessions initiated afterward will have AMSI and ETW bypassed.