From 93b5788cc0182bcd42943acd807809394f7f1649 Mon Sep 17 00:00:00 2001 From: Codepulze <151552809+EvilBytecode@users.noreply.github.com> Date: Sat, 22 Jun 2024 14:35:51 +0100 Subject: [PATCH] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 7273986..20e412e 100644 --- a/README.md +++ b/README.md @@ -5,8 +5,8 @@ This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tra ### INFO The program modifies the PowerShell profile (`Microsoft.PowerShell_profile.ps1`) to apply two patches: -1. **AMSI Patch**: Disables AMSI by modifying the `AmsiScanBuffer` function. -2. **ETW Patch**: Modifies the `EtwEventWrite` function in `ntdll.dll` to prevent event tracing. +1. **AMSI Patch**: Disables AMSI by modifying the `AmsiScanBuffer` function, ```{ 0x31, 0xC0, 0xC3 }```. +2. **ETW Patch**: Modifies the `EtwEventWrite` function in `ntdll.dll` to prevent event tracing, ```{ 0xC3 }```. 3. Sets File attributes to Hidden and System to : `Microsoft.PowerShell_profile.ps1`. ### Effect: Once applied, PowerShell sessions initiated afterward will have AMSI and ETW bypassed.
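Review bot: the byte sequences added to list items 1 and 2 are given without saying what they encode or which architecture they target, and the lead sentence above the list still says "two patches" while the list now reads as three numbered items, the third of which is an attribute change rather than a patch. Suggest stating on those lines that `{ 0x31, 0xC0, 0xC3 }` is `xor eax, eax; ret` (AmsiScanBuffer returns 0 immediately and never writes its result) and that `{ 0xC3 }` is a bare `ret` (EtwEventWrite returns immediately and writes no event), that both are x86/x64 instruction encodings, and that they only have the described effect when written over the first bytes of those exported functions. Style: use single backticks for the inline byte arrays, matching `AmsiScanBuffer` and `ntdll.dll` on the same lines, since a triple-backtick fence inside a list item renders inconsistently; and either change "two patches" to "three changes" or move item 3 out of the numbered list. Item 3 itself would read more clearly as "Sets the Hidden and System attributes on `Microsoft.PowerShell_profile.ps1`" in place of "Sets File attributes to Hidden and System to :".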