From fc61c5e6055ab460e140ba5e4ff2200d6699dd34 Mon Sep 17 00:00:00 2001
From: nganhkhoa
Date: Tue, 18 Feb 2020 17:44:14 +0700
Subject: [PATCH] update sample ouput

---
 README.md | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 8ab9f40..cd4f57a 100644
--- a/README.md
+++ b/README.md
@@ -528,8 +528,18 @@ for (int i = 0; i < 100; i++) {
 DbgPrint("eprocess : 0x%p, [%15s]\n", eprocess, (char*)((ULONG64)eprocess + ImageBaseOffset));
 }
-// TODO: update output
-
+// sample output
+eprocess : 0xFFFFF8037401F528, [ ]
+eprocess : 0xFFFF840F5A0D9080, [ System]
+eprocess : 0xFFFF840F5A28C040, [ Secure System]
+eprocess : 0xFFFF840F5A2EF040, [ Registry]
+eprocess : 0xFFFF840F622BF040, [ smss.exe]
+eprocess : 0xFFFF840F6187D080, [ smss.exe]
+eprocess : 0xFFFF840F6263D140, [ csrss.exe]
+eprocess : 0xFFFF840F6277F0C0, [ smss.exe]
+eprocess : 0xFFFF840F627C2080, [ wininit.exe]
+eprocess : 0xFFFF840F64187140, [ csrss.exe]
+eprocess : 0xFFFF840F641CD080, [ services.exe]
 ```
 And if we debug and compare the address of that `Empty EPROCESS+ActiveProcessLinksOffset` with `nt!PsActiveProcessHead`, it is just the same. And with the given offset parsed from the PDB file, we can get kernel base address.