From 0e530802d40d90eec4ba9a1faa663be9884775f2 Mon Sep 17 00:00:00 2001 From: zhwu2697 Date: Fri, 4 Jun 2021 23:32:16 +1000 Subject: [PATCH] fixed header sizes --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index b65cb97..4bc9d07 100644 --- a/README.md +++ b/README.md @@ -23,7 +23,7 @@ I did eventually come up with a third method, and it was to let procmon do its t ## disabling defender -### x64 Debug +## x64 Debug If we breakpoint onto RegSetKeyValue it writes into "DisableAntiSpyware" which we can research on the internet There is a lot of occurance with the following registry directory: "Software\\Policies\\Microsoft\\Windows Defender" @@ -92,14 +92,14 @@ Another one opened here: 008CEFF8 043EB4C8 L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run" ``` -## enabling defender +### enabling defender there seems to be a reference with "Policy Manager" using RegEnumKeyExW It seems to call RegDeleteValueW on security health (see above) -## poc 2: hooks +## reversing w hooks We are going to write a simple dll to inject into defender control to dump out the parameters of the functions we are interested in. Here are the logs:
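Review bot: Promoting "### x64 Debug" to "## x64 Debug" in the first hunk lifts it out from under "## disabling defender", so the x64 debugging notes that follow (the RegSetKeyValue breakpoint, the "DisableAntiSpyware" value, the "Software\\Policies\\Microsoft\\Windows Defender" key) no longer read as part of the disabling-defender section. If the goal of "fixed header sizes" is a consistent hierarchy, keep "### x64 Debug" as a subsection (or raise the surrounding subsections with it) and say which structure is intended in the commit message.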
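Review bot: The second hunk mixes two unrelated changes and only one matches the subject "fixed header sizes": demoting "## enabling defender" to "### enabling defender" makes it a subsection of whatever "##" heading precedes it instead of a peer of "## disabling defender", which looks inconsistent with the first hunk promoting "x64 Debug"; and renaming "## poc 2: hooks" to "## reversing w hooks" changes the section's meaning, not its size. Suggest moving the rename into its own commit with a message explaining it, and spelling the heading out as "## reversing with hooks" rather than the abbreviation "w".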