From 083a00df4034057821b827e06dacec0c30585fdb Mon Sep 17 00:00:00 2001
From: "Ilya V. Matveychikov" <matvejchikov@gmail.com>
Date: Mon, 2 Jul 2018 14:26:08 +0400
Subject: [PATCH] Update README.md

---
 README.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 730094b..0d1de7f 100644
--- a/README.md
+++ b/README.md
@@ -9,6 +9,7 @@ Environment:
 Core capabilities:
  - Persistency
  - Management interface
+ - Altering system (library) behaviour
  
 Stealth capabilities:
  - Detection evasion
@@ -24,7 +25,7 @@ Hiding stuff capabilities:
 Additional functions:
  - Keylogger
  - Backdoor/shell
- - Gain priveleges
+ - Gaining priveleges
 
 ## :see_no_evil: user mode rootkits
 
@@ -67,6 +68,7 @@ Additional functions:
   | Environment | 2.6.x/3.x/4.x (x86) | `sys_call_table` search method is x86-only |
   | Persistency | /etc/modules or /etc/rc.modules | Boot-time module loading using OS-specific startup files.  |
   | Management interface | `kill(2)` | `sys_call_table[__NR_kill]` |
+  | Altering system (library) behaviour | Hooking of system calls | `sys_call_table` patching using `CR0/WP`   |
   | Hiding (tampering) of file contents | Filtering while reading | `sys_call_table[__NR_read]` |
   | Hiding of files and directories | Filtering of directory entries | `sys_call_table[__NR_getdents]`  `sys_call_table[__NR_getdents64]` |
   | Hiding of processes and process trees | Filtering of `/proc` | Filtering PID-like numeric entries while listing `/proc`. Hidden tasks are marked using `task->flags \| 0x10000000`. Not able to hide all threads and children of hidden (parent) process. |