

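// Cheat Engine auto-assembler code-injection script (Windows x64, Intel operand order,
// numbers are hexadecimal).
//
// Purpose: detour the instruction at ntdll.SbSelectProcedure+36 and, when the block that
// r8 points to holds a UTF-16 string starting with "Batt" at a known offset, save r8
// into a scratch slot (newmem+500) so it can be inspected afterwards.
//
// Review notes:
//  - This rewrites executable ntdll code inside the attached process. No section that
//    restores the original bytes or frees newmem is visible in this script.
//  - Both the hook address and the string offsets are specific to a Windows build (see the
//    table below). Check that the instruction at the hook address still reads
//    "mov r8,[rax+000002D8]" before enabling on a new build.
//  - The detour leaves every register and RFLAGS as the displaced instruction would have:
//    the displaced mov does not touch flags, so the compares below are wrapped in
//    pushfq/popfq.
//
// Earlier hard-coded hook address, kept for reference:
//alloc(newmem,2048,"ntdll.dll"+263E6)
alloc(newmem,2048,"ntdll.SbSelectProcedure"+36) // third argument: allocate near the hook so a 5-byte jmp reaches it
label(returnhere)
label(originalcode)
label(exit)
label(checkalt)
label(capture)
label(done)

newmem: // allocated memory with read, write and execute access

originalcode:

// ntdll.SbSelectProcedure+36 > mov r8,[rax+000002D8]
//
// Author's survey; columns appear to be: machine, hook address, Windows version,
// string offset inside [r8] (TODO confirm):
// pntest "ntdll.dll"+263E6 1803 978
// 11     "ntdll.dll"+47EC6 1703 978
// 33     "ntdll.dll"+F006  1511 c2c
// 41                       1511 c2c
// lap                      1903 B80
// 42                       1511 c2c
// 43     "ntdll.dll"+47EC6 1703 978
// 52                       1511 c2c
//
// Only offsets 978 and B80 are tested below; offset c2c (the 1511 rows) is listed
// but not handled.

// [r8] > 978 = Batt01.net.exe UTF-16 (WCHAR) 1803
// [r8] > B80 = Batt01.net.exe UTF-16 (WCHAR) 1903

// NOTE(review): rax is set by ntdll code outside this script. 0x2D8 is the pShimData
// offset in the x64 PEB, so r8 is presumably the shim-data pointer - confirm.
mov r8,[rax+000002D8] // displaced original instruction, executed first

pushfq   // keep the caller's flags: the cmp/test below would otherwise overwrite them
push rax // rax is reused as the scratch-slot pointer; restored before returning

test r8,r8 // a null pointer must reach the original code untouched instead of faulting here
je done

// 00610042 / 00740074 are the little-endian dwords for UTF-16 "Ba" and "tt", so only
// the first four characters are compared: any name starting with "Batt" matches.
cmp dword ptr [r8+978],00610042 // "Ba" at the 1803 offset
jne checkalt
cmp dword ptr [r8+978+4],00740074 // "tt"
je capture

checkalt:
// NOTE(review): this read happens on every build; it assumes the block r8 points to
// is at least B88 bytes long - confirm.
cmp dword ptr [r8+B80],00610042 // "Ba" at the 1903 offset
jne done
cmp dword ptr [r8+B80+4],00740074 // "tt"
jne done

capture:
mov rax,newmem+500 // vtmem: scratch slot inside the allocation
mov [rax],r8 // remember the matching pointer

done:
pop rax
popfq

exit:
jmp returnhere


//"ntdll.dll"+263E6:
"ntdll.SbSelectProcedure"+36:
// Patch site: jmp (5 bytes) plus two nops overwrites exactly the 7-byte
// "mov r8,[rax+000002D8]", so returnhere is the next original instruction.
jmp newmem
nop
nop
returnhere: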

