From 60e55eaf7ccb76121a3c10f4c9fe6382a7b1002f Mon Sep 17 00:00:00 2001 From: Andrey Bazhan Date: Tue, 6 Feb 2018 21:00:36 +0200 Subject: [PATCH] Update readme --- README.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/README.md b/README.md index 71513a7..4c0b43f 100644 --- a/README.md +++ b/README.md @@ -241,6 +241,20 @@ You can read more about the Windows Subsystem for Linux at the following links: Stack Address: 0x00007FFFF70D0000 ``` +### !ms_yarascan + +Scan a process memory with yara rules. + +Scan a process memory. +``` +!ms_yarascan /pid 0x228 /yarafile /yarafile C:\Rules.yar +``` + +Scan all processes memory. +``` +!for_each_process "r? @$t0 = (nt!_EPROCESS *) @#Process; .process /r /p @$t0; !ms_yarascan /pid @@C++(@$t0->UniqueProcessId) /yarafile C:\\Rules.yar" +``` + ## Classes ### PEFile `MsPEImageFile` contains the basic common information used by Windows binaries (PE) and has been derivated into three different classes:
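Review bot: the first `!ms_yarascan` example in this hunk repeats the `/yarafile` switch (`!ms_yarascan /pid 0x228 /yarafile /yarafile C:\Rules.yar`); as written, a reader copying it will pass the literal token `/yarafile` where the rules path is expected. It should read `!ms_yarascan /pid 0x228 /yarafile C:\Rules.yar`, matching the single `/yarafile C:\\Rules.yar` used inside the `!for_each_process` example below it (where the doubled backslash is correct because the command is inside a quoted string). Minor wording: "Scan a process memory with yara rules." and the two "Scan a process memory." / "Scan all processes memory." captions would read better as "Scan a process's memory with YARA rules.", "Scan one process's memory." and "Scan the memory of all processes.", and it would help to state which parameters are required and whether `/pid` accepts decimal as well as hex, since the first example uses `0x228` and the second passes the value via `@@C++(@$t0->UniqueProcessId)`.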