Advanced Windows Process Monitor
The God Process for Windows. Dio means God in Latin — DioProcess is the ultimate process manager and security research toolkit.
Built with Rust and Dioxus for maximum performance.
Four Layers of Power
From usermode APIs to hypervisor-level control, DioProcess provides comprehensive system access for security research and analysis.
- Process, thread, handle, module enumeration
- 7 DLL injection methods (LoadLibrary to Manual Map)
- 3 shellcode injection techniques
- Process hollowing, ghosting, herpaderping
- Hook detection and DLL unhooking
- Token theft and impersonation
- Process protection (PPL) manipulation
- Token privilege escalation (40 privileges)
- Callback enumeration and removal
- PspCidTable enumeration (hidden process detection)
- Minifilter enumeration and unlinking
- Real-time system event capture (17 event types)
- EPT hooks (Hex, Assembly, Detour modes)
- Physical memory scanner via CR3 page table walk
- Ring -1 shellcode and DLL injection
- Process hiding from Ring 0 enumeration
- Driver hiding via EPT manipulation
- .dph hook script system for portable hooks
- Driver Signature Enforcement (DSE) bypass
- PatchGuard (KPP) bypass
- Custom boot animation support
- NVRAM-based configuration persistence
- ExitBootServices hook architecture
- EDK2-based DXE driver
Comprehensive Capabilities
DLL Injection
7 methods: LoadLibrary, Thread Hijack, APC Queue, EarlyBird, Remote Mapping, Function Stomping, Manual Map
Shellcode Injection
Classic, Web Staging (download from URL), and Threadless (hook-based, no new threads)
Process Masquerading
Hollowing, Ghosting, Ghostly Hollowing, Herpaderping, Herpaderping Hollowing
Hook Detection
IAT scanning for E9/E8/EB/FF25/MOV+JMP patterns with automatic unhooking
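As an added example (not DioProcess code), a Rust classifier for the redirect patterns listed above, applied to the entry bytes that an IAT slot resolves to; the byte sequences are constructed test inputs, and `is_hooked` assumes the caller supplies the on-disk and in-memory copies of the same function prologue:

```rust
// Added example, not part of DioProcess: flag x64 function entries whose
// first bytes have been replaced by a control-flow redirect (inline hook).

#[derive(Debug, PartialEq, Eq)]
pub enum Redirect {
    JmpRel32,    // E9 rel32
    CallRel32,   // E8 rel32
    JmpShort,    // EB rel8
    JmpIndirect, // FF 25 disp32 (RIP-relative indirect jmp)
    MovImm64Jmp, // 48 B8..BF imm64 ; FF E0..E7 (mov r64, imm64 ; jmp r64)
}

/// Returns the redirect kind if `prologue` starts with one of the patterns,
/// else None. Only the entry bytes are inspected; a hook placed deeper in
/// the function body is not seen by this check.
pub fn classify_prologue(prologue: &[u8]) -> Option<Redirect> {
    match prologue {
        [0xE9, _, _, _, _, ..] => Some(Redirect::JmpRel32),
        [0xE8, _, _, _, _, ..] => Some(Redirect::CallRel32),
        [0xEB, _, ..] => Some(Redirect::JmpShort),
        [0xFF, 0x25, _, _, _, _, ..] => Some(Redirect::JmpIndirect),
        // REX.W + B8..BF is "mov r64, imm64"; FF E0..E7 is "jmp r64".
        [0x48, mov, _, _, _, _, _, _, _, _, 0xFF, jmp, ..]
            if (0xB8..=0xBF).contains(mov) && (0xE0..=0xE7).contains(jmp) =>
        {
            Some(Redirect::MovImm64Jmp)
        }
        _ => None,
    }
}

/// Resolve the target of a rel32 jmp/call whose first byte sits at `insn_addr`,
/// so the destination can be checked against the expected module's range.
pub fn rel32_target(insn_addr: u64, prologue: &[u8]) -> Option<u64> {
    let rel = i32::from_le_bytes(prologue.get(1..5)?.try_into().ok()?);
    Some(insn_addr.wrapping_add(5).wrapping_add(rel as i64 as u64))
}

/// Compare the in-memory entry bytes with the on-disk bytes of the same
/// export (constructed by the caller); a mismatch that also matches a known
/// redirect pattern is a strong inline-hook indicator.
pub fn is_hooked(disk: &[u8], memory: &[u8]) -> Option<Redirect> {
    let n = disk.len().min(memory.len()).min(16);
    if disk[..n] == memory[..n] {
        return None;
    }
    classify_prologue(memory)
}
```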
Security Research
PPL manipulation, privilege escalation, debug flag clearing, callback removal
System Events
Real-time capture of 17 kernel event types with SQLite persistence
Security Research Tool
DioProcess is designed for authorized security research and testing only. The capabilities provided can bypass Windows security mechanisms and should only be used on systems you own or have explicit permission to test.
- Requires administrator privileges
- Kernel driver requires test signing mode or valid signature
- Hypervisor features require Hyper-V to be disabled
- UEFI bootkit requires Secure Boot to be disabled
Ready to explore? Check out the documentation to get started.