API Reference

Complete reference for IOCTLs, structures, and the DioProcessSDK C++ class.

SDK Header: sdk/DioProcessSDK.h - Single header-only SDK with 90+ IOCTLs, 70+ structures, and 60+ wrapper functions.

Driver IOCTLs

All IOCTLs use METHOD_BUFFERED and FILE_ANY_ACCESS.

Event Collection0x800-0x804

IOCTL	Code	Description
START_COLLECTION	0x800	Start event collection
STOP_COLLECTION	0x801	Stop event collection
GET_COLLECTION_STATE	0x802	Get collection state
REGISTER_CALLBACKS	0x803	Register kernel callbacks
UNREGISTER_CALLBACKS	0x804	Unregister kernel callbacks

Security Research0x805-0x808

IOCTL	Code	Description
PROTECT_PROCESS	0x805	Apply PPL protection
UNPROTECT_PROCESS	0x806	Remove PPL protection
ENABLE_PRIVILEGES	0x807	Enable all token privileges
CLEAR_DEBUG_FLAGS	0x808	Clear debug indicators

Callback Enumeration0x809-0x81F

IOCTL	Code	Description
ENUM_PROCESS_CALLBACKS	0x809	Enumerate process callbacks
ENUM_THREAD_CALLBACKS	0x80A	Enumerate thread callbacks
ENUM_IMAGE_CALLBACKS	0x80B	Enumerate image load callbacks
ENUM_PSPCIDTABLE	0x80F	Enumerate PspCidTable
ENUM_OBJECT_CALLBACKS	0x810	Enumerate object callbacks
ENUM_MINIFILTERS	0x811	Enumerate minifilters
ENUM_REGISTRY_CALLBACKS	0x81E	Enumerate registry callbacks

Hypervisor0x820-0x844

IOCTL	Code	Description
HV_START	0x820	Start hypervisor
HV_STOP	0x821	Stop hypervisor
HV_PING	0x822	Check if hypervisor running
HV_PROTECT_PROCESS	0x830	Hide process via EPT
HV_HIDE_DRIVER	0x834	Hide driver via EPT
HV_INJECT_SHELLCODE	0x840	Ring -1 shellcode injection
HV_INJECT_DLL	0x841	Ring -1 DLL injection
HV_READ_VM	0x842	Read virtual memory via HV
HV_WRITE_VM	0x843	Write virtual memory via HV

Kernel Injection0x80C-0x80E

IOCTL	Code	Description
KERNEL_INJECT_SHELLCODE	0x80C	Kernel shellcode injection
KERNEL_INJECT_DLL	0x80D	Kernel DLL injection
KERNEL_MANUAL_MAP	0x80E	Kernel manual map injection

Callback Removal & Restore0x812-0x81D

IOCTL	Code	Description
REMOVE_PROCESS_CALLBACK	0x812	Remove process callback by index
REMOVE_THREAD_CALLBACK	0x814	Remove thread callback by index
REMOVE_IMAGE_CALLBACK	0x815	Remove image callback by index
REMOVE_OBJECT_CALLBACK	0x816	Remove object callback
UNLINK_MINIFILTER	0x817	Unlink minifilter callbacks
RESTORE_*_CALLBACK	0x819-0x81D	Restore removed callbacks
REMOVE_REGISTRY_CALLBACK	0x81F	Remove registry callback

Early Injection0x850-0x852

IOCTL	Code	Description
EARLY_INJECT_ARM	0x850	Arm early injection for process
EARLY_INJECT_DISARM	0x851	Disarm early injection
EARLY_INJECT_STATUS	0x852	Get early injection status

Hiding Features0x870-0x8A2

IOCTL	Code	Description
FILEHIDE_HIDE/UNHIDE/LIST	0x870-0x872	Hide files via minifilter
PROCESS_HIDE/UNHIDE/LIST	0x880-0x882	DKOM process hiding
PORT_HIDE/UNHIDE/LIST	0x8A0-0x8A2	NSI port hiding

Physical Memory & VA Translation0x890-0x894

IOCTL	Code	Description
TRANSLATE_VA	0x890	4-level page table walk
READ_PHYSICAL	0x891	Read physical memory
WRITE_PHYSICAL	0x892	Write physical memory
PHYS_READ_VM	0x893	Bulk VM read via CR3 walk (64KB)
ENUM_VM_REGIONS	0x894	Enumerate VM regions (kernel-side)

EPT Hooks & Register Changes0x8B0-0x8C3

IOCTL	Code	Description
EPT_HOOK_INSTALL	0x8B0	Install EPT split-page hook
EPT_HOOK_REMOVE	0x8B1	Remove EPT hook
EPT_HOOK_INSTALL_DETOUR	0x8B3	Install EPT detour with code cave
REG_CHANGE_INSTALL	0x8C0	Modify registers at RIP via EPT+MTF
HIDE_MEMORY	0x8D0	Hide memory protection via MMPFN

Process Control & Kill0x8E0-0x8FA

IOCTL	Code	Description
KILL_TERMINATE	0x8E0	ZwTerminateProcess
KILL_UNMAP	0x8E1	Unmap process memory
KILL_PEB_CORRUPT	0x8E2	Corrupt PEB to crash process
SUSPEND/RESUME_PROCESS	0x8F1-0x8F2	Suspend/resume process
SUSPEND/RESUME/TERMINATE_THREAD	0x8F4-0x8F6	Thread control
ENUM_SYSTEM_THREADS	0x8F7	Enumerate system threads
ENUM_ALL_KERNEL_THREADS	0x8F9	Enumerate all kernel threads

Packet Capture (WFP)0x900-0x908

IOCTL	Code	Description
PACKET_START_CAPTURE	0x900	Start packet capture for PID
PACKET_STOP_CAPTURE	0x901	Stop packet capture
PACKET_GET_PACKETS	0x902	Retrieve captured packets
PACKET_INJECT	0x903	Inject packet
PACKET_ADD/REMOVE_FILTER	0x904-0x905	Manage packet filters

DioProcessSDK C++ Class

Header-only SDK class with 60+ wrapper functions. Include sdk/DioProcessSDK.h and use directly.

Quick Start

#include "DioProcessSDK.h"

DioProcessSDK sdk;
if (sdk.Open()) {
    // Protect current process
    sdk.ProtectProcess(GetCurrentProcessId());
    
    // Start hypervisor
    sdk.HvStart();
    
    // Enumerate callbacks
    BYTE buffer[4096];
    DWORD bytes;
    sdk.EnumProcessCallbacks(buffer, sizeof(buffer), &bytes);
    
    sdk.Close();
}

SDK Methods by Category

Connection

Open() → BOOL
Close() → void
IsOpen() → BOOL
GetHandle() → HANDLE

Collection

StartCollection() → BOOL
StopCollection() → BOOL
GetCollectionState(response*) → BOOL
RegisterCallbacks() → BOOL
UnregisterCallbacks() → BOOL

Process Protection

ProtectProcess(pid) → BOOL
UnprotectProcess(pid) → BOOL
ProtectProcessWithLevel(pid, level) → BOOL
EnablePrivileges(pid) → BOOL
ClearDebugFlags(pid) → BOOL

Callback Enumeration

EnumProcessCallbacks(buf, size, bytes*) → BOOL
EnumThreadCallbacks(buf, size, bytes*) → BOOL
EnumImageCallbacks(buf, size, bytes*) → BOOL
EnumObjectCallbacks(buf, size, bytes*) → BOOL
EnumRegistryCallbacks(buf, size, bytes*) → BOOL
EnumMinifilters(buf, size, bytes*) → BOOL
EnumDrivers(buf, size, bytes*) → BOOL
EnumPspCidTable(buf, size, bytes*) → BOOL

Callback Removal

RemoveProcessCallback(index) → BOOL
RemoveThreadCallback(index) → BOOL
RemoveImageCallback(index) → BOOL
RemoveObjectCallback(index, type, pre, post) → BOOL
RemoveRegistryCallback(index) → BOOL
UnlinkMinifilter(name) → BOOL

Callback Restore

RestoreProcessCallback(index) → BOOL
RestoreThreadCallback(index) → BOOL
RestoreImageCallback(index) → BOOL
RestoreObjectCallback(index, type, pre, post) → BOOL
RestoreRegistryCallback(index) → BOOL

Kernel Injection

KernelInjectShellcode(pid, code, size, resp*) → BOOL
KernelInjectDll(pid, path, resp*) → BOOL
KernelManualMap(pid, bytes, size, flags, resp*) → BOOL

Hypervisor Control

HvStart() → BOOL
HvStop() → BOOL
HvPing(resp*) → BOOL
HvInstallHooks() → BOOL
HvRemoveHooks() → BOOL
HvProtectProcess(pid) → BOOL
HvUnprotectProcess(pid) → BOOL
HvListProtected(resp*) → BOOL

HV Driver Hiding

HvHideDriver(name) → BOOL
HvUnhideDriver(name) → BOOL
HvIsDriverHidden(name, resp*) → BOOL
HvListHiddenDrivers(resp*) → BOOL
HvClearHiddenDrivers() → BOOL

HV Memory Operations

HvReadVm(pid, addr, size, buf, bytes*) → BOOL
HvWriteVm(pid, addr, data, size, bytes*) → BOOL

Early Injection

EarlyInjectArm(proc, dll, method, oneShot) → BOOL
EarlyInjectDisarm() → BOOL
EarlyInjectStatus(resp*) → BOOL

Hiding Features

HideFile(path) / UnhideFile(path) → BOOL
ListHiddenFiles(resp*) → BOOL
HideProcess(pid) / UnhideProcess(pid) → BOOL
ListHiddenProcesses(resp*) → BOOL
HidePort(port) / UnhidePort(index) → BOOL
ListHiddenPorts(resp*) → BOOL
HideMemory(pid, addr, prot) → BOOL

Physical Memory

TranslateVa(pid, va, resp*) → BOOL
ReadPhysical(pa, buf, size, bytes*) → BOOL
WritePhysical(pa, data, size, bytes*) → BOOL
PhysReadVm(pid, va, buf, size, bytes*) → BOOL
EnumVmRegions(pid, buf, size, bytes*) → BOOL

EPT Hooks

EptHookInstall(pid, addr, patch, size, resp*) → BOOL
EptHookRemove(index) → BOOL
EptHookList(resp*) → BOOL
RegChangeInstall(pid, addr, reg, val, resp*) → BOOL
RegChangeRemove(index) → BOOL
RegChangeList(resp*) → BOOL

Process Control

KillProcessTerminate(pid) → BOOL
KillProcessUnmap(pid) → BOOL
KillProcessPebCorrupt(pid) → BOOL
SuspendProcess(pid) / ResumeProcess(pid) → BOOL
SuspendThread(tid) / ResumeThread(tid) → BOOL
TerminateThread(tid) → BOOL
EnumSystemThreads(buf, size, bytes*) → BOOL
EnumAllKernelThreads(buf, size, bytes*) → BOOL

Packet Capture

PacketStartCapture(pid) → BOOL
PacketStopCapture() → BOOL
PacketGetState(resp*) → BOOL
PacketGetPackets(buf, size, bytes*) → BOOL
PacketAddFilter(rule*) → BOOL
PacketRemoveFilter(index) → BOOL
PacketClearFilters() / PacketClearBuffer() → BOOL

Key Structures

TargetProcessRequest

Used for process-targeted operations

struct TargetProcessRequest {
    ULONG ProcessId;
};

CallbackInformation

Returned by callback enumeration

struct CallbackInformation {
    CHAR ModuleName[256];
    ULONG64 CallbackAddress;
    ULONG64 ModuleBase;
    ULONG64 ModuleOffset;
    ULONG Index;
};

CidEntry

PspCidTable enumeration result

struct CidEntry {
    ULONG Id;              // PID or TID
    ULONG64 ObjectAddress; // EPROCESS or ETHREAD
    CidObjectType Type;    // Process or Thread
    ULONG ParentPid;
    CHAR ProcessName[16];
};

KernelInjectShellcodeResponse

Kernel shellcode injection result

struct KernelInjectShellcodeResponse {
    ULONG64 AllocatedAddress;
    BOOLEAN Success;
};

HvPingResponse

Hypervisor status

struct HvPingResponse {
    BOOLEAN IsRunning;
    BOOLEAN HooksInstalled;
    ULONG ProtectedProcessCount;
};

TranslateVaResponse

Page table walk result

struct TranslateVaResponse {
    ULONG64 Cr3;
    PageTableEntryResult Pml4e, Pdpte, Pde, Pte;
    ULONG64 PhysicalAddress;
    ULONG PageSize;
    UCHAR WalkDepth;
    UCHAR Success;
};

EptHookInstallResponse

EPT hook installation result

struct EptHookInstallResponse {
    ULONG HookIndex;
    BOOLEAN Success;
};

CapturedPacketData

WFP captured packet

struct CapturedPacketData {
    ULONG64 Id, Timestamp;
    ULONG ProcessId;
    PacketDirection Direction;
    PacketProtocol Protocol;
    ULONG LocalAddr, RemoteAddr;
    USHORT LocalPort, RemotePort;
    USHORT PayloadSize;
    UCHAR Payload[1500];
};

Rust Crate Functions

callback crate

• is_driver_loaded() -> bool
• protect_process(pid) -> Result
• unprotect_process(pid) -> Result
• enable_all_privileges(pid) -> Result
• clear_debug_flags(pid) -> Result
• enumerate_process_callbacks() -> Result<Vec<CallbackInfo>>
• enumerate_pspcidtable() -> Result<Vec<CidEntry>>
• hv_inject_shellcode(pid, &[u8]) -> Result<HvInjectResult>
• hv_inject_dll(pid, &str) -> Result<HvInjectDllResult>

misc crate

• inject_dll(pid, path) -> Result
• inject_dll_manual_map(pid, path) -> Result
• inject_shellcode_classic(pid, path) -> Result
• inject_shellcode_threadless(pid, path, dll, func) -> Result
• hollow_process(host, payload) -> Result
• ghost_process(payload) -> Result
• steal_token(pid, exe, args) -> Result
• scan_process_hooks(pid) -> Result<Vec<HookInfo>>
• unhook_dll_remote(pid, dll, base) -> Result