DioProcess

Hypervisor

Ring -1

Intel VT-x based hypervisor bundled into DioProcess.sys for advanced security research at the hypervisor level.

Advanced Feature

The hypervisor operates below the kernel (Ring -1) and can bypass Ring 0 protections. Use only on test systems with proper authorization.

Architecture

┌─────────────────────────────────────────────────────────────┐
│                 DioProcess UI (Dioxus)                      │
│   Hypervisor Tab [Ring -1]                                  │
└──────────────────────────┬──────────────────────────────────┘
                           │ DeviceIoControl
┌──────────────────────────▼──────────────────────────────────┐
│              callback crate (Rust bindings)                  │
│   hv_is_running(), hv_inject_shellcode(), hv_inject_dll()   │
└──────────────────────────┬──────────────────────────────────┘
                           │ IOCTL
┌──────────────────────────▼──────────────────────────────────┐
│                  DioProcess.sys                              │
│   ┌─────────────────────────────────────────────────────┐   │
│   │  Ring 0: Kernel Driver (IOCTL handlers, memory ops) │   │
│   └──────────────────────────┬──────────────────────────┘   │
│                              │ VMCALL                        │
│   ┌──────────────────────────▼──────────────────────────┐   │
│   │  Ring -1: Bundled Hypervisor (Intel VT-x, EPT)      │   │
│   └─────────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────────┘

Requirements

  • Intel CPU with VT-x support
  • Hyper-V disabled: bcdedit /set hypervisorlaunchtype off
  • DioProcess.sys loaded (the hypervisor is bundled in the driver; no separate driver is needed)

Features

Key Capabilities

Physical Memory Access

Read/write physical memory via EPT translation, bypassing Ring 0 protections

EPT Hooks

Split-page hooks where read shows original bytes, execute shows patched bytes

VMCALL Interface

Hypercall interface for Ring 0 to Ring -1 communication

CR3 Page Table Walk

Physical memory scanning via direct page table traversal
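The walk behind a CR3-based scanner is the standard 4-level x86-64 translation: CR3 points at the PML4, each level's 9-bit index selects an 8-byte entry, the present bit decides whether to descend, and the PS bit at the PDPT or PD level ends the walk early with a 1 GiB or 2 MiB page. The block below is an added example written for this page, not DioProcess's own code; it runs the walk against a constructed in-memory model of physical RAM (the `PhysMem` type, the table addresses and the "DIOPROC" marker are all made up for the example) and then scans a virtual range for a byte pattern, skipping pages that are not mapped instead of faulting on them. This is the same traversal a memory-forensics tool performs on a RAM image, which is why it is useful to understand independently of the hypervisor that performs it here.

```rust
// Added example (not DioProcess code): 4-level x86-64 page-table walk and a
// pattern scan over a virtual range, driven by a constructed model of RAM.
use std::collections::HashMap;

/// Constructed stand-in for physical memory: a sparse byte map. Anything not
/// written reads as zero, which conveniently makes untouched table entries
/// "not present".
#[derive(Default)]
pub struct PhysMem {
    bytes: HashMap<u64, u8>,
}

impl PhysMem {
    pub fn write_bytes(&mut self, pa: u64, data: &[u8]) {
        for (i, b) in data.iter().enumerate() {
            self.bytes.insert(pa + i as u64, *b);
        }
    }
    pub fn write_u64(&mut self, pa: u64, v: u64) {
        self.write_bytes(pa, &v.to_le_bytes());
    }
    pub fn read_u8(&self, pa: u64) -> u8 {
        *self.bytes.get(&pa).unwrap_or(&0)
    }
    pub fn read_u64(&self, pa: u64) -> u64 {
        let mut b = [0u8; 8];
        for (i, slot) in b.iter_mut().enumerate() {
            *slot = self.read_u8(pa + i as u64);
        }
        u64::from_le_bytes(b)
    }
}

const PRESENT: u64 = 1 << 0;
const PAGE_SIZE_BIT: u64 = 1 << 7; // PS: 1 GiB page in a PDPTE, 2 MiB page in a PDE
const ADDR_MASK: u64 = 0x000F_FFFF_FFFF_F000; // bits 51:12 of a table entry

/// Split a virtual address into its four 9-bit table indices and 12-bit offset.
pub fn pt_indices(va: u64) -> (u64, u64, u64, u64, u64) {
    ((va >> 39) & 0x1FF, (va >> 30) & 0x1FF, (va >> 21) & 0x1FF, (va >> 12) & 0x1FF, va & 0xFFF)
}

/// Translate `va` by walking the tables rooted at `cr3`. Returns None as soon
/// as a level is not present; stops early at 1 GiB and 2 MiB pages.
pub fn walk(mem: &PhysMem, cr3: u64, va: u64) -> Option<u64> {
    let (pml4i, pdpti, pdi, pti, off) = pt_indices(va);
    let pml4e = mem.read_u64((cr3 & ADDR_MASK) + pml4i * 8);
    if pml4e & PRESENT == 0 { return None; }
    let pdpte = mem.read_u64((pml4e & ADDR_MASK) + pdpti * 8);
    if pdpte & PRESENT == 0 { return None; }
    if pdpte & PAGE_SIZE_BIT != 0 {
        // 1 GiB page: bits 51:30 are the frame, low 30 bits come from va
        return Some((pdpte & 0x000F_FFFF_C000_0000) | (va & 0x3FFF_FFFF));
    }
    let pde = mem.read_u64((pdpte & ADDR_MASK) + pdi * 8);
    if pde & PRESENT == 0 { return None; }
    if pde & PAGE_SIZE_BIT != 0 {
        // 2 MiB page: bits 51:21 are the frame, low 21 bits come from va
        return Some((pde & 0x000F_FFFF_FFE0_0000) | (va & 0x1F_FFFF));
    }
    let pte = mem.read_u64((pde & ADDR_MASK) + pti * 8);
    if pte & PRESENT == 0 { return None; }
    Some((pte & ADDR_MASK) | off)
}

/// Scan [va_start, va_end) page by page, translating each 4 KiB page and
/// searching it for `pattern`. Unmapped pages are skipped. Matches that would
/// straddle a page boundary are not reported (a deliberate simplification).
pub fn scan_range(mem: &PhysMem, cr3: u64, va_start: u64, va_end: u64, pattern: &[u8]) -> Vec<u64> {
    let mut hits = Vec::new();
    if pattern.is_empty() || pattern.len() > 0x1000 { return hits; }
    let mut page = va_start & !0xFFF;
    while page < va_end {
        if let Some(pa) = walk(mem, cr3, page) {
            let bytes: Vec<u8> = (0..0x1000u64).map(|i| mem.read_u8(pa + i)).collect();
            for i in 0..=(0x1000 - pattern.len()) {
                if &bytes[i..i + pattern.len()] == pattern {
                    hits.push(page + i as u64);
                }
            }
        }
        page += 0x1000;
    }
    hits
}

/// Constructed address space: CR3 at 0x1000; VA 0x401000 -> PA 0x40000 (4 KiB),
/// VA 0x600000 -> PA 0x8000_0000 (2 MiB page), VA 0x4000_0000 -> PA 0xC000_0000 (1 GiB page).
pub fn sample_space() -> (PhysMem, u64) {
    let mut mem = PhysMem::default();
    let cr3 = 0x1000u64;
    mem.write_u64(cr3, 0x2000 | 3);                                   // PML4[0] -> PDPT
    mem.write_u64(0x2000, 0x3000 | 3);                                // PDPT[0] -> PD
    mem.write_u64(0x2000 + 8, 0xC000_0000 | PAGE_SIZE_BIT | 3);       // PDPT[1]: 1 GiB page
    mem.write_u64(0x3000 + 2 * 8, 0x4000 | 3);                        // PD[2] -> PT
    mem.write_u64(0x3000 + 3 * 8, 0x8000_0000 | PAGE_SIZE_BIT | 3);   // PD[3]: 2 MiB page
    mem.write_u64(0x4000 + 8, 0x4_0000 | 3);                          // PT[1] -> frame 0x40000
    mem.write_bytes(0x4_0100, b"DIOPROC");                            // marker in the 4 KiB page
    mem.write_bytes(0x8000_1020, b"DIOPROC");                         // marker inside the 2 MiB page
    (mem, cr3)
}

fn main() {
    let (mem, cr3) = sample_space();
    println!("0x401234 -> {:?}", walk(&mem, cr3, 0x401234).map(|p| format!("{p:#x}")));
    for hit in scan_range(&mem, cr3, 0x40_0000, 0x80_0000, b"DIOPROC") {
        println!("pattern at VA {hit:#x}");
    }
}
```

Two points the scan makes concrete: a scanner that translates through the page tables only ever touches frames the target's own tables map, so it never needs to guess where a process's memory lives in RAM, and a walk that returns None for non-present entries lets the scan skip holes and paged-out regions rather than faulting.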

PatchGuard Safety

Hypervisor operations do not trigger PatchGuard:

  • ✓ Data-only modifications to usermode memory
  • ✓ Hypervisor operates outside PatchGuard's monitoring scope
  • ✓ No kernel code patching or table modifications

Implementation

  • Location: kernelmode/.../Hypervisor/
  • Hypercall key: 69420 (hardcoded)
  • Virtualization: OS virtualized at driver load time