DioProcess

EPT Hooks

Install execution-page hooks via hypervisor EPT (Extended Page Tables). Reads of the hooked page return the original bytes, while instruction fetches from it execute the patched bytes.

Input Modes

Hex Mode

Simple

Patch the execution page with raw hex bytes. Supported formats: 90 90 90, 0x90, 909090. Max 256 bytes.

Assembly Mode

Intel Syntax

Write Intel syntax assembly, assembled at target address with live byte preview. Save/load .aa assembly script files.

Detour Mode

Advanced

Allocates an RWX cave near the hook point (within ±2GB, the reach of JMP rel32) and assembles the detour code there. The EPT hook then redirects execution to the cave via JMP.

  • Return jump auto-appended: FF 25 00 00 00 00 [8-byte abs addr]
  • Stolen bytes minimum: 5 (for E9 JMP rel32 + NOP padding)
  • Default stolen bytes: 6

.dph Hook Script System

Save EPT hook configurations to .dph (DioProcess Hook) files for portable, repeatable hook application. Scripts survive process restarts via module+offset addressing.

example.dph
# DioProcess Hook Script
[hook]
name = My Hook
target = Tutorial-x86_64.exe+45D7D
mode = detour
stolen_bytes = 6

[code]
add [rbx+0x7F8], edx

Fields

  • name — Display name (optional, defaults to filename)
  • target — module+offset or absolute hex 0x7FF645D7D
  • mode — hex, assembly (or asm), or detour
  • stolen_bytes — Only for detour mode (default 6, minimum 5)
  • [code] — Everything after this line is the hook payload
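
A validator for the fields listed above, useful for reviewing a .dph file before it is applied. This is an added Python example, not DioProcess code: it enforces only the rules this page states, and the function names, the tolerance for a 0x-prefixed offset and the rejection of an empty hex payload are assumptions.

```python
import re

MODES = {"hex": "hex", "assembly": "assembly", "asm": "assembly", "detour": "detour"}
TARGET_RE = re.compile(r"^(?:0[xX](?P<abs>[0-9A-Fa-f]+)|(?P<module>.+)\+(?:0[xX])?(?P<off>[0-9A-Fa-f]+))$")

# The page's own example.dph, embedded so the block runs offline.
SAMPLE = """# DioProcess Hook Script
[hook]
name = My Hook
target = Tutorial-x86_64.exe+45D7D
mode = detour
stolen_bytes = 6

[code]
add [rbx+0x7F8], edx
"""

def parse_hex_payload(text):
    """Accept '90 90 90', '0x90, 0x90' or '909090'; enforce the 256-byte maximum."""
    data = bytes.fromhex(" ".join(re.sub(r"^0[xX]", "", t) for t in re.split(r"[\s,]+", text.strip())))
    if not data or len(data) > 256:  # rejecting an empty payload is an assumption
        raise ValueError(f"hex payload is {len(data)} bytes, expected 1..256")
    return data

def parse_dph(text, filename="script.dph"):  # returns a dict or raises ValueError
    fields, code_lines, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if section == "code":  # everything after [code] is payload, comments included
            code_lines.append(raw)
        elif line.lower() in ("[hook]", "[code]"):
            section = line[1:-1].lower()
        elif section == "hook" and "=" in line and not line.startswith("#"):
            key, value = (p.strip() for p in line.split("=", 1))
            fields[key.lower()] = value
        elif line and not line.startswith("#"):
            raise ValueError(f"unexpected line: {raw!r}")
    mode = MODES.get(fields.get("mode", "").lower())
    m = TARGET_RE.match(fields.get("target", ""))
    if mode is None or m is None:
        raise ValueError("need mode = hex|assembly|asm|detour and target = module+offset or 0x...")
    target = int(m["abs"], 16) if m["abs"] else (m["module"], int(m["off"], 16))
    hook = {"name": fields.get("name") or filename, "mode": mode, "target": target}
    if mode == "detour":  # stolen_bytes applies to detour mode only: default 6, minimum 5
        hook["stolen_bytes"] = int(fields.get("stolen_bytes", "6"))
        if hook["stolen_bytes"] < 5:
            raise ValueError("stolen_bytes must be at least 5")
    code = "\n".join(code_lines).strip()
    return {**hook, "code": parse_hex_payload(code) if mode == "hex" else code}
```

In hex mode the returned code is the decoded bytes; in assembly and detour modes it is the unassembled source text.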

Usage

Install EPT Hook

  1. Navigate to Memory Scanner tab
  2. Select a process and scan for values
  3. Right-click a result → Install EPT Hook
  4. Choose input mode (Hex/Assembly/Detour)
  5. Enter hook code
  6. Click Install

Save .dph Script

Click "Save .dph" on any active EPT hook row. The address is reverse-resolved to module+offset format.

Load .dph Script

  1. Memory Scanner → Scripts sub-tab
  2. Click Load .dph
  3. Script appears in table with "Pending" status
  4. Click Apply or Apply All

Apply from Process Context Menu

Right-click process → Miscellaneous → Apply .dph Script → browse file

Active Hooks Table

Shows all installed EPT hooks with:

  • Hook index
  • Target PID
  • Target address
  • Patch size
  • Actions: Save .dph, Remove

Functions

Function             Description
install_ept_hook()   Install EPT hook, returns hook index
remove_ept_hook()    Remove EPT hook by index
list_ept_hooks()     List all active hooks
assemble()           Assemble Intel syntax to bytes