Process & Driver Hiding
Hide processes and kernel drivers from Ring 0 enumeration via EPT manipulation.
Process Hiding
Hide processes from Ring 0 enumeration tools. The process continues to run but becomes invisible to kernel-level process enumeration.
IOCTLs
- HV_PROTECT_PROCESS (0x830) — Hide process
- HV_UNPROTECT_PROCESS (0x831) — Unhide process
- HV_IS_PROCESS_PROTECTED (0x832) — Check if hidden
- HV_LIST_PROTECTED (0x833) — List hidden processes
Driver Hiding
Hide kernel drivers from Ring 0 enumeration. Useful for hiding the DioProcess driver itself or other drivers from detection.
IOCTLs
- HV_HIDE_DRIVER (0x834) — Hide driver by name
- HV_UNHIDE_DRIVER (0x835) — Unhide driver
- HV_IS_DRIVER_HIDDEN (0x836) — Check if hidden
- HV_REMOVE_HIDDEN_DRIVER (0x837) — Remove from hidden list
- HV_CLEAR_HIDDEN_DRIVERS (0x838) — Clear all hidden
- HV_LIST_HIDDEN_DRIVERS (0x839) — List hidden drivers
A maximum of 16 drivers can be hidden simultaneously (MAX_HIDDEN_DRIVERS).
How It Works
The hypervisor uses EPT (Extended Page Tables) to manipulate memory visibility:
- EPT hooks intercept memory reads to kernel structures
- Hidden entries are filtered from enumeration results
- The actual process/driver continues to execute normally
- Only Ring 0 enumeration is affected — Ring -1 can still see everything
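That last point is also where detection gets traction: the hypervisor-level (Ring -1) view stays complete while the Ring 0 view is filtered, so comparing the two exposes whatever has been hidden. The C program below is an added example, not part of DioProcess, that performs such a cross-view comparison on two constructed driver lists; the same approach applies to process lists, so it serves both the process-hiding and driver-hiding sections. The two views, the dpdrv.sys entry and the driver_name_eq / cross_view_diff / demo_hidden_drivers helpers are assumptions for illustration; the 64-byte name buffer and the 16-entry limit are the page's own.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Limits taken from the page: driver names are 64-byte buffers and at most
 * MAX_HIDDEN_DRIVERS (16) drivers can be hidden at once. */
#define DRIVER_NAME_LEN    64
#define MAX_HIDDEN_DRIVERS 16

/* One driver name as reported by an enumeration source. */
typedef struct {
    char name[DRIVER_NAME_LEN];
} DriverEntry;

/* Case-insensitive, bounded comparison of two driver names (assumed helper). */
static int driver_name_eq(const char *a, const char *b)
{
    for (size_t i = 0; i < DRIVER_NAME_LEN; i++) {
        int ca = tolower((unsigned char)a[i]);
        int cb = tolower((unsigned char)b[i]);
        if (ca != cb) return 0;
        if (ca == '\0') return 1;
    }
    return 1; /* both names filled all 64 bytes and matched throughout */
}

/* Cross-view comparison (assumed helper): every entry present in the trusted
 * view (what a Ring -1 / hypervisor-level source sees) but missing from the
 * Ring 0 view (what in-guest enumeration reports) is a hidden-entry
 * discrepancy. Returns the number of discrepancies; up to out_cap of them
 * are copied into out. */
size_t cross_view_diff(const DriverEntry *ring0, size_t ring0_count,
                       const DriverEntry *trusted, size_t trusted_count,
                       DriverEntry *out, size_t out_cap)
{
    size_t found = 0;
    for (size_t i = 0; i < trusted_count; i++) {
        int present = 0;
        for (size_t j = 0; j < ring0_count; j++) {
            if (driver_name_eq(trusted[i].name, ring0[j].name)) {
                present = 1;
                break;
            }
        }
        if (!present) {
            if (found < out_cap)
                memcpy(out[found].name, trusted[i].name, DRIVER_NAME_LEN);
            found++;
        }
    }
    return found;
}

/* Constructed sample views; these are not real enumeration output. */
static const DriverEntry kRing0View[] = {
    { "ntoskrnl.exe" }, { "hal.dll" }, { "tcpip.sys" },
};
static const DriverEntry kTrustedView[] = {
    { "ntoskrnl.exe" }, { "hal.dll" }, { "tcpip.sys" }, { "dpdrv.sys" },
};

/* Runs the comparison on the constructed views; returns the discrepancy
 * count and fills out (capacity MAX_HIDDEN_DRIVERS) with the hidden names. */
size_t demo_hidden_drivers(DriverEntry *out)
{
    return cross_view_diff(kRing0View, sizeof kRing0View / sizeof kRing0View[0],
                           kTrustedView, sizeof kTrustedView / sizeof kTrustedView[0],
                           out, MAX_HIDDEN_DRIVERS);
}

int main(void)
{
    DriverEntry hidden[MAX_HIDDEN_DRIVERS];
    size_t n = demo_hidden_drivers(hidden);
    printf("%zu driver(s) visible to the trusted view but not to Ring 0:\n", n);
    for (size_t i = 0; i < n && i < MAX_HIDDEN_DRIVERS; i++)
        printf("  %s\n", hidden[i].name);
    return 0;
}
```

The comparison is bounded by DRIVER_NAME_LEN rather than relying on a terminating NUL, because a 64-byte name field that is completely filled has no terminator; any real trusted view would come from outside the filtered Ring 0 path, as the page's own description implies.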
Usage
Access via the Hypervisor tab:
- Process Hiding section — Select process, click Hide/Unhide
- Driver Hiding section — Enter driver name (e.g., "dpdrv.sys"), click Hide
- View currently hidden items in the respective lists
Structures
| Structure | Fields |
|---|---|
| HideDriverRequest | DriverName[64] |
| DriverHiddenResponse | IsHidden, HiddenCount |
| HiddenDriverListResponse | Count, DriverNames[16][64] |