DioProcess

Ring -1 Injection

Hypervisor

Inject shellcode and DLLs via hypervisor physical memory access, bypassing Ring 0 protections.

Bypasses Ring 0 Protections

Ring -1 injection writes directly to physical memory via EPT, making it invisible to Ring 0 monitoring tools.

Methods

HV Shellcode Injection

Allocate RWX memory from Ring 0, write shellcode via hypervisor physical memory access.

  1. Open target process, allocate RWX memory via ZwAllocateVirtualMemory
  2. Touch memory via RtlZeroMemory while attached — creates physical backing
  3. Detach from process context
  4. VMCALL to hypervisor: EPT translate virtual → physical, write shellcode
  5. Create thread via RtlCreateUserThread at shellcode address

HV DLL Injection

Same physical memory approach for LoadLibraryW-based DLL injection.

  1. Allocate memory for DLL path, touch to page in
  2. VMCALL to write DLL path via physical memory
  3. Resolve LoadLibraryW via GetLoadLibraryWAddress()
  4. Create thread with RtlCreateUserThread(LoadLibraryW, path_addr)
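
In both procedures only the write goes through the hypervisor; the allocation and the new thread are still ordinary process state that a defender can inspect. The following Python check is an added example, not DioProcess code: it classifies thread-creation records against a process memory map to flag the shellcode pattern (entry point in private executable memory) and the DLL pattern (LoadLibraryW entry with a private-memory argument). The record layout, field names, symbol format and sample values are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Region:            # one entry of a process's virtual memory map
    base: int
    size: int
    protect: str         # "RWX", "RX", "RW", ...
    kind: str            # "private", "image" or "mapped"

@dataclass(frozen=True)
class ThreadStart:       # one thread-creation record
    tid: int
    start: int           # thread entry point
    param: int           # thread argument
    symbol: str = ""     # entry point resolved to module!export, if any

def region_of(regions, addr):
    return next((r for r in regions if r.base <= addr < r.base + r.size), None)

def classify(regions, ev):
    """Flag thread starts matching either procedure described on this page."""
    findings = []
    code = region_of(regions, ev.start)
    arg = region_of(regions, ev.param)
    # Shellcode procedure: the entry point is in private memory, not an image.
    if code and code.kind == "private" and "X" in code.protect:
        findings.append("entry point in private %s memory" % code.protect)
    # DLL procedure: entry is LoadLibraryW, argument is a private buffer.
    if ev.symbol.lower() == "kernel32!loadlibraryw" and arg and arg.kind == "private":
        findings.append("LoadLibraryW entry with private-memory argument")
    return findings

# Constructed sample data, not captured from a real system.
REGIONS = [
    Region(0x7FF6_1000_0000, 0x20000, "RX", "image"),    # main executable
    Region(0x7FFB_2000_0000, 0x90000, "RX", "image"),    # kernel32.dll
    Region(0x0000_0210_0000, 0x1000, "RWX", "private"),  # RWX allocation
    Region(0x0000_0220_0000, 0x1000, "RW", "private"),   # DLL path buffer
]
EVENTS = [
    ThreadStart(101, 0x7FF6_1000_1500, 0),               # ordinary thread
    ThreadStart(102, 0x0000_0210_0000, 0),               # shellcode pattern
    ThreadStart(103, 0x7FFB_2000_4000, 0x0000_0220_0000, "kernel32!LoadLibraryW"),
]

def scan(regions=REGIONS, events=EVENTS):
    """Map each flagged thread id to its findings."""
    return {e.tid: f for e in events if (f := classify(regions, e))}

if __name__ == "__main__": print(scan())
```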

Key Advantages

  • Physical memory writes — Bypasses Ring 0 memory protections
  • Invisible to Ring 0 — Monitoring tools can't see the writes
  • EPT translation — Direct virtual → physical address conversion
  • No usermode API calls — Bypasses all usermode hooks

Memory Paging Requirement

Important

Memory must be "paged in" before the hypervisor can write. Allocated virtual memory has no physical backing until accessed. The driver touches memory with RtlZeroMemory while attached to the process context to force page-in.

Usage

Access via two methods:

From Process Context Menu

Right-click process → Miscellaneous → HV Inject Shellcode (Ring -1) or HV Inject DLL (Ring -1)

From Hypervisor Tab

Hypervisor tab → Injection section → Select process, browse for shellcode/DLL

Return Values

HvInjectResult (Shellcode)

  • bytes_written — Bytes written via VMCALL
  • thread_handle — Handle to created thread
  • shellcode_address — Where shellcode was written
  • success — Operation result

HvInjectDllResult (DLL)

  • module_base — Base address of loaded DLL
  • path_address — Where DLL path was written
  • success — Operation result

IOCTLs

  IOCTL                  Code
  HV_INJECT_SHELLCODE    0x840
  HV_INJECT_DLL          0x841