DioProcess

Kernel Driver

Ring 0

Direct kernel structure manipulation via a custom WDM driver. Provides security research capabilities that bypass usermode restrictions.

Security Research Only

The kernel driver provides powerful capabilities that can bypass Windows security mechanisms. Use only on test systems with proper authorization.

Overview

The kernel driver is located in kernelmode/DioProcess/ and provides:

  • Direct _EPROCESS and _TOKEN structure manipulation
  • Kernel callback enumeration and removal
  • PspCidTable enumeration for hidden process detection
  • Minifilter enumeration and unlinking
  • Kernel-mode injection via RtlCreateUserThread
  • Real-time system event capture (17 event types)
  • Bundled Intel VT-x hypervisor for Ring -1 operations

Windows Version Support

✓ Supported

  • Windows 10: 1507 (10240) through 22H2 (19045)
  • Windows 11: 21H2 (22000) through 24H2 (26100)

✗ Not Supported

  • Windows 8.1 and earlier
  • 32-bit Windows
  • Windows Server (untested)

Features

PatchGuard Safety

The driver operations do not trigger PatchGuard/KPP because:

  • ✓ Data-only modifications to per-process/per-token structures
  • ✓ No kernel code patching
  • ✓ No SSDT/IDT/GDT modifications
  • ✓ No function hooking

PatchGuard only monitors code patches and modifications to critical kernel tables. Direct writes to _EPROCESS and _TOKEN fields are pure data modifications, and the field offsets vary between Windows builds, which is why the driver carries per-version offset detection (see DioProcessDriver.h) and is limited to the builds listed above.

Driver Architecture

kernelmode/DioProcess/
├── DioProcess.sln              # Visual Studio solution
├── DioProcessDriver/
│   ├── DioProcessDriver.cpp    # Main driver code
│   ├── DioProcessDriver.h      # Protection structures, version detection
│   ├── DioProcessCommon.h      # Shared event structures + IOCTLs
│   ├── IRP/DeviceControl.cpp   # IOCTL handlers
│   ├── Callbacks/              # Kernel callback registration
│   ├── Enumeration/            # Callback/CidTable enumeration
│   ├── Injection/              # Kernel injection + early injection
│   └── Hypervisor/             # Bundled Intel VT-x hypervisor
└── DioProcessCli/              # Test CLI client