Kernel Driver
Ring 0: Direct kernel structure manipulation via a custom WDM driver. Provides security-research capabilities that bypass user-mode restrictions.
Security Research Only
The kernel driver provides powerful capabilities that can bypass Windows security mechanisms. Use only on test systems with proper authorization.
Overview
The kernel driver is located in kernelmode/DioProcess/ and provides:
- Direct _EPROCESS and _TOKEN structure manipulation
- Kernel callback enumeration and removal
- PspCidTable enumeration for hidden process detection
- Minifilter enumeration and unlinking
- Kernel-mode injection via RtlCreateUserThread
- Real-time system event capture (17 event types)
- Bundled Intel VT-x hypervisor for Ring -1 operations
Windows Version Support
✓ Supported
- Windows 10: 1507 (10240) through 22H2 (19045)
- Windows 11: 21H2 (22000) through 24H2 (26100)
✗ Not Supported
- Windows 8.1 and earlier
- 32-bit Windows
- Windows Server (untested)
Features
- Installation: Load and configure the kernel driver
- Process Protection: Apply/remove PPL protection via EPROCESS manipulation
- Privilege Escalation: Enable all 40 Windows privileges via TOKEN modification
- Callback Enumeration: List process, thread, image, object, and registry callbacks
- Kernel Injection: Shellcode and DLL injection via RtlCreateUserThread
- Early Injection: Inject DLLs before any user code executes
- System Events: Real-time kernel event capture with SQLite persistence
PatchGuard Safety
The driver's operations do not trigger PatchGuard/KPP because they involve:
- ✓ Data-only modifications to per-process and per-token structures
- ✓ No kernel code patching
- ✓ No SSDT/IDT/GDT modifications
- ✓ No function hooking
PatchGuard monitors only code patches and critical kernel table modifications; direct writes to _EPROCESS and _TOKEN fields are pure data modifications.
Driver Architecture
kernelmode/DioProcess/
├── DioProcess.sln              # Visual Studio solution
├── DioProcessDriver/
│   ├── DioProcessDriver.cpp    # Main driver code
│   ├── DioProcessDriver.h      # Protection structures, version detection
│   ├── DioProcessCommon.h      # Shared event structures + IOCTLs
│   ├── IRP/DeviceControl.cpp   # IOCTL handlers
│   ├── Callbacks/              # Kernel callback registration
│   ├── Enumeration/            # Callback/CidTable enumeration
│   ├── Injection/              # Kernel injection + early injection
│   └── Hypervisor/             # Bundled Intel VT-x hypervisor
└── DioProcessCli/              # Test CLI client