Kernel Hiding
Ring -1
Hide processes, files, and network ports from kernel-level enumeration using hypervisor EPT manipulation.
Security Research Only
Overview
The DioProcess hypervisor operates at Ring -1 (below the kernel), allowing it to intercept and modify kernel data structures without being detected by the kernel itself. This enables hiding of:
- Processes — Unlink from ActiveProcessLinks and PspCidTable
- Files — Filter directory enumeration results
- Ports — Hide from netstat/Get-NetTCPConnection
Requirements
- DioProcess kernel driver with bundled hypervisor loaded
- Intel VT-x capable processor with EPT support
- Hyper-V disabled (hypervisorlaunchtype off)
- Secure Boot disabled
Features
How EPT Hiding Works
Extended Page Tables (EPT) provide a second layer of address translation controlled by the hypervisor. By manipulating EPT entries, the hypervisor can:
- Intercept reads/writes to specific physical memory addresses
- Present different data to guest reads vs actual memory contents
- Modify kernel data structures transparently to the OS
This makes hypervisor-level hiding extremely difficult to detect from within the guest OS: the kernel cannot directly observe the hypervisor's manipulations, because every read it performs goes through the EPT mapping the hypervisor controls.
Detection Considerations
While Ring -1 hiding is powerful, it can still be detected via:
- Timing analysis (EPT violations add measurable latency)
- CPUID leaf checks for virtualization
- Comparison of multiple enumeration methods
- Hardware performance counters
- Another hypervisor observing the first hypervisor
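The third item, comparing several enumeration methods, is the cross-view technique defenders use against any hiding layer, including a Ring -1 one. The script below is an added example, not part of DioProcess or this page: it takes the same enumeration (PIDs here, but the same functions work for file names or `(protocol, port)` tuples) as returned by several independent APIs, reports entries that some views return and others do not, and only keeps a discrepancy that recurs across repeated sampling rounds, which filters out the process and port churn that occurs between two non-atomic snapshots. The view names and PID values are constructed sample data, not real system output.

```python
"""Cross-view discrepancy check (added example, not DioProcess code).

Compare the same enumeration taken through several independent methods and
flag entries that are present in at least one view but absent from another.
"""
from typing import Dict, Hashable, Iterable, List, Set


def cross_view_diff(views: Dict[str, Set[Hashable]]) -> Dict[Hashable, List[str]]:
    """Return {entry: [names of views that did NOT report it]} for every entry
    that at least one view returned and at least one other view did not."""
    union: Set[Hashable] = set().union(*views.values())
    missing: Dict[Hashable, List[str]] = {}
    for entry in union:
        absent = sorted(name for name, seen in views.items() if entry not in seen)
        if absent:
            missing[entry] = absent
    return missing


def persistent_discrepancies(
    rounds: Iterable[Dict[str, Set[Hashable]]],
) -> Dict[Hashable, List[str]]:
    """Keep only discrepancies that appear in every sampling round, and only
    the views that miss the entry in every round. A process that exits between
    two API calls shows up in one round only and is dropped; an entry that one
    view consistently fails to return is kept."""
    result: Dict[Hashable, List[str]] = {}
    first = True
    for views in rounds:
        diff = cross_view_diff(views)
        if first:
            result, first = diff, False
            continue
        narrowed = {}
        for entry in result.keys() & diff.keys():
            common = sorted(set(result[entry]) & set(diff[entry]))
            if common:
                narrowed[entry] = common
        result = narrowed
    return result


def report(discrepancies: Dict[Hashable, List[str]]) -> List[str]:
    """Render discrepancies as one line per suspicious entry."""
    return [
        f"{entry}: not reported by {', '.join(views)}"
        for entry, views in sorted(discrepancies.items(), key=lambda kv: repr(kv[0]))
    ]


# Constructed sample rounds (not real system data). View names are labels for
# hypothetical enumeration methods. PID 4242 is returned only by the third view
# in both rounds; PID 9001 exited between calls in round 1 and is gone in round 2.
SAMPLE_ROUNDS = [
    {
        "toolhelp_snapshot": {4, 612, 1340, 9001},
        "ntquerysysteminformation": {4, 612, 1340, 9001},
        "pid_bruteforce_openprocess": {4, 612, 1340, 4242},
    },
    {
        "toolhelp_snapshot": {4, 612, 1340},
        "ntquerysysteminformation": {4, 612, 1340},
        "pid_bruteforce_openprocess": {4, 612, 1340, 4242},
    },
]

if __name__ == "__main__":
    for line in report(persistent_discrepancies(SAMPLE_ROUNDS)):
        print(line)
```

A single snapshot from the constructed data flags both 4242 and the transient 9001; after two rounds only 4242 survives, with the two views that never returned it. In practice the views should be as independent as possible (a user-mode API, a kernel-mode walk, and an out-of-guest observer such as the "another hypervisor" item above), since a hiding layer that sits below all of them will produce no discrepancy at all.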
UI Access
Hiding features are available in the Hypervisor tab and in the process context menu:
- Hypervisor tab — Manage all hiding rules
- Process context menu → Miscellaneous → Hide Process (Ring -1)