DioProcess

Kernel Injection

Inject shellcode and DLLs from kernel mode via RtlCreateUserThread, bypassing usermode hooks.

Bypasses Usermode Security

Kernel injection bypasses usermode hooks and monitoring. Use only for authorized security research.

Methods

Kernel Shellcode Injection

Ring 0

Allocate RWX memory in target process, write shellcode, create thread from kernel mode.

  1. Resolve RtlCreateUserThread via MmGetSystemRoutineAddress
  2. PsLookupProcessByProcessId() to get EPROCESS
  3. KeStackAttachProcess() to attach to target
  4. ZwAllocateVirtualMemory() to allocate RWX memory
  5. RtlCopyMemory() to write shellcode
  6. RtlCreateUserThread() at shellcode address
  7. Cleanup: ZwClose, KeUnstackDetachProcess, ObDereferenceObject

Kernel DLL Injection

Ring 0

Resolve LoadLibraryW in target process via PEB walking, create thread with DLL path.

  1. Resolve RtlCreateUserThread dynamically
  2. Get LoadLibraryW address in target:
     • Get PEB via PROCESS_PEB_OFFSET[version]
     • Walk PEB→Ldr→InLoadOrderModuleList to find kernel32.dll
     • Parse PE export directory to find LoadLibraryW
  3. Attach to target process
  4. Allocate memory for wide-char DLL path
  5. Write DLL path via RtlCopyMemory
  6. RtlCreateUserThread(LoadLibraryW, dll_path_addr)

Advantages over Usermode Injection

  • Bypasses usermode hooks — No ntdll.dll syscall interception
  • No CreateRemoteThread — Uses kernel-only RtlCreateUserThread
  • Direct memory access — No WriteProcessMemory API calls
  • Harder to detect — No usermode API call traces
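The usermode hooks these methods sidestep are not the only observer: the kernel's own thread-creation notify callbacks (PsSetCreateThreadNotifyRoutine) still fire for a thread started with RtlCreateUserThread, so both methods leave a cross-process thread that telemetry can see. The following is an added example, not DioProcess code, of the triage a defender could run over such thread events; the event fields, the sample values and the rule thresholds are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed, simplified record of what a kernel thread-creation callback or an
# EDR's thread telemetry could report. Field names and semantics are assumptions.
@dataclass
class ThreadEvent:
    source_pid: int              # process whose thread issued the create
    target_pid: int              # process the new thread runs in
    start_addr: int              # thread start address
    start_module: Optional[str]  # image backing start_addr, None if private memory
    start_export: Optional[str]  # export name resolved at start_addr, if any
    region_executable: bool      # region holding start_addr is executable
    region_writable: bool        # ... and writable (RWX when both are True)

LOADER_EXPORTS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}

def classify(ev: ThreadEvent) -> Optional[str]:
    """Return a verdict for a suspicious cross-process thread, else None."""
    if ev.source_pid == ev.target_pid:
        return None  # a process starting its own thread is out of scope here
    # Shellcode method: thread starts in private (image-less) RWX memory.
    if ev.start_module is None and ev.region_executable and ev.region_writable:
        return "remote thread in private RWX memory"
    # DLL method: thread starts directly at a kernel32 LoadLibrary* export.
    if (ev.start_module and ev.start_module.lower() == "kernel32.dll"
            and ev.start_export in LOADER_EXPORTS):
        return "remote thread at kernel32!" + ev.start_export
    return None

def triage(events: List[ThreadEvent]) -> List[Tuple[int, int, str]]:
    """(source_pid, target_pid, verdict) for every event that trips a rule."""
    return [(e.source_pid, e.target_pid, v)
            for e in events if (v := classify(e)) is not None]

# Constructed sample: a benign local thread, one matching the shellcode
# method (private RWX start) and one matching the DLL method (LoadLibraryW).
SAMPLE_EVENTS = [
    ThreadEvent(4120, 4120, 0x7FF6A0C01000, "notepad.exe", None, True, False),
    ThreadEvent(2336, 4120, 0x20AB1F50000, None, None, True, True),
    ThreadEvent(2336, 4120, 0x7FFB1E2D1A20, "KERNEL32.DLL", "LoadLibraryW", True, False),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("source %d -> target %d: %s" % hit)
```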

Usage

  1. Ensure the kernel driver is loaded
  2. Right-click on a process in the Process tab
  3. Navigate to Miscellaneous → Kernel Injection
  4. Select Shellcode Injection or DLL Injection
  5. Browse for shellcode file (.bin) or DLL file

Implementation

Item                 Location
Rust bindings        crates/misc/src/kernel_inject.rs
Kernel code          kernelmode/.../DioProcessDriver.cpp
IOCTL (Shellcode)    0x80C
IOCTL (DLL)          0x80D