API Reference

C/C++

Complete documentation of all 80+ DioProcess SDK methods organized by category.

DioProcessSDK Class

Main SDK class that wraps driver communication.

class DioProcessSDK {
public:
    DioProcessSDK();
    ~DioProcessSDK();
    
    BOOL Open();
    void Close();
    BOOL IsOpen() const;
    
    // 80+ methods organized by category below
};

Connection Methods

Method	Returns	Description
Open()	BOOL	Open handle to \\.\DioProcess driver
Close()	void	Close driver handle
IsOpen()	BOOL	Check if driver handle is valid

Collection Control Methods

Control kernel callback event collection.

Method	Returns	Description
StartCollection()	BOOL	Start collecting callback events
StopCollection()	BOOL	Stop callback event collection
GetCollectionState()	BOOL	Query whether collection is active
RegisterCallbacks()	BOOL	Register kernel callbacks (Ps, Ob, Cm)
UnregisterCallbacks()	BOOL	Unregister all kernel callbacks

Process Protection Methods

Manipulate kernel-level process protection (PPL/PS_PROTECTION).

Method	Returns	Description
ProtectProcess(ULONG pid)	BOOL	Apply PPL protection to process (WinTcb signer)
UnprotectProcess(ULONG pid)	BOOL	Remove PPL protection from process
ProtectProcessEx(ULONG pid, ProcessProtectionLevel level)	BOOL	Apply specific protection level (None/Light/Full)
EnableAllPrivileges(ULONG pid)	BOOL	Enable all 40 token privileges (SeDebugPrivilege, etc.)
ClearDebugFlags(ULONG pid)	BOOL	Clear anti-debug flags (DebugPort, BeingDebugged, NtGlobalFlag)

Callback Enumeration Methods

Enumerate registered kernel callbacks from various subsystems.

Method	Output Structure
EnumProcessCallbacks(buf, size, &returned)	CallbackInformation[]
EnumThreadCallbacks(buf, size, &returned)	CallbackInformation[]
EnumImageCallbacks(buf, size, &returned)	CallbackInformation[]
EnumObjectCallbacks(buf, size, &returned)	ObjectCallbackInformation[]
EnumRegistryCallbacks(buf, size, &returned)	RegistryCallbackInformation[]
EnumMinifilters(buf, size, &returned)	MinifilterInformation[]

All enumeration methods return ULONG count at buffer start, followed by array of structures.

Callback Removal Methods

Remove (NOP out) kernel callbacks by index.

Method	Returns	Description
RemoveProcessCallback(ULONG index)	BOOL	Remove process callback by index
RemoveThreadCallback(ULONG index)	BOOL	Remove thread callback by index
RemoveImageCallback(ULONG index)	BOOL	Remove image load callback by index
RemoveObjectCallback(ULONG index)	BOOL	Remove object callback (ObRegisterCallbacks)
RemoveRegistryCallback(ULONG index)	BOOL	Remove registry callback by index
UnlinkMinifilter(LPCWSTR name)	BOOL	Unlink minifilter callbacks by name

Callback Restore Methods

Restore previously removed kernel callbacks.

Method	Returns	Description
RestoreProcessCallback(ULONG index)	BOOL	Restore removed process callback
RestoreThreadCallback(ULONG index)	BOOL	Restore removed thread callback
RestoreImageCallback(ULONG index)	BOOL	Restore removed image callback
RestoreObjectCallback(ULONG index)	BOOL	Restore removed object callback
RestoreRegistryCallback(ULONG index)	BOOL	Restore removed registry callback

Hypervisor Control Methods

Control the Ring -1 hypervisor.

Method	Returns	Description
HvStart()	BOOL	Start the hypervisor (virtualize OS)
HvStop()	BOOL	Stop the hypervisor
HvPing(HvPingResponse*)	BOOL	Get hypervisor status and hook count
HvProtectProcess(ULONG pid)	BOOL	Hide process via hypervisor EPT
HvUnprotectProcess(ULONG pid)	BOOL	Unhide process from EPT
HvHideDriver(LPCWSTR name)	BOOL	Hide driver from enumeration
HvUnhideDriver(LPCWSTR name)	BOOL	Unhide driver
HvInjectShellcode(pid, buf, size)	BOOL	Ring -1 shellcode injection via EPT
HvInjectDll(pid, path)	BOOL	Ring -1 DLL injection via EPT
HvInstallHooks()	BOOL	Install all EPT hooks
HvRemoveHooks()	BOOL	Remove all EPT hooks

HV Memory Methods

Read/write memory via hypervisor EPT.

Method	Returns	Description
HvReadVm(ULONG pid, ULONG64 addr, buf, size)	BOOL	Read virtual memory via hypervisor
HvWriteVm(ULONG pid, ULONG64 addr, buf, size)	BOOL	Write virtual memory via hypervisor

DKOM Hiding Methods

Hide processes via Direct Kernel Object Manipulation.

Method	Returns	Description
HideProcess(ULONG pid)	BOOL	Unlink process from ActiveProcessLinks
UnhideProcess(ULONG pid)	BOOL	Relink process to list
EnumHiddenProcesses(buf, size, &count)	BOOL	List currently hidden processes

File Hiding Methods

Hide files from directory enumeration.

Method	Returns	Description
HideFile(LPCWSTR path)	BOOL	Hide file from directory listing
UnhideFile(LPCWSTR path)	BOOL	Unhide file
EnumHiddenFiles(buf, size, &count)	BOOL	List currently hidden files

Port Hiding Methods

Hide TCP/UDP ports from network enumeration.

Method	Returns	Description
HidePort(USHORT port, UCHAR proto)	BOOL	Hide TCP(6) or UDP(17) port
UnhidePort(USHORT port, UCHAR proto)	BOOL	Unhide port
EnumHiddenPorts(buf, size, &count)	BOOL	List currently hidden ports

Memory Hiding Methods

Hide memory regions from process enumeration.

Method	Returns	Description
HideMemory(ULONG pid, ULONG64 addr, ULONG size)	BOOL	Hide memory region from VAD enumeration

Kernel Injection Methods

Inject code from Ring 0 via RtlCreateUserThread.

Method	Returns	Description
KernelInjectShellcode(req, resp)	BOOL	Ring 0 shellcode injection
KernelInjectDll(req, resp)	BOOL	Ring 0 DLL injection via LoadLibraryW
KernelManualMap(req, resp)	BOOL	Ring 0 manual mapping (no IAT)

Early Injection Methods

Inject DLLs at process creation before user code runs.

Method	Returns	Description
EarlyInjectArm(target, dllPath, oneShot)	BOOL	Arm injection for target process name
EarlyInjectDisarm()	BOOL	Disarm early injection
EarlyInjectStatus(EarlyInjectStatusResponse*)	BOOL	Get injection state and count

Physical Memory Methods

Direct physical memory access via MmCopyMemory.

Method	Returns	Description
TranslateVa(pid, virtAddr, TranslateVaResp*)	BOOL	Walk CR3 page tables VA → PA
ReadPhysical(physAddr, buf, size)	BOOL	Read from physical address
WritePhysical(physAddr, buf, size)	BOOL	Write to physical address
PhysReadVm(pid, virtAddr, buf, size)	BOOL	Read via translate + physical read

VM Region Methods

Enumerate virtual memory regions.

Method	Returns	Description
EnumVmRegions(pid, buf, size, &count)	BOOL	List VM regions via VAD tree walk

EPT Hook Methods

Install invisible execute-page hooks via Extended Page Tables.

Method	Returns	Description
EptHookInstall(pid, addr, patch, size, &idx)	BOOL	Install EPT hook with patch bytes
EptHookRemove(ULONG hookIndex)	BOOL	Remove EPT hook by index
EptHookList(buf, size, &count)	BOOL	List all active EPT hooks

Register Change Methods

Monitor and modify registers at specific addresses.

Method	Returns	Description
RegChangeInstall(pid, addr, reg, op, val, &idx)	BOOL	Install register change hook
RegChangeRemove(ULONG hookIndex)	BOOL	Remove register change by index
RegChangeRemoveAll()	BOOL	Remove all register changes
RegChangeList(buf, size, &count)	BOOL	List all register changes

Process Kill Methods

Various methods to terminate protected processes.

Method	Returns	Description
KillProcessTerminate(ULONG pid)	BOOL	Terminate via ZwTerminateProcess
KillProcessUnmap(ULONG pid)	BOOL	Unmap main module sections
KillProcessPebCorrupt(ULONG pid)	BOOL	Corrupt PEB to crash process

Thread Control Methods

Suspend, resume, and terminate threads.

Method	Returns	Description
SuspendProcess(ULONG pid)	BOOL	Suspend all threads in process
ResumeProcess(ULONG pid)	BOOL	Resume all threads in process
SuspendThread(ULONG tid)	BOOL	Suspend single thread
ResumeThread(ULONG tid)	BOOL	Resume single thread
TerminateThread(ULONG tid)	BOOL	Terminate thread via ZwTerminateThread

System Thread Enumeration

Enumerate kernel-mode system threads.

Method	Returns	Description
EnumSystemThreads(buf, size, &count)	BOOL	List system threads (PID 4)
EnumAllKernelThreads(buf, size, &count)	BOOL	List all kernel-mode threads

Packet Capture Methods

Network packet capture via NDIS filter driver.

Method	Returns	Description
PacketStartCapture(interfaceIdx)	BOOL	Start capturing on interface
PacketStopCapture()	BOOL	Stop packet capture
PacketGetPackets(buf, size, &count)	BOOL	Retrieve captured packets
PacketAddFilter(filterRule)	BOOL	Add BPF-style packet filter
PacketRemoveFilter(filterId)	BOOL	Remove packet filter
PacketClearFilters()	BOOL	Clear all packet filters
PacketGetStats(PacketCaptureStats*)	BOOL	Get capture statistics
PacketEnumInterfaces(buf, size, &count)	BOOL	List available network interfaces

Memory Copy Methods

Read process memory via MmCopyVirtualMemory.

Method	Returns	Description
CopyMemory(pid, srcAddr, dstBuf, size)	BOOL	Copy memory from target process (KsDumper-style)

Configuration Methods

Configure driver offsets for different Windows versions.

Method	Returns	Description
SetRegistryCallbackOffsets(cookie, context)	BOOL	Set CM_CALLBACK offsets
SetEthreadOffsets(startAddr, win32Start)	BOOL	Set ETHREAD field offsets
SetThreadApiAddresses(suspend, resume, term)	BOOL	Set thread API function addresses

Key Structures

// Callback information (process, thread, image)
struct CallbackInformation {
    ULONG Index;                                // Callback slot index
    ULONG64 CallbackAddress;                    // Kernel address
    CHAR ModuleName[MAX_MODULE_NAME_LENGTH];    // Driver name
};

// Object callback (ObRegisterCallbacks)
struct ObjectCallbackInformation {
    CHAR ModuleName[MAX_MODULE_NAME_LENGTH];
    CHAR Altitude[MAX_ALTITUDE_LENGTH];
    ObjectCallbackType ObjectType;
    ObjectCallbackOperations Operations;
    ULONG64 PreOperationCallback;
    ULONG64 PostOperationCallback;
    ULONG Index;
};

// CID table entry
struct CidTableEntry {
    ULONG Id;                                   // PID or TID
    ULONG64 ObjectAddress;                      // EPROCESS or ETHREAD
    CidObjectType ObjectType;                   // Process or Thread
    ULONG ParentPid;                            // Parent/owner PID
    CHAR ProcessName[MAX_PROCESS_NAME_LENGTH];  // Image file name
};

// Hypervisor ping response
struct HvPingResponse {
    BOOLEAN IsRunning;
    BOOLEAN HooksInstalled;
    ULONG ProtectedProcessCount;
    ULONG HiddenDriverCount;
};

// Physical memory translation
struct TranslateVaResponse {
    ULONG64 PhysicalAddress;
    ULONG PageSize;
    BOOLEAN Valid;
};

// EPT hook info
struct EptHookInfo {
    ULONG ProcessId;
    ULONG64 TargetAddress;
    ULONG PatchSize;
    ULONG HookIndex;
    BOOLEAN Active;
};

// Register change info
struct RegisterChangeInfo {
    ULONG ProcessId;
    ULONG64 Address;
    RegisterType Register;
    ChangeOperation Operation;
    ULONG64 Value;
    ULONG HookIndex;
    BOOLEAN Active;
};

// Hidden port info
struct HiddenPortInfo {
    USHORT Port;
    UCHAR Protocol;      // 6 = TCP, 17 = UDP
    ULONG Index;
};

// Packet capture entry
struct PacketEntry {
    ULONG64 Timestamp;
    ULONG Length;
    UCHAR Direction;     // 0 = inbound, 1 = outbound
    BYTE Data[MAX_PACKET_SIZE];
};

// Kernel inject request/response
struct KernelInjectShellcodeRequest {
    ULONG ProcessId;
    ULONG ShellcodeSize;
    BYTE Shellcode[4096];
};

struct KernelInjectResponse {
    ULONG64 ShellcodeAddress;
    ULONG64 ModuleBase;
    ULONG64 ThreadHandle;
    BOOLEAN Success;
};

// Early injection status
struct EarlyInjectStatusResponse {
    BOOLEAN Armed;
    WCHAR TargetProcess[MAX_PATH];
    WCHAR DllPath[MAX_PATH];
    BOOLEAN OneShot;
    ULONG InjectionCount;
    ULONG LastInjectedPid;
};

IOCTL Codes

Direct IOCTL codes for advanced usage (grouped by category):

Code	Name	Category
0x800	IOCTL_START_COLLECTION	Collection
0x801	IOCTL_STOP_COLLECTION	Collection
0x805	IOCTL_PROTECT_PROCESS	Protection
0x806	IOCTL_UNPROTECT_PROCESS	Protection
0x807	IOCTL_ENABLE_PRIVILEGES	Protection
0x808	IOCTL_CLEAR_DEBUG_FLAGS	Protection
0x809	IOCTL_ENUM_PROCESS_CALLBACKS	Callbacks
0x80A	IOCTL_ENUM_THREAD_CALLBACKS	Callbacks
0x80B	IOCTL_ENUM_IMAGE_CALLBACKS	Callbacks
0x810	IOCTL_REMOVE_CALLBACK	Callbacks
0x820	IOCTL_HV_START	Hypervisor
0x821	IOCTL_HV_STOP	Hypervisor
0x822	IOCTL_HV_PING	Hypervisor
0x840	IOCTL_HV_INJECT_SHELLCODE	Hypervisor
0x841	IOCTL_HV_INJECT_DLL	Hypervisor
0x850	IOCTL_HIDE_PROCESS	Hiding
0x860	IOCTL_HIDE_FILE	Hiding
0x870	IOCTL_HIDE_PORT	Hiding
0x880	IOCTL_KERNEL_INJECT_SHELLCODE	Injection
0x881	IOCTL_KERNEL_INJECT_DLL	Injection
0x890	IOCTL_EARLY_INJECT_ARM	Injection
0x8A0	IOCTL_TRANSLATE_VA	Memory
0x8A1	IOCTL_READ_PHYSICAL	Memory
0x8A2	IOCTL_WRITE_PHYSICAL	Memory
0x8B0	IOCTL_EPT_HOOK_INSTALL	EPT
0x8B1	IOCTL_EPT_HOOK_REMOVE	EPT
0x8C0	IOCTL_REG_CHANGE_INSTALL	EPT
0x900	IOCTL_PACKET_START_CAPTURE	Network
0x908	IOCTL_KILL_PROCESS	Control

Full IOCTL codes available in DioProcessSDK.h (100+ codes).

Error Handling

// All methods return BOOL/bool
if (!sdk.ProtectProcess(pid)) {
    DWORD error = GetLastError();
    
    // Common error codes:
    // ERROR_ACCESS_DENIED (5)     - Not admin
    // ERROR_FILE_NOT_FOUND (2)    - Driver not loaded
    // ERROR_INVALID_PARAMETER (87)- Invalid PID
    // ERROR_NOT_SUPPORTED (50)    - Unsupported Windows version
}