# IOCTL Codes

Device I/O control codes for communication with the kernel driver.

## Overview

The DioIPS application communicates with the kernel driver using IOCTLs (I/O control codes) sent through the DeviceIoControl API.

## Device Name

`\\.\DioIPS`

## IOCTL Codes
| Code | Name | Description |
|---|---|---|
| 0x800 | IOCTL_GET_EVENTS | Retrieve pending events from ring buffer |
| 0x804 | IOCTL_SET_RULES | Sync IPS rules to kernel |
| 0x808 | IOCTL_GET_STATUS | Get driver status and statistics |
| 0x80C | IOCTL_ENABLE_MODULE | Enable/disable monitoring module |
| 0x810 | IOCTL_CLEAR_EVENTS | Clear event ring buffer |
| 0x814 | IOCTL_GET_VERSION | Get driver version info |
| 0x818 | IOCTL_NDIS_EVENTS | Retrieve NDIS filter events |
| 0x81C | IOCTL_HV_EVENTS | Retrieve hypervisor events |
### IOCTL_GET_EVENTS

Retrieves pending events from the kernel ring buffer.

#### Input

- `MaxEvents: u32`

#### Output

- `EventCount: u32`
- `Events: [Event; N]`

### IOCTL_SET_RULES

Syncs IPS rules from usermode to kernel for high-performance matching.

#### Input

- `RuleCount: u32`
- `Rules: [Rule; N]`

#### Output

- `Status: u32`
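The two buffer layouts above, encoded and decoded in pure Rust as an added example (this is not code from the DioIPS project). The page gives only the field order, so the `Event` and `Rule` record layouts, their sizes, field names and little-endian byte order are assumptions; `ctl_code` is the standard Windows CTL_CODE formula, with the device type used in `main` assumed. The point a practitioner cares about is in `decode_get_events`: the `EventCount` header is cross-checked against the byte count DeviceIoControl actually reported, so a short or inconsistent response can never cause an out-of-bounds read in usermode.

```rust
use std::convert::TryInto;

// Assumed fixed-size, packed, little-endian records (not specified on the page).
const EVENT_SIZE: usize = 16;
const RULE_SIZE: usize = 12;

/// CTL_CODE(DeviceType, Function, Method, Access) from the Windows DDK.
pub fn ctl_code(device_type: u32, function: u32, method: u32, access: u32) -> u32 {
    (device_type << 16) | (access << 14) | (function << 2) | method
}

/// Assumed Event layout: timestamp u64, pid u32, event_type u32.
#[derive(Debug, Clone, PartialEq)]
pub struct Event { pub timestamp: u64, pub pid: u32, pub event_type: u32 }

/// Assumed Rule layout: id u32, action u32, target_pid u32.
#[derive(Debug, Clone, PartialEq)]
pub struct Rule { pub id: u32, pub action: u32, pub target_pid: u32 }

/// Build the IOCTL_SET_RULES input buffer: RuleCount followed by packed Rules.
pub fn encode_set_rules(rules: &[Rule]) -> Vec<u8> {
    let mut buf = Vec::with_capacity(4 + rules.len() * RULE_SIZE);
    buf.extend_from_slice(&(rules.len() as u32).to_le_bytes());
    for r in rules {
        buf.extend_from_slice(&r.id.to_le_bytes());
        buf.extend_from_slice(&r.action.to_le_bytes());
        buf.extend_from_slice(&r.target_pid.to_le_bytes());
    }
    buf
}

/// Parse the IOCTL_GET_EVENTS output buffer. `bytes_returned` is the value
/// DeviceIoControl wrote back; only that prefix of `buf` is trusted, and the
/// EventCount header must fit inside it.
pub fn decode_get_events(buf: &[u8], bytes_returned: usize) -> Result<Vec<Event>, String> {
    if bytes_returned > buf.len() {
        return Err("bytes_returned exceeds buffer length".into());
    }
    let data = &buf[..bytes_returned];
    if data.len() < 4 {
        return Err("output shorter than EventCount header".into());
    }
    let count = u32::from_le_bytes(data[0..4].try_into().unwrap()) as usize;
    let available = (data.len() - 4) / EVENT_SIZE;
    if count > available {
        return Err(format!("EventCount {} exceeds the {} events actually returned", count, available));
    }
    let mut events = Vec::with_capacity(count);
    for chunk in data[4..4 + count * EVENT_SIZE].chunks_exact(EVENT_SIZE) {
        events.push(Event {
            timestamp: u64::from_le_bytes(chunk[0..8].try_into().unwrap()),
            pid: u32::from_le_bytes(chunk[8..12].try_into().unwrap()),
            event_type: u32::from_le_bytes(chunk[12..16].try_into().unwrap()),
        });
    }
    Ok(events)
}

fn main() {
    // Constructed sample response carrying two events, placed in a 64 KiB
    // output buffer exactly as a usermode caller would receive it.
    let mut response = Vec::new();
    response.extend_from_slice(&2u32.to_le_bytes());
    for (ts, pid, ty) in [(1_700_000_000u64, 4242u32, 1u32), (1_700_000_001, 4243, 2)] {
        response.extend_from_slice(&ts.to_le_bytes());
        response.extend_from_slice(&pid.to_le_bytes());
        response.extend_from_slice(&ty.to_le_bytes());
    }
    let bytes_returned = response.len();
    response.resize(65536, 0);
    println!("{:?}", decode_get_events(&response, bytes_returned));
    // Full control code for function 0x800, assuming FILE_DEVICE_UNKNOWN (0x22),
    // METHOD_BUFFERED (0) and FILE_ANY_ACCESS (0).
    println!("{:#x}", ctl_code(0x22, 0x800, 0, 0));
    println!("{:?}", encode_set_rules(&[Rule { id: 1, action: 2, target_pid: 1234 }]));
}
```

The same discipline applies on the kernel side of IOCTL_SET_RULES: the driver must bound `RuleCount` by the input buffer length it was actually given rather than trusting the header, since usermode controls both.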
## Usage Example

```rust
// Rust example (assumes the windows-sys crate, 0.52+, where HANDLE is a pointer).
// The table lists function numbers; the full control code is CTL_CODE(DeviceType,
// Function, Method, Access). Device type and method are not given on this page,
// so FILE_DEVICE_UNKNOWN / METHOD_BUFFERED / FILE_ANY_ACCESS are assumed.
use std::mem::size_of;
use std::ptr::{null, null_mut};
use windows_sys::Win32::Foundation::{GENERIC_READ, GENERIC_WRITE, INVALID_HANDLE_VALUE};
use windows_sys::Win32::Storage::FileSystem::{CreateFileW, OPEN_EXISTING};
use windows_sys::Win32::System::IO::DeviceIoControl;

const IOCTL_GET_EVENTS: u32 = (0x22 << 16) | (0x800 << 2); // assumed CTL_CODE parameters

// CreateFileW takes a NUL-terminated UTF-16 path, not a Rust &str.
let path: Vec<u16> = "\\\\.\\DioIPS".encode_utf16().chain(std::iter::once(0)).collect();
let handle = unsafe {
    CreateFileW(path.as_ptr(), GENERIC_READ | GENERIC_WRITE, 0, null(), OPEN_EXISTING, 0, null_mut())
};
assert!(handle != INVALID_HANDLE_VALUE, "open failed: check GetLastError()");
let max_events: u32 = 256;          // input: MaxEvents
let mut events = vec![0u8; 65536];  // output: EventCount followed by Events
let mut bytes_returned = 0u32;
let ok = unsafe {
    DeviceIoControl(
        handle,
        IOCTL_GET_EVENTS,
        &max_events as *const u32 as *const _, size_of::<u32>() as u32,
        events.as_mut_ptr() as *mut _, events.len() as u32,
        &mut bytes_returned, null_mut(),
    )
};
// ok != 0 on success; only the first `bytes_returned` bytes of `events` are valid
```