DioIPS

Structures

Technical

Data structures used in driver communication.

Event Header

Common header for all events:

// Fixed header that begins every event record; each event struct below embeds
// it as its first field. `event_size` counts the whole record (header, fixed
// fields and the trailing variable-length strings) and is what a reader uses to
// step to the next record. Because the size and the `*_len` fields come from
// the record itself, a reader should reject a record whose event_size is
// smaller than its fixed fields plus its declared variable-length data, or
// larger than the bytes remaining in the buffer, before touching the strings.
struct EventHeader {
    event_type: u16,      // Event type ID; selects which event struct follows
    event_size: u16,      // Total event size in bytes, including trailing strings (so a record is at most 65535 bytes)
    timestamp: u64,       // FILETIME timestamp: 100-ns intervals since 1601-01-01 UTC
    process_id: u32,      // Source process ID
    thread_id: u32,       // Source thread ID
}

Process Event

// Process event. The two `*_len` fields count UTF-16 code units (u16 elements,
// per the trailing array declarations), not bytes; the strings follow the fixed
// fields back to back in the order listed. Whether a record describes a create
// or an exit is not carried in this struct -- presumably header.event_type
// distinguishes them; confirm against the event type ID list.
struct ProcessEvent {
    header: EventHeader,
    parent_pid: u32,           // Parent process ID
    creating_pid: u32,         // Creating process ID (NOTE(review): how this differs from parent_pid is not stated here -- confirm)
    exit_code: u32,            // Exit code; only meaningful for exit events
    image_path_len: u16,       // Length of image path, in u16 code units
    command_line_len: u16,     // Length of command line, in u16 code units
    // Followed by:
    // image_path: [u16; image_path_len]
    // command_line: [u16; command_line_len]
}

Network Event

// Network event. Only IPv4 endpoints fit in this layout (4-byte address
// fields); how IPv6 traffic is reported, if at all, is not described here.
// The byte order of the port fields is not stated on this page -- confirm
// whether they are network or host order before comparing against rules.
struct NetworkEvent {
    header: EventHeader,
    protocol: u8,              // IPPROTO_TCP, IPPROTO_UDP, etc.
    direction: u8,             // 0 = inbound, 1 = outbound
    local_addr: [u8; 4],       // Local IPv4 address
    remote_addr: [u8; 4],      // Remote IPv4 address
    local_port: u16,           // Local port (byte order not specified here)
    remote_port: u16,          // Remote port (byte order not specified here)
    process_name_len: u16,     // Length of process name, in u16 code units
    // Followed by:
    // process_name: [u16; process_name_len]
}

Registry Event

// Registry event. `status` carries the NTSTATUS of the operation; NTSTATUS is
// conventionally a signed 32-bit value whose severity lives in the top bits,
// so interpret it by those bits rather than as an unsigned magnitude. The
// numeric encoding of `operation` is not given on this page.
struct RegistryEvent {
    header: EventHeader,
    operation: u8,             // Create, Open, SetValue, etc. (numeric values not listed here)
    status: u32,               // NTSTATUS result of the operation
    key_path_len: u16,         // Length of key path, in u16 code units
    value_name_len: u16,       // Length of value name, in u16 code units; may be 0 when no value is involved -- confirm
    // Followed by:
    // key_path: [u16; key_path_len]
    // value_name: [u16; value_name_len]
}

File Event

// File event. `is_pe` is a driver-side classification of the file contents;
// how the detection is performed (header check vs. full parse) is not
// described here, so treat it as a hint rather than proof of a valid PE.
struct FileEvent {
    header: EventHeader,
    operation: u8,             // Create, Write, Delete, etc. (numeric values not listed here)
    is_pe: u8,                 // 1 if the driver detected a PE file, else 0
    file_size: u64,            // File size in bytes
    file_path_len: u16,        // Length of file path, in u16 code units
    // Followed by:
    // file_path: [u16; file_path_len]
}

Image Load Event

// Image load event: a module mapped into the process named in the header.
// The meaning of individual bits in `flags` is not defined on this page;
// presumably they distinguish kernel-mode from user-mode images -- confirm.
struct ImageLoadEvent {
    header: EventHeader,
    image_base: u64,           // Base address the image was mapped at
    image_size: u64,           // Mapped size in bytes
    flags: u32,                // System/kernel image flags (bit layout not given here)
    image_path_len: u16,       // Length of image path, in u16 code units
    // Followed by:
    // image_path: [u16; image_path_len]
}

Injection Event

// Cross-process injection event. `source_pid` is the process performing the
// action and `target_pid` the one acted upon; `access_mask` is the access the
// source requested, which is the value a detection rule would compare against
// the rights needed for injection. The numeric encoding of `injection_type`
// is not given on this page.
struct InjectionEvent {
    header: EventHeader,
    injection_type: u8,        // RemoteThread, Handle, etc. (numeric values not listed here)
    source_pid: u32,           // Source (acting) process ID
    target_pid: u32,           // Target process ID
    access_mask: u32,          // Requested access rights
    source_name_len: u16,      // Length of source name, in u16 code units
    target_name_len: u16,      // Length of target name, in u16 code units
    // Followed by:
    // source_name: [u16; source_name_len]
    // target_name: [u16; target_name_len]
}

IPS Rule

// IPS rule as exchanged with the driver. Unlike the event structs it has no
// EventHeader; `pattern` follows the fixed fields as UTF-16. The numeric
// encodings of `match_type` and `action`, and the pattern syntax (literal vs.
// wildcard), are not given on this page -- confirm before authoring rules.
struct IpsRule {
    rule_id: u32,              // Unique rule ID
    enabled: u8,               // 0 = disabled, 1 = enabled
    match_type: u8,            // Process, File, Network, etc. (numeric values not listed here)
    action: u8,                // Log, Alert, Block, Kill (numeric values not listed here)
    pattern_len: u16,          // Length of pattern, in u16 code units
    // Followed by:
    // pattern: [u16; pattern_len]
}

Notes

  • All strings are UTF-16LE encoded; the `*_len` fields count u16 code units, as the trailing array declarations show, not bytes
  • Structures are packed (no padding), so multi-byte fields are not naturally aligned and should be read with unaligned loads or by copying them out
  • Variable-length data follows the fixed fields, in the order listed in each struct
  • Use event_size to skip to the next event; reject a record whose event_size is smaller than its fixed fields plus its declared variable-length data, or larger than the bytes remaining in the buffer