
Hypervisor

Ring -1

DdiMon-based Intel VT-x hypervisor providing EPT shadow hooks for transparent syscall monitoring. Detects injection attempts at the lowest level.

Requirements

  • Intel VT-x — AMD processors not supported
  • Hyper-V disabled — Cannot run nested
  • Bare metal only — No VM support

Overview

The hypervisor uses Intel VT-x Extended Page Tables (EPT) to create shadow hooks on syscalls. This allows monitoring without modifying kernel code, making it invisible to most detection methods.

  • EPT hooks — Execute-only pages with shadow copies
  • Transparent — No kernel code modification
  • Ring -1 — Runs below the kernel
  • Event push — Events sent to main driver ring buffer

How EPT Hooks Work

  1. Hypervisor creates a shadow copy of the target page
  2. Original page is marked execute-only in EPT
  3. Shadow page contains the hook (jump to handler)
  4. Execution uses shadow page, reads use original page
  5. Handler logs the event and returns to original code
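The five steps above, as an added toy model that is not DioIPS or DdiMon code: one EPT entry backs the hooked guest page with either the execute-only shadow copy or the read/write original, and every access the current view forbids raises an EPT violation that the hypervisor services by swapping the view. The 16-byte page, the opcode values and all function and struct names are hypothetical, constructed for illustration.

```c
/* Added example, not DioIPS or DdiMon code: a toy model of the EPT shadow
 * hook in steps 1-5 above. All names, the 16-byte page and the opcode
 * values are hypothetical, constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 16            /* toy page size so a sample page fits inline */
#define OP_STUB_BYTE  0x90      /* first byte of the constructed syscall stub */
#define OP_JMP_HOOK   0xE9      /* first byte of the hook: jump to handler */

enum access { ACC_READ, ACC_WRITE, ACC_EXEC };

/* One EPT entry for the hooked guest page: which host page backs it, and
 * the read/write/execute rights the guest gets on that view. */
struct ept_entry {
    const uint8_t *backing;
    int r, w, x;
};

struct shadow_hook {
    uint8_t original[PAGE_SIZE];   /* untouched copy, served to reads */
    uint8_t shadow[PAGE_SIZE];     /* copy with the hook, served to execution */
    struct ept_entry ept;
    unsigned violations;           /* VM exits the hypervisor had to handle */
};

/* Steps 1-3: copy the page, patch the copy, map the copy execute-only. */
static void hook_install(struct shadow_hook *h, const uint8_t *page)
{
    memcpy(h->original, page, PAGE_SIZE);
    memcpy(h->shadow, page, PAGE_SIZE);
    h->shadow[0] = OP_JMP_HOOK;
    h->ept.backing = h->shadow;
    h->ept.r = 0; h->ept.w = 0; h->ept.x = 1;
    h->violations = 0;
}

/* Step 4, hypervisor side: an access the current view forbids raises an EPT
 * violation; the handler swaps in the view that permits it and resumes. */
static void ept_violation_handler(struct shadow_hook *h, enum access a)
{
    h->violations++;
    if (a == ACC_EXEC) {
        h->ept.backing = h->shadow;          /* back to execute-only shadow */
        h->ept.r = 0; h->ept.w = 0; h->ept.x = 1;
    } else {
        h->ept.backing = h->original;        /* read/write original, no execute */
        h->ept.r = 1; h->ept.w = 1; h->ept.x = 0;
    }
}

/* Step 4, guest side: one access at a byte offset. Returns the byte the guest
 * observes, after any violation has been serviced and the access retried. */
static uint8_t guest_access(struct shadow_hook *h, enum access a, unsigned off)
{
    int allowed = (a == ACC_READ  && h->ept.r) ||
                  (a == ACC_WRITE && h->ept.w) ||
                  (a == ACC_EXEC  && h->ept.x);
    if (!allowed)
        ept_violation_handler(h, a);
    return h->ept.backing[off % PAGE_SIZE];
}

/* Scenario: the CPU fetches the hooked page, a kernel integrity check then
 * reads it, and execution returns to it. out[0..2] are the three bytes
 * observed at offset 0, out[3] the number of EPT violations taken.
 * Returns 0 when the original page was never modified. */
static int hook_scenario(unsigned out[4])
{
    uint8_t page[PAGE_SIZE];          /* constructed syscall stub: NOP sled */
    memset(page, OP_STUB_BYTE, sizeof page);
    struct shadow_hook h;
    hook_install(&h, page);
    out[0] = guest_access(&h, ACC_EXEC, 0);   /* execution sees the jump */
    out[1] = guest_access(&h, ACC_READ, 0);   /* reader sees the original */
    out[2] = guest_access(&h, ACC_EXEC, 0);   /* execution sees the jump again */
    out[3] = h.violations;                    /* two view swaps were needed */
    return memcmp(h.original, page, PAGE_SIZE);
}

int main(void)
{
    unsigned r[4];
    int unchanged = hook_scenario(r) == 0;
    printf("exec=0x%02X read=0x%02X exec=0x%02X violations=%u original_intact=%d\n",
           r[0], r[1], r[2], r[3], unchanged);
    return 0;
}
```

The scenario shows why a byte-comparison integrity check cannot see the hook: the read view is the unmodified original, so the check passes. The only trace is the violation counter, which stands in for the VM exits each view swap costs; on real hardware that cost is what makes such hooks observable as timing differences rather than as changed code.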

Monitored Syscalls

  Syscall                 Purpose                    Detection
  NtWriteVirtualMemory    Write to process memory    Cross-process injection

Additional syscalls can be hooked by extending the hypervisor configuration.
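The handler side of the hook above, as an added example that is not DioIPS code: when execution lands in the NtWriteVirtualMemory hook, the handler compares the calling process with the process that owns the target memory, ignores self-writes, and pushes cross-process writes into a ring buffer that the main driver drains (the "Event push" item in the Overview). The struct and function names, the four-slot ring size and the replayed sample calls are hypothetical, constructed for illustration; the ring deliberately drops rather than blocks when full, since a hypervisor handler cannot wait on the driver.

```c
/* Added example, not DioIPS code: the handler side of a hooked
 * NtWriteVirtualMemory, classifying the call and pushing cross-process
 * writes into a ring buffer for the main driver. Names, the buffer size and
 * the replayed calls are hypothetical, constructed for illustration. */
#include <stdint.h>
#include <stdio.h>

#define RING_SLOTS 4   /* tiny so the "driver did not drain in time" path runs */

struct hv_event {
    uint32_t caller_pid;   /* process issuing the syscall */
    uint32_t target_pid;   /* process owning the written memory */
    uint64_t address;      /* BaseAddress argument */
    uint64_t length;       /* NumberOfBytesToWrite argument */
};

/* Single-producer ring the hypervisor fills and the main driver drains. */
struct event_ring {
    struct hv_event slot[RING_SLOTS];
    unsigned head;      /* next slot to write */
    unsigned count;     /* slots in use */
    unsigned dropped;   /* events lost because the ring was full */
};

static void ring_init(struct event_ring *r) { r->head = r->count = r->dropped = 0; }

static int ring_push(struct event_ring *r, const struct hv_event *e)
{
    if (r->count == RING_SLOTS) {
        r->dropped++;                 /* count the loss rather than block in the VMM */
        return 0;
    }
    r->slot[r->head] = *e;
    r->head = (r->head + 1) % RING_SLOTS;
    r->count++;
    return 1;
}

static int ring_pop(struct event_ring *r, struct hv_event *out)
{
    if (r->count == 0)
        return 0;
    *out = r->slot[(r->head + RING_SLOTS - r->count) % RING_SLOTS];
    r->count--;
    return 1;
}

/* Hook handler: only a write into another process is an injection candidate. */
static int on_nt_write_virtual_memory(struct event_ring *r, uint32_t caller_pid,
                                      uint32_t target_pid, uint64_t address,
                                      uint64_t length)
{
    if (caller_pid == target_pid)
        return 0;   /* a process patching its own memory (JIT, unpackers) */
    struct hv_event e = { caller_pid, target_pid, address, length };
    return ring_push(r, &e);
}

/* Replays constructed sample calls through the handler; returns queued count. */
static unsigned replay_sample_calls(struct event_ring *r)
{
    static const struct { uint32_t caller, target; uint64_t addr, len; } calls[] = {
        { 1200, 1200, 0x7ff600001000ULL,   64 },  /* self-write: ignored */
        { 1200, 3400, 0x7ff700002000ULL, 4096 },  /* cross-process: queued */
        { 4100, 3400, 0x7ff700006000ULL,  512 },  /* cross-process: queued */
        { 4100, 5200, 0x000000a00000ULL,   16 },  /* cross-process: queued */
        { 6000, 3400, 0x7ff700009000ULL, 2048 },  /* cross-process: queued */
        { 6000, 3400, 0x7ff70000a000ULL,  256 },  /* ring full: dropped */
    };
    unsigned queued = 0;
    for (size_t i = 0; i < sizeof calls / sizeof calls[0]; i++)
        queued += on_nt_write_virtual_memory(r, calls[i].caller, calls[i].target,
                                             calls[i].addr, calls[i].len);
    return queued;
}

int main(void)
{
    struct event_ring ring;
    struct hv_event e;
    ring_init(&ring);
    unsigned queued = replay_sample_calls(&ring);
    printf("queued=%u dropped=%u\n", queued, ring.dropped);
    while (ring_pop(&ring, &e))        /* what the main driver would drain */
        printf("pid %u wrote %llu bytes into pid %u at 0x%llx\n", e.caller_pid,
               (unsigned long long)e.length, e.target_pid,
               (unsigned long long)e.address);
    return 0;
}
```

The dropped counter is worth surfacing in the driver: a burst of cross-process writes that overflows the ring is itself a signal, and silently losing events would hide exactly the activity the hook exists to record.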

Usage

  1. Ensure Hyper-V is disabled in Windows Features
  2. Start the DioIPS application
  3. Enable the hypervisor from the Dashboard
  4. View hypervisor events in the Hypervisor tab
  5. Cross-process write attempts will be logged