EPT Shadow Hooks
Ring -1: Transparent syscall monitoring via Intel VT-x Extended Page Tables.
Hardware Requirements
- Intel processor with VT-x and EPT support
- Hyper-V must be disabled
- Bare metal only (no VM support)
Overview
EPT (Extended Page Tables) shadow hooks allow monitoring syscalls without modifying kernel code. The hypervisor creates a shadow copy of the target page that contains the hook and maps it for execution only, while reads and writes are served from the original, unmodified page.
How It Works
```text
┌───────────────────────────────────────────────┐
│                    Guest OS                   │
│   ┌─────────────┐         ┌─────────────┐     │
│   │ Read Access │         │ Exec Access │     │
│   └──────┬──────┘         └──────┬──────┘     │
│          │                       │            │
│          ▼                       ▼            │
│   ┌─────────────┐         ┌─────────────┐     │
│   │  Original   │         │ Shadow Page │     │
│   │ Page (R--)  │         │ (--X + Hook)│     │
│   └─────────────┘         └─────────────┘     │
├───────────────────────────────────────────────┤
│               EPT (Hypervisor)                │
└───────────────────────────────────────────────┘
```
EPT Permissions
| Page | Read | Write | Execute |
|---|---|---|---|
| Original | ✓ | ✓ | ✗ |
| Shadow | ✗ | ✗ | ✓ |
When the CPU fetches instructions from the page, the EPT maps the shadow page (with the hook). When code reads the same address (e.g., an integrity check), the EPT maps the original page, so it sees the unmodified bytes. Each switch between the two mappings is an EPT violation handled by the hypervisor.
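The following is a small model of the mechanism above, added here as an illustration; it is not DdiMon or DioIPS code. It keeps two copies of one guest page and a single EPT mapping, and flips that mapping in a violation handler exactly as the permission table describes, so an instruction fetch sees the hook stub while a byte-by-byte integrity read sees the original page. The page contents and the hook stub bytes are constructed placeholders.

```python
from dataclasses import dataclass

READ, EXEC = "r", "x"

@dataclass
class EptEntry:
    """One hooked guest page: two physical copies, one EPT mapping."""
    original: bytearray          # bytes the guest OS wrote (never patched)
    shadow: bytearray            # copy with the hook stub written in
    active: str = "original"     # which copy the EPT currently points at
    perms: str = "rw"            # EPT permission bits on that mapping
    exits: int = 0               # EPT violations taken so far (each is a VM exit)

    def mapped(self) -> bytearray:
        return self.original if self.active == "original" else self.shadow

def install_hook(code: bytes, hook_stub: bytes, offset: int) -> EptEntry:
    """Hypervisor side: build the shadow copy; the original page is left untouched."""
    shadow = bytearray(code)
    shadow[offset:offset + len(hook_stub)] = hook_stub
    return EptEntry(original=bytearray(code), shadow=shadow)

def ept_violation_handler(e: EptEntry, access: str) -> None:
    """Hypervisor side: swap the mapping so the faulting access becomes allowed.
    Execute -> shadow copy, execute-only.  Read/write -> original copy, no execute."""
    e.exits += 1
    if access == EXEC:
        e.active, e.perms = "shadow", "x"
    else:
        e.active, e.perms = "original", "rw"

def guest_access(e: EptEntry, access: str, offset: int) -> int:
    """Guest side: one byte read or one instruction-fetch byte through the EPT."""
    if access not in e.perms:          # hardware raises an EPT violation
        ept_violation_handler(e, access)
    return e.mapped()[offset]

def integrity_check(e: EptEntry, expected: bytes) -> bool:
    """A read-based integrity checker compares the page against known-good bytes."""
    return all(guest_access(e, READ, i) == expected[i] for i in range(len(expected)))

# Constructed sample: a 16-byte "function" and a 5-byte placeholder hook stub at its entry.
CODE = bytes(range(0x10, 0x20))
HOOK = b"\xe8\xaa\xbb\xcc\xdd"   # placeholder bytes, not a real instruction encoding

def demo() -> dict:
    e = install_hook(CODE, HOOK, 0)
    fetched = bytes(guest_access(e, EXEC, i) for i in range(5))  # CPU executes the hook
    clean = integrity_check(e, CODE)                            # checker sees original bytes
    refetch = guest_access(e, EXEC, 0)                          # next execute flips back
    return {"fetched": fetched, "clean": clean, "refetch": refetch, "exits": e.exits}
```

The `exits` counter makes the cost visible: every alternation between reading and executing the hooked page is a VM exit, which is why overhead stays low only while hooked pages are touched rarely.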
Advantages
Transparent
No visible code modifications. Integrity checks see original bytes.
PatchGuard Safe
No kernel code is patched; because PatchGuard verifies kernel integrity by reading the pages, it sees the original bytes and cannot detect EPT-based hooks.
Ring -1
Runs below the kernel. Cannot be bypassed by kernel-mode code.
Low Overhead
VM exits occur only on accesses to hooked pages. Normal execution is unaffected.
DdiMon Base
DioIPS uses DdiMon as the hypervisor base. DdiMon is a hypervisor-based tool for monitoring and controlling kernel-mode API calls using EPT.
- Intel VT-x virtualization
- EPT-based invisible hooks
- Minimal performance impact
Usage
- Disable Hyper-V in Windows Features
- Reboot the system
- Start DioIPS application
- Enable hypervisor from the Dashboard
- View events in the Hypervisor tab