Kernel Driver
Ring 0
WDK-based kernel driver providing comprehensive system monitoring through Windows kernel callbacks. All events are pushed to usermode for display in the UI.
Test Signing Required
The kernel driver requires test signing mode to be enabled. Run bcdedit /set testsigning on and reboot. Note that test signing mode relaxes driver signature enforcement for the whole machine, so it is intended for test systems rather than production hosts.
Overview
The kernel driver monitors system activity in real-time and pushes events to the DioIPS application. Events are displayed in the corresponding UI tabs and can trigger IPS rules.
- Process callbacks — Creation, exit, thread events
- Registry callbacks — Key/value operations
- File minifilter — File operations, PE detection
- WFP callouts — Network traffic filtering
- Image load callbacks — DLL/EXE loading
- Object callbacks — Handle operations for injection detection
Windows Version Support
✓ Tested & Working
- Windows 10 x64
✗ Not Supported
- Windows 11 (untested)
- Windows 8.1 and earlier
- 32-bit Windows
Monitoring Features
- Process Monitoring — Process/thread creation and exit events with command line capture
- Registry Filtering — Registry key and value operation monitoring
- File Minifilter — File system monitoring with PE write detection
- WFP Network — TCP/UDP/DNS/ICMP network traffic filtering
- Image Load — DLL and executable image load monitoring
- Injection Detection — Remote thread and suspicious handle detection
- USB Monitoring — USB device plug and unplug event tracking
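The injection detection feature above combines two signals that the driver's callbacks expose: a thread created in a process other than the creator's (the thread-notify callback), and a cross-process handle requested with write-plus-execute rights (the object callback). The following is an added example, not DioIPS code, showing the classification logic a defender would run over such events. The event structs, the `classify_handle_event` and `is_remote_thread` functions, and the sample events are all constructed here; the access-right constants are the standard Windows values from winnt.h, defined locally so the file builds without the WDK.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Standard Windows access rights (winnt.h values), defined locally for a
 * WDK-free build. */
#define PROCESS_CREATE_THREAD             0x0002u
#define PROCESS_VM_OPERATION              0x0008u
#define PROCESS_VM_READ                   0x0010u
#define PROCESS_VM_WRITE                  0x0020u
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000u
#define THREAD_SUSPEND_RESUME             0x0002u
#define THREAD_SET_CONTEXT                0x0010u

typedef enum { HANDLE_PROCESS, HANDLE_THREAD } handle_kind_t;

/* Hypothetical normalised form of what an object callback reports. */
typedef struct {
    handle_kind_t kind;
    uint32_t requestor_pid;   /* process asking for the handle */
    uint32_t target_pid;      /* process that owns the object */
    uint32_t desired_access;  /* requested access mask */
} handle_event_t;

typedef enum { VERDICT_BENIGN = 0, VERDICT_SUSPICIOUS = 1 } verdict_t;

/* A thread is "remote" when the creating process is not the owning process.
 * The thread-notify callback supplies both ids. */
bool is_remote_thread(uint32_t creator_pid, uint32_t owner_pid) {
    return creator_pid != owner_pid;
}

/* Flag handle requests that carry the rights needed to write code into another
 * process and run it, or to hijack one of its threads. Opening one's own
 * process, or read-only/query access, is treated as benign. */
verdict_t classify_handle_event(const handle_event_t *ev) {
    if (ev->requestor_pid == ev->target_pid)
        return VERDICT_BENIGN;

    if (ev->kind == HANDLE_PROCESS) {
        const uint32_t write_mask = PROCESS_VM_WRITE | PROCESS_VM_OPERATION;
        bool can_write = (ev->desired_access & write_mask) == write_mask;
        bool can_exec  = (ev->desired_access & PROCESS_CREATE_THREAD) != 0;
        return (can_write && can_exec) ? VERDICT_SUSPICIOUS : VERDICT_BENIGN;
    }

    /* Thread handle: suspend + set-context on a foreign thread. */
    const uint32_t hijack_mask = THREAD_SUSPEND_RESUME | THREAD_SET_CONTEXT;
    return ((ev->desired_access & hijack_mask) == hijack_mask)
               ? VERDICT_SUSPICIOUS : VERDICT_BENIGN;
}

/* Constructed sample events: one self-open, one read-only cross-process open,
 * one write+execute cross-process open, one thread hijack pattern. */
static const handle_event_t sample_events[] = {
    { HANDLE_PROCESS, 100, 100, 0x1FFFFFu },
    { HANDLE_PROCESS, 100, 200, PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ },
    { HANDLE_PROCESS, 100, 200, PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD },
    { HANDLE_THREAD,  100, 200, THREAD_SUSPEND_RESUME | THREAD_SET_CONTEXT },
};

/* Returns how many of the constructed events are classified suspicious. */
size_t count_suspicious_samples(void) {
    size_t n = 0;
    for (size_t i = 0; i < sizeof sample_events / sizeof sample_events[0]; i++)
        if (classify_handle_event(&sample_events[i]) == VERDICT_SUSPICIOUS)
            n++;
    return n;
}

int main(void) {
    printf("suspicious sample events: %zu of %zu\n",
           count_suspicious_samples(),
           sizeof sample_events / sizeof sample_events[0]);
    return 0;
}
```

The masks are deliberately conservative: debuggers, task managers and security tools legitimately open foreign processes with these rights, so this verdict is a signal for the IPS rules to act on, not a block decision by itself.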
Event Flow
1. Kernel callback fires (process, registry, file, network, etc.)
2. Event data is captured and queued in kernel ring buffer
3. Usermode polls via IOCTL and receives batched events
4. Events are matched against IPS rules
5. Events are displayed in the appropriate UI tab
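Steps 1 to 3 above describe a producer/consumer ring between callback context and the IOCTL handler. The following added example, which is not DioIPS code, models that ring in plain C so the overflow behaviour is visible: callbacks must never block, so when usermode falls behind the ring drops events and counts the drops rather than stalling the kernel. The `event_t` layout, `ring_push`, `ring_drain` and `simulate_burst` are constructed here; the real driver's record format and IOCTL codes are not shown on the page.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed event record; the driver's actual layout is not on the page. */
typedef enum { EV_PROCESS = 1, EV_REGISTRY, EV_FILE, EV_NETWORK, EV_IMAGE, EV_OBJECT } event_type_t;

typedef struct {
    uint32_t type;
    uint32_t pid;
    uint64_t timestamp;
    char     detail[48];
} event_t;

#define RING_CAPACITY 8   /* small on purpose so overflow is easy to exercise */

typedef struct {
    event_t  slots[RING_CAPACITY];
    size_t   head;        /* next slot to write */
    size_t   tail;        /* next slot to read */
    size_t   count;       /* events currently queued */
    uint64_t dropped;     /* events lost because the ring was full */
} event_ring_t;

void ring_init(event_ring_t *r) { memset(r, 0, sizeof *r); }

/* Callback-side producer (step 2). Never blocks: on a full ring the event is
 * dropped and counted so the UI can surface the gap. In a real driver this
 * runs under a spin lock because callbacks fire concurrently on every CPU. */
int ring_push(event_ring_t *r, const event_t *ev) {
    if (r->count == RING_CAPACITY) {
        r->dropped++;
        return 0;
    }
    r->slots[r->head] = *ev;
    r->head = (r->head + 1) % RING_CAPACITY;
    r->count++;
    return 1;
}

/* IOCTL-side consumer (step 3): copies up to max events, oldest first, into
 * the caller's buffer and returns how many were copied. */
size_t ring_drain(event_ring_t *r, event_t *out, size_t max) {
    size_t n = 0;
    while (n < max && r->count > 0) {
        out[n++] = r->slots[r->tail];
        r->tail = (r->tail + 1) % RING_CAPACITY;
        r->count--;
    }
    return n;
}

/* Simulates callbacks firing n_events times before usermode polls once.
 * Returns the number of events the ring accepted. */
size_t simulate_burst(event_ring_t *r, size_t n_events) {
    size_t accepted = 0;
    for (size_t i = 0; i < n_events; i++) {
        event_t ev = { .type = EV_PROCESS, .pid = 1000 + (uint32_t)i, .timestamp = i };
        snprintf(ev.detail, sizeof ev.detail, "constructed event %zu", i);
        accepted += (size_t)ring_push(r, &ev);
    }
    return accepted;
}

int main(void) {
    event_ring_t ring;
    event_t batch[4];
    ring_init(&ring);

    size_t accepted = simulate_burst(&ring, 12);
    printf("accepted %zu, dropped %llu\n", accepted, (unsigned long long)ring.dropped);

    size_t n;
    while ((n = ring_drain(&ring, batch, 4)) > 0)
        for (size_t i = 0; i < n; i++)
            printf("pid %u: %s\n", batch[i].pid, batch[i].detail);
    return 0;
}
```

The dropped counter is the part worth carrying into a real design: an IPS that silently loses events under load cannot tell the operator that its rules were evaluated against an incomplete stream.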
Usage
- Start the DioIPS application (requires Administrator)
- The driver loads automatically on startup
- Check the Dashboard tab for driver status
- View events in the corresponding tabs (Process, Network, Registry, etc.)
- Configure IPS rules to take action on specific events