Hello,
IRPMon is a tool capable of monitoring communication between drivers and applications and possibly between drivers themselves. The application is very similar to the IrpTracker utility and I created it because I needed some extra features. Well, it has proved to be a day-saver several times already. Maybe some of you will find it useful too.
So, what extra features IRPMon offers:
* 64-bit compatibility. IRPMon can be run on 64-bit versions of Windows. Since the monitoring is not implemented as inline hooks, IRPMon may be compatible with PatchGuard. It all depends on what drivers you are trying to monitor. The program modifies the driver's IRP dispatch table, fast I/O dispatch table, AddDevice and DriverUnload routines (depending on what you wish to monitor). So, it may work well with drivers that are not watched too closely by the system.
* More event types. Apart from IRPs and their completion, IRPMon can also monitor fast I/O, driver unload, its StartIo routine and calls to the AddDevice one.
* Monitoring non-existent drivers. If you are interested in monitoring activities of PnP drivers that are not currently present in the system (because there are no devices for them to serve), IrpTracker does not help you. IRPMon, however, can be installed as a filter driver for any device setup class, so it gets loaded when other parts of the device stack appear (bus, function and filter drivers). IRPMon actually does not write itself to the registry; it rather emulates the contents of the necessary values, so nothing really bad should happen when it BSODs (no non-existent filters are physically present in the registry). Not all drivers and devices in the new device stack are monitored; that happens only to drivers with a name matching exactly the given string.
* Driver unloading is possible. The IRPMon driver can be unloaded dynamically. Of course, such an approach is not entirely safe; however, some extra measures were applied to make the dynamic unload more stable (all drivers are unhooked, and the unload finishes only when no monitored IRP completion is pending).
This is actually a beta release of the program. I did not sign the binaries yet, since I would like to do some extra testing and improve the documentation a little bit. However, the first release should be here in about 1-2 weeks. Recently, I have obtained a new KMCS certificate and I plan to sign the first release binaries (including the driver).
The program should run on Windows XP-10. The registry contents emulation is available starting with Windows Vista (you can still watch for non-existent PnP drivers on XP but that changes the registry).
Link to the release (the package is also attached to this post):
https://github.com/MartinDrab/IRPMon/releases/tag/0.6
The pre-release also contains documentation in the CHM format. For those who do not like documentation:
* To monitor certain drivers and devices, go to Action -> Select drivers / devices... and choose objects to monitor (this is very similar to IrpTracker). Use the right mouse button to select what types of operations you are interested in.
* To watch for non-existent PnP drivers, install IRPMon as a filter for some device setup classes (Action -> Watch class...) and specify names of driver objects that you actually wish to catch (Action -> Watch driver...).
All feedback is welcome, even negative feedback.
Attachments
IRPMon pre-release (0.6)
(2.5 MiB) Downloaded 29 times
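The post says IRPMon hooks by rewriting entries of a driver's IRP dispatch table rather than by inline patching, and that dynamic unload waits until no monitored request is pending. The following is an added example, not IRPMon's code, that models that technique in user-mode C: a cut-down DRIVER_OBJECT with a MajorFunction table, a logging routine swapped into selected entries that forwards to the saved originals, and an unhook that refuses to run while a forwarded request is still executing. The structures, the target driver and the request sequence are constructed for the demonstration; the real kernel structures and IRPMon's own bookkeeping are considerably larger.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Major function codes; the values match the WDK definitions. */
#define IRP_MJ_CREATE           0x00
#define IRP_MJ_READ             0x03
#define IRP_MJ_WRITE            0x04
#define IRP_MJ_MAXIMUM_FUNCTION 0x1b
#define STATUS_SUCCESS          0L
#define LOG_CAPACITY            32

/* Assumption: stand-ins carrying only the fields the technique touches. */
typedef struct { uint8_t MajorFunction; long IoStatus; } IRP;
typedef struct _DRIVER_OBJECT DRIVER_OBJECT;
typedef long (*PDRIVER_DISPATCH)(DRIVER_OBJECT *, IRP *);
struct _DRIVER_OBJECT {
    const char *DriverName;
    PDRIVER_DISPATCH MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1];
};

/* Per-driver hook record: saved originals, which majors were selected,
 * how many forwarded requests are in flight, and the captured events. */
typedef struct {
    DRIVER_OBJECT *Driver;
    PDRIVER_DISPATCH Original[IRP_MJ_MAXIMUM_FUNCTION + 1];
    int Hooked[IRP_MJ_MAXIMUM_FUNCTION + 1];
    long Pending;
    unsigned LogCount;
    char Log[LOG_CAPACITY][64];
} DRIVER_HOOK;

static DRIVER_HOOK g_hook; /* one monitored driver is enough for the model */

/* The routine written into the table: log the request, call the driver's
 * real routine, log its completion. Pending is held across the call so an
 * unhook cannot pull the record out from under a request still inside it. */
static long HookedDispatch(DRIVER_OBJECT *drv, IRP *irp)
{
    uint8_t mj = irp->MajorFunction;
    long status;

    g_hook.Pending++;
    if (g_hook.LogCount < LOG_CAPACITY)
        snprintf(g_hook.Log[g_hook.LogCount], 64, "%s IRP_MJ 0x%02x request", drv->DriverName, mj);
    g_hook.LogCount++;
    status = g_hook.Original[mj](drv, irp);
    if (g_hook.LogCount < LOG_CAPACITY)
        snprintf(g_hook.Log[g_hook.LogCount], 64, "%s IRP_MJ 0x%02x completed 0x%lx", drv->DriverName, mj, status);
    g_hook.LogCount++;
    g_hook.Pending--;
    return status;
}

/* Hook only the selected majors; other entries stay untouched. */
void HookDriver(DRIVER_OBJECT *drv, const uint8_t *majors, size_t count)
{
    memset(&g_hook, 0, sizeof g_hook);
    g_hook.Driver = drv;
    for (size_t i = 0; i < count; i++) {
        g_hook.Original[majors[i]] = drv->MajorFunction[majors[i]];
        g_hook.Hooked[majors[i]] = 1;
        drv->MajorFunction[majors[i]] = HookedDispatch;
    }
}

/* Restore the table. Returns 0 (and changes nothing) while a forwarded
 * request is still running: that is the unload hazard the post mentions. */
int UnhookDriver(void)
{
    if (g_hook.Pending != 0)
        return 0;
    for (int mj = 0; mj <= IRP_MJ_MAXIMUM_FUNCTION; mj++)
        if (g_hook.Hooked[mj]) {
            g_hook.Driver->MajorFunction[mj] = g_hook.Original[mj];
            g_hook.Hooked[mj] = 0;
        }
    return 1;
}

/* What the I/O manager does: dispatch through the current table entry. */
long IofCallDriver(DRIVER_OBJECT *drv, IRP *irp)
{
    return drv->MajorFunction[irp->MajorFunction](drv, irp);
}

/* Constructed target driver whose dispatch routine just counts calls. */
static int g_target_calls;
static DRIVER_OBJECT g_target;
static long TargetDispatch(DRIVER_OBJECT *drv, IRP *irp)
{
    (void)drv; g_target_calls++;
    irp->IoStatus = STATUS_SUCCESS;
    return STATUS_SUCCESS;
}

/* Hook READ and WRITE, send CREATE, READ, WRITE; returns events logged. */
unsigned RunDemo(void)
{
    const uint8_t watched[] = { IRP_MJ_READ, IRP_MJ_WRITE };
    IRP create = { IRP_MJ_CREATE, 0 }, read = { IRP_MJ_READ, 0 }, write = { IRP_MJ_WRITE, 0 };
    g_target.DriverName = "\\Driver\\Example";
    for (int mj = 0; mj <= IRP_MJ_MAXIMUM_FUNCTION; mj++)
        g_target.MajorFunction[mj] = TargetDispatch;
    g_target_calls = 0;
    HookDriver(&g_target, watched, 2);
    IofCallDriver(&g_target, &create);
    IofCallDriver(&g_target, &read);
    IofCallDriver(&g_target, &write);
    return g_hook.LogCount;
}

int main(void)
{
    unsigned n = RunDemo();
    for (unsigned i = 0; i < n && i < LOG_CAPACITY; i++)
        puts(g_hook.Log[i]);
    printf("unhook: %s\n", UnhookDriver() ? "done" : "refused, requests pending");
    return 0;
}
```

Run as-is it prints four events (request and completion for READ and WRITE; the unhooked CREATE passes straight through) and then restores the table. The Pending counter is what makes the restore safe to attempt at all; in the real driver the same idea has to survive concurrency, which this single-threaded model leaves out.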