[Mehdi]

Hi
As title says, I want to be able to watch what IOCTLs are sent to a specific kernel driver.
I use IRP Tracker, but it's closed automatically after sniffing (about 3 to 10 seconds after capture starts)
There was once a utility named "WDM Sniffer" by Numega.
Does someone know of any utility that can help me ?
Thanks in advance

[EP_X0FF]

Hello,

something from http://esagelab.com/resources.php?s=ioctl_fuzzer can be useful.

Regards.

[Mehdi]

Thank you very much
I'd heard of this utility, but didn't know it lists the IOCTLs (the "fuzzer" in name is somewhat misnomer)

[EP_X0FF]

Well, it's not exactly what you want, but I've used it in past for listing data send to driver from user mode app.

[Alex]

DeviceFilter 2.2 (http://www.ntkernel.com/w&p.php?id=21) is really good tool, try also IRPTrace 1.00.007 (http://www.tssc.de/index.htm#).

[Fyyre]

Hook IopXxxControlFile and writing your own filtering/fuzzing routines.

[EP_X0FF]

DeviceIoView from Nir Sofer also can be useful. It works by hooking NtDeviceIoControlFile function in target process.