IRPMon v0.8 Released

IRPMon is a tool capable of monitoring communication between drivers and applications and, possibly, between drivers themselves. The application is very similar to the IrpTracker utility; I created it because I needed something that also works well on newer versions of Windows.

Besides working on Windows XP through Windows 10, IRPMon brings certain advantages over the IrpTracker application:

  • 64-bit compatibility. IRPMon can be run on 64-bit versions of Windows. Since the monitoring is not implemented as inline hooks, IRPMon may be compatible with PatchGuard; whether it is depends on which drivers the user is trying to monitor. The program modifies the driver's IRP dispatch table, fast I/O dispatch table, AddDevice and DriverUnload routines (depending on the area of interest). So, it may work well with drivers that are not watched too closely by the system.
  • More event types. Apart from IRPs and their completion, IRPMon can also monitor fast I/O, driver unload, the driver's StartIo routine and calls to its AddDevice routine.
  • Monitoring non-existent PnP drivers. If the user is interested in monitoring the activities of PnP drivers that are not currently present in the system (because there are no devices for them to maintain), IrpTracker does not offer any help. IRPMon, however, can be installed as a filter driver for any device setup class, so it gets notified when other parts of the device stack appear (bus, function and filter drivers). IRPMon actually does not write itself to the registry; it rather emulates the contents of the necessary values, so nothing really bad should happen when it BSODs (no non-existent filters are physically present in the registry, with the exception of Windows XP, which does not support registry content emulation). Not all drivers and devices in the new device stack are monitored; this happens only for drivers whose name exactly matches the given string.
  • Driver unloading is possible. The IRPMon driver can be unloaded dynamically. Of course, such an approach is not entirely safe; however, some extra measures were applied to make the dynamic unload more stable (all drivers are unhooked, and the unload finishes only when no monitored IRP completion is pending).
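A defender-side check on the mechanism described above, added here as an example that is not part of IRPMon or of this post: once a driver's IRP dispatch table has been rewritten the way IRPMon does it, some MajorFunction entries no longer point into the driver's own image, which is how such a rewrite can be spotted. The MockDriverObject layout, the addresses and the stand-in for nt!IopInvalidDeviceRequest are simplified values constructed for the example, not real kernel data.

```c
#include <stdint.h>
#include <stdio.h>
#define IRP_MJ_MAXIMUM_FUNCTION 0x1b  /* MajorFunction[] therefore has 28 entries */
#define IRP_MJ_DEVICE_CONTROL   0x0e
#define MAJOR_FUNCTION_COUNT (IRP_MJ_MAXIMUM_FUNCTION + 1)

/* Stand-in for the few DRIVER_OBJECT members the check needs; constructed for
 * this example, the real structure lives in kernel memory and is far larger. */
typedef struct {
    uint64_t DriverStart;                         /* image base         */
    uint64_t DriverSize;                          /* image size         */
    uint64_t DriverUnload;                        /* unload routine     */
    uint64_t MajorFunction[MAJOR_FUNCTION_COUNT]; /* IRP dispatch table */
} MockDriverObject;
static int in_image(const MockDriverObject *d, uint64_t p) {
    return p >= d->DriverStart && p < d->DriverStart + d->DriverSize;
}
/* Count dispatch entries (and DriverUnload) pointing neither into the driver's
 * own image nor at kernel_default, the kernel's handler for IRPs a driver does
 * not implement (nt!IopInvalidDeviceRequest; resolve it from the live kernel).
 * Non-zero means the table was rewritten, the change IRPMon makes when hooking. */
int count_redirected_entries(const MockDriverObject *d, uint64_t kernel_default) {
    int hits = 0;
    for (int i = 0; i < MAJOR_FUNCTION_COUNT; i++) {
        uint64_t t = d->MajorFunction[i];
        if (t != 0 && t != kernel_default && !in_image(d, t)) {
            printf("IRP_MJ 0x%02x -> 0x%llx is outside the image\n", i, (unsigned long long)t);
            hits++;
        }
    }
    if (d->DriverUnload != 0 && !in_image(d, d->DriverUnload)) hits++;
    return hits;
}
/* Constructed sample driver (base, size and offsets are made up). With hooked
 * set, the DEVICE_CONTROL entry points into a second image, as after hooking. */
MockDriverObject sample_driver(uint64_t kernel_default, int hooked) {
    MockDriverObject d = { 0xFFFFF80012340000ULL, 0x20000, 0xFFFFF80012341A00ULL, {0} };
    for (int i = 0; i < MAJOR_FUNCTION_COUNT; i++) d.MajorFunction[i] = kernel_default;
    d.MajorFunction[0x00] = d.DriverStart + 0x1000;            /* IRP_MJ_CREATE */
    d.MajorFunction[0x02] = d.DriverStart + 0x1100;            /* IRP_MJ_CLOSE  */
    d.MajorFunction[IRP_MJ_DEVICE_CONTROL] =
        hooked ? 0xFFFFF80055550000ULL : d.DriverStart + 0x1200;
    return d;
}
int sample_result(int hooked) { /* expected: 1 when hooked, 0 otherwise */
    const uint64_t iop_invalid = 0xFFFFF80000AAAAA0ULL; /* constructed placeholder */
    MockDriverObject d = sample_driver(iop_invalid, hooked);
    return count_redirected_entries(&d, iop_invalid);
}
int main(void) { return (sample_result(1) == 1 && sample_result(0) == 0) ? 0 : 1; }
```

On a real system the same comparison is done against the driver object's DriverStart/DriverSize as seen by a kernel debugger or a memory-forensics tool, and the entries IRPMon redirects show up outside that range.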

The latest version of the application may be found on its GitHub pages. All executable binaries (the driver, the DLL, the GUI application) are digitally signed with a standard code signing certificate. Since I do not have access to an EV one, the files did not go through the attestation signing process, so IRPMon may fail to load on freshly installed post-Anniversary versions of Windows 10 booted with Secure Boot.

The release ZIP file also contains documentation in the compiled HTML (CHM) format. At the time of writing this post, the documentation is not perfect and does not cover some of the possibilities available in the GUI application (IRPMon.exe). I hope that this will be resolved in future releases of the tool.
