The goal of the tool is to monitor requests received by selected device objects or kernel drivers. The tool is quite similar to IrpTracker but has several enhancements. It supports 64-bit versions of Windows (no inline hooks are used, only moodifications to driver object structures are performed) and monitors IRP, FastIo, AddDevice, DriverUnload and StartIo requests.
License: MIT License
Well, it is fine that IRPMon starts being capable of logging (and displaying) data associated with some requests (true for IRPs as of now), however, there should be a possibility to create plugins that interpret these data.
For example, there should be a plugin that parses the data for structures such as
The purpose of this issue is to create a general API for that kind of plugins, so their writting would be a piece of cake.
Also, it would be good to use the plugins also for parsing the Parameters part of IRP stack locations.
At least as part of the data associated with the request.
The header should contain
Currently, the FileName member of the FILE_OBJECT structure is used. However, this member is usually not valid (although its contents seems so) for related file objects. Let's resort to ObQueryNameString for example.
Hello, and first of all thanks for the helpful tool.
I'm currently investigating a software which contains communication between two drivers and so far I can see the request, but it seems that displaying the actual buffer content is not possible?
Also, on a side note, could you please tell me where you got the certificate for signing the driver and for what price? In case I'll have to modify IRPMon for my investigation needs :-)
Many thanks in advance!
Monitoring fast I/O operations on device stack where multiple drivers utilizes this type of communication can produce unpredictable results and make the system very unhappy (even BSOD). So, it would be best not to monitor fast I/O in such stacks until I fix it somehow.
Field values will be copied from the matching IRP request. This update allows to better filter out requests the user is not interested in.
IRPMon is able to automatically detect arrival of PnP drivers for specified device setup classes. The driver installs as a lower/upper filter for specified classes, it gets notified when a device belonging to any of the classes arrives. However, the code handling the filter uninstallation has a bug that corrupts the LowerFilters/UpperFilters registry value when the driver is installed as a first filter in a row.
Currently, copy-and-delete approach is required which is quite tedious an uncomfortaqble.
hi,
unfortunately even after i chose capture event IRPMon cant show the irp request and the display always white.... what should i do? and when i test the irpmonconsole --intall it shows an ERROR StartService():183
I appreciate your prompt reply
with best regards
The logged data should be interpreted by the IRPMon GUI application. Also, there should be something like a threshold in order not to waste all available memory by logging large read/write requests.
Can't install through Admin Command-Line.
So we can also log file system activity via this nice tool.
At hook-handlers.c:1259, there should by some brackets to make the operator precedence right. Otherwise, a BSOD occurs if the deviceRecord variable is NULL. That happens if not all devices of a driver are known to IRPMon and a request targetted to one of the unknowns arrives.
It would be very helpful if I could set up a monitoring configuration and save it so that on the next boot the filter driver would load against all monitored drivers early on in the boot process. This would enable monitoring at boot time using the kernel debugger.
Trying to use the IRPMon.exe executable in Windows 10 and am getting a 1275 error.
"Failed to start the IRPMon driver
Error code: 1275
Error message: This driver has been blocked from loading"
Also get this box:
" A digitally signed driver is required: irpmndrv.sys
Windows blocked the installation of a digitally unsigned driver. Uninstall the program or device that uses the driver and check the publisher's website for a digitally signed version of the driver."
Do machines normally apply resistance to this application?
When user adds a new column via the menu, all columns shrink to very narrow state. This is very annoying when manipulating with columns.
According to one report, the project won't compile on MSVS 2015 (or, tons of warnings are generated, at least). This should be resloved.
The limits may be specified in maximum request count or in the bytes occupied by the requests. Let's choose the better one.
Is there any way to get a signed version of the irpmon driver? I cannot load this driver no matter what. I've tried both going into gpedit.msc and changing the driver install policy to IGNORE and I've also went into the boot screen with F8 on my Windows 7 and chosen the option to allow the installation of unsigned drivers. Strangely, when I launch IRPMon even after both of those things are done, it works for a few seconds then I get a dialog from Windows saying the driver is not signed and has been blocked. :(
From a Windows Admin prompt:
C:\cygwin64\home\dan\IRPMon\binaries>irpmonconsole.exe --uninstall
SUCCESS
C:\cygwin64\home\dan\IRPMon\binaries>irpmonconsole.exe --install
ERROR StartService(): 577
C:\cygwin64\home\dan\IRPMon\binaries>irpmonconsole.exe
ERROR: Failed to initialize the irpmndrv.dll library: 2
hmmmm?
The correct behavior would be to test for the first matching filter (inclusion or exclusion) and use secondary (and later) matches to change the higlight color only.
Hello,
Thanks for sharing your project.
While building your code from commit 0d82265 static analyser I use picked up several potential issues. So I decided to report them.
Release/x64
irpmonconsole/main.cpp
A different number of actual arguments is expected while calling 'printf' function. Expected: 2. Present: 3. main.cpp 770
printf("ERROR: Unable to unhook the 0x%p driver\n", *it, err);
kmshared/utils.c _GetDriversInDirectory
The 'TmpDriverArray' pointer was utilized before it was verified against nullptr. Check lines: 243, 245. utils.c 243
RtlCopyMemory(Tmp, TmpDriverArray, TmpDriverCount * sizeof(PDRIVER_OBJECT));
where TmpDriverArray declared as
PDRIVER_OBJECT *TmpDriverArray = NULL;
and never assigned before use in IF branch.
kmshared/utils.c _GetLowerUpperDevices
same issue as above
kmshared/utils.c _GetDeviceAddress
Status variable assigned twice successively. Perhaps it is a mistake.
libregman/key-reg.c KeyRecordOnQuery
The 'keyInfo' pointer was utilized before it was verified against nullptr. Check lines: 621, 628. key-record.c 621
This one is tricky, I'm not sure if this can occur because it need more conditions.
keyInfo can be NULL if status >= 0 and Info->Length == 0 plus following ZwQueryKey fail with appreciate status code. Perhaps you could move keyInfo null validation code out of IF statement at line 578.
libtranslate/libtranslate-hash.table.c
HashTableLockShared & HashTableLockExclusive identical routines with different names
HashTableUnlockShared & HashTableUnlockExclusive identical routines with different names
This happens for columns of integer type, such as Major function. Natively string columns, or columns with integer values directly displayed to the user, are not affected.
The term Quick Filtering refers to the popup menu of the request list view.
The DLL in question is invoked on each request and decides whether to include, exclude or higlight it.
The advantage is that this can also be done in kernelmode (probably later).
When a driver is unhooked without unhooking its device objects first, a BSOD may occur when stopping the irpmndrv service.
The README.md file says, "If you cannot or do not want to compile the project yourself, use the binaries in the binaries." However, there isn't any binaries folder, nor do I see any precompiled binaries in this repository.
The launcher seems not to work in some cases (an access denied error). Also, we install IRPMon for all users.
Hey @MartinDrab,
Just wondering what the best option is for getting the driver either signed, or loaded on a Windows 10 install.
I've attempted to turn off the signing checks and enforcement with no luck. I've also attempted to create my own cert for the driver however, am finding that i can't create a .cat file from a .inf because there isn't one!
Any guidance would be appreciated!
You know how it is, file names in the pre-create path are a little bit tricky and might not correspond to those appearing from post-create onwards.
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google โค๏ธ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.
