IRPMon: An improved version of IrpTracker

Forum for announcements and questions about tools and software.

IRPMon: An improved version of IrpTracker

Post by Vrtule » Mon Jul 31, 2017 8:37 pm

Hello,

IRPMon is a tool capable of monitoring communication between drivers and applications and possibly between drivers themselves. The application is very similar to the IrpTracker utility and I created it because I needed some extra features. Well, it proved to be a day-saver several times already. Maybe, some of you find it useful too.

So, what extra features does IRPMon offer:

* 64-bit compatibility. IRPMon can be run on 64-bit versions of Windows. Since the monitoring is not implemented as inline hooks, IRPMon may be compatible with Patchguard. All depends on what drivers you are trying to monitor. The program modifies the driver's IRP dispatch table, fast I/O dispatch table, AddDevice and DriverUnload routine (depending on what you wish to monitor). So, it may work well with drivers that are not watched too closely by the system.

* More event types. Apart from IRPs and their completion, IRPMon can also monitor fast I/O, driver unload, its StartIo routine and calls to the AddDevice one.

* Monitoring non-existent drivers. If you are interested in monitoring activities of PnP drivers that are not currently present in the system (because there are no devices for them to serve), IrpTracker does not help you. IRPMon, however, can be installed as a filter driver for any device setup class, so it gets loaded when other parts of the device stack appear (bus, function and filter drivers). IRPMon actually does not write itself to the registry; it rather emulates the contents of the necessary values, so nothing really bad should happen when it BSODs (no non-existent filters are physically present in the registry). Not all drivers and devices in the new device stack are monitored; that happens only to drivers with a name matching exactly the given string.

* Driver unloading is possible. The IRPMon driver can be unloaded dynamically. Of course, such an approach is not entirely safe; however, some extra measures were applied to make the dynamic unload more stable (all drivers are unhooked, the unload finishes only when no monitored IRP completion is pending).

This is actually a beta release of the program. I did not sign the binaries yet, since I would like to do some extra testing and improve the documentation a little bit. However, the first release should be here in about 1-2 weeks. Recently, I have obtained a new KMCS certificate and I plan to sign the first release binaries (including the driver).

The program should run on Windows XP-10. The registry contents emulation is available starting with Windows Vista (you can still watch for non-existent PnP drivers on XP but that changes the registry).

Link to the release (the package is also attached to this post):
https://github.com/MartinDrab/IRPMon/releases/tag/0.6

The pre-release also contains documentation in the CHM format. For those who do not like documentation:
* To monitor certain drivers and devices, go to Action -> Select drivers / devices... and choose objects to monitor (this is very similar to IrpTracker). Use the right mouse button to select what types of operations you are interested in.
* To watch for non-existent PnP drivers, install IRPMon as a filter for some device setup classes (Action -> Watch class...) and specify names of driver objects that you actually wish to catch (Action -> Watch driver...).

All feedback is welcome, even negative feedback.
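The class-filter mechanism the post describes works through the UpperFilters and LowerFilters values under each device setup class key, and the post's point about a crash leaving "non-existent filters" behind is exactly what an administrator would want to audit. The following PowerShell script is an added example, not code from IRPMon or its author: it lists every filter driver registered for every device setup class and checks whether each one still has a service key, so dangling registrations stand out. The function name Get-ClassFilterRegistration is my own; the script assumes a Windows host with read access to HKLM\SYSTEM and does not modify anything.

```powershell
# Added example (not part of IRPMon): audit filter drivers registered per device setup class.
# Read-only: it only walks HKLM\SYSTEM\CurrentControlSet\Control\Class and \Services.
$classRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class'
$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-ClassFilterRegistration {
    [CmdletBinding()]
    param(
        # Optional: restrict output to one setup class, e.g. the DiskDrive class
        # '{4d36e967-e325-11ce-bfc1-08002be10318}'.
        [string]$ClassGuid
    )

    Get-ChildItem -Path $classRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $guid = $_.PSChildName
        if ($ClassGuid -and $guid -ne $ClassGuid) { return }

        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue

        # Both values are REG_MULTI_SZ; the pipe through Where-Object drops a
        # missing ($null) value so classes without filters produce no rows.
        foreach ($position in 'UpperFilters', 'LowerFilters') {
            foreach ($name in @($props.$position | Where-Object { $_ })) {
                [pscustomobject]@{
                    ClassGuid     = $guid
                    ClassName     = $props.Class
                    Position      = $position
                    Filter        = $name
                    # A filter with no service key is a dangling registration:
                    # the stack will fail to start because the filter cannot load.
                    ServiceExists = Test-Path -Path (Join-Path $servicesRoot $name)
                }
            }
        }
    }
}

# Usage: show every registered class filter; dangling ones have ServiceExists = False.
Get-ClassFilterRegistration | Sort-Object ClassName, Position | Format-Table -AutoSize
```

Run it before and after installing a class filter to see what changed; on Vista and later the post says IRPMon's registry emulation leaves these values untouched, so a diff of this output is a quick way to confirm that on a given machine.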


Re: IRPMon: An improved version of IrpTracker

Post by Brock » Sat Aug 05, 2017 8:03 pm

What a great tool, VrTule. Thank you for releasing it! I like it a lot.
Accept nothing less than STATUS_SUCCESS


Re: IRPMon: An improved version of IrpTracker

Post by Vrtule » Wed Aug 30, 2017 6:16 pm

So, there is a version 0.8. Differences from the 0.6 one are not very significant because only some bugs were fixed. The binaries are now signed (by a standard code signing certificate; they were not subject to attestation signing).

I plan to do more development in the GUI and documentation area and hope not to touch the driver too much :-). At least for some time.

As always, all types of feedback are highly appreciated and welcome.