 #30663  by Vrtule
 Mon Jul 31, 2017 8:37 pm

IRPMon is a tool capable of monitoring communication between drivers and applications and possibly between drivers themselves. The application is very similar to the IrpTracker utility and I created it because I needed some extra features. Well, it proved to be a day-saver several times already. Maybe some of you will find it useful too.

So, what extra features does IRPMon offer:

* 64-bit compatibility. IRPMon can be run on 64-bit versions of Windows. Since the monitoring is not implemented as inline hooks, IRPMon may be compatible with Patchguard. It all depends on what drivers you are trying to monitor. The program modifies the driver's IRP dispatch table, fast I/O dispatch table, AddDevice and DriverUnload routines (depending on what you wish to monitor). So, it may work well with drivers that are not watched too closely by the system.

* More event types. Apart from IRPs and their completion, IRPMon can also monitor fast I/O, driver unload, its StartIo routine and calls to the AddDevice one.

* Monitoring non-existent drivers. If you are interested in monitoring activities of PnP drivers that are not currently present in the system (because there are no devices for them to serve), IrpTracker does not help you. IRPMon, however, can be installed as a filter driver for any device setup class, so it gets loaded when other parts of the device stack appear (bus, function and filter drivers). IRPMon actually does not write itself to the registry; it rather emulates the contents of the necessary values, so nothing really bad should happen when it BSODs (no non-existent filters are physically present in the registry). Not all drivers and devices in the new device stack are monitored; that happens only to drivers whose name exactly matches the given string.

* Driver unloading is possible. The IRPMon driver can be unloaded dynamically. Of course, such an approach is not entirely safe; however, some extra measures were applied to make the dynamic unload more stable (all drivers are unhooked, and the unload finishes only when no monitored IRP completion is pending).

This is actually a beta release of the program. I did not sign the binaries yet, since I would like to do some extra testing and improve the documentation a little bit. However, the first release should be here in about 1-2 weeks. Recently, I have obtained a new KMCS certificate and I plan to sign the first release binaries (including the driver).

The program should run on Windows XP-10. The registry contents emulation is available starting with Windows Vista (you can still watch for non-existent PnP drivers on XP, but that changes the registry).

Link to the release (the package is also attached to this post):

The pre-release also contains documentation in CHM format. For those who do not like documentation:
* To monitor certain drivers and devices, go to Action -> Select drivers / devices... and choose objects to monitor (this is very similar to IrpTracker). Use the right mouse button to select what types of operations you are interested in.
* To watch for non-existent PnP drivers, install IRPMon as a filter for some device setup classes (Action -> Watch class...) and specify names of driver objects that you actually wish to catch (Action -> Watch driver...).

All feedback is welcome, even negative.
IRPMon pre-release (0.6)
(2.5 MiB) Downloaded 29 times
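As an added illustration (not IRPMon's own code, and a user-mode mock rather than a kernel driver), the following C program models the two mechanisms described in the post above: replacing the entries of a driver's IRP dispatch table with a logging trampoline instead of patching instructions, and restoring the table on unload while refusing to finish until no monitored request is still in flight. The DRIVER_OBJECT and IRP layouts, the three major-function codes and the sample `\Driver\disk` target are simplified assumptions made for the example.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed user-mode mock of dispatch-table hooking (not IRPMon's code).
 * The monitor swaps pointers in the driver's MajorFunction table, which is
 * data owned by the driver, rather than patching code. Whether PatchGuard
 * objects depends on which driver's table is touched, as the post notes. */
#define IRP_MJ_CREATE 0
#define IRP_MJ_READ   1
#define IRP_MJ_CLOSE  2
#define MJ_COUNT      3   /* a real DRIVER_OBJECT has IRP_MJ_MAXIMUM_FUNCTION+1 slots */

struct driver_object;
typedef struct { int major; size_t length; } IRP;
typedef int (*DISPATCH_FN)(struct driver_object *drv, IRP *irp);
typedef struct driver_object {
    const char *name;
    DISPATCH_FN MajorFunction[MJ_COUNT];   /* the table the monitor patches */
} DRIVER_OBJECT;

/* Monitor state: the saved originals plus a count of requests currently
 * executing inside a hooked routine. Unloading while that count is non-zero
 * would leave a thread about to return into the monitor's unmapped code. */
typedef struct {
    DRIVER_OBJECT *target;
    DISPATCH_FN original[MJ_COUNT];
    int hooked, in_flight, events_logged;
} HOOK_RECORD;

static HOOK_RECORD g_hook;

/* Trampoline placed in every slot: log the request, forward to the original. */
static int monitor_dispatch(DRIVER_OBJECT *drv, IRP *irp) {
    DISPATCH_FN orig = g_hook.original[irp->major];
    g_hook.in_flight++;
    g_hook.events_logged++;
    printf("[mon] %s: IRP_MJ %d, length %zu\n", drv->name, irp->major, irp->length);
    int status = orig(drv, irp);
    g_hook.in_flight--;   /* completion seen; unload may proceed once this hits 0 */
    return status;
}

int hook_driver(DRIVER_OBJECT *drv) {
    if (g_hook.hooked) return -1;
    g_hook.target = drv;
    for (int i = 0; i < MJ_COUNT; i++) {
        g_hook.original[i] = drv->MajorFunction[i];
        drv->MajorFunction[i] = monitor_dispatch;   /* kernel: InterlockedExchangePointer */
    }
    g_hook.hooked = 1;
    return 0;
}

/* Restore the table first so no new request can enter the hook, then report
 * how many requests are still inside it. A safe DriverUnload waits for 0. */
int unhook_driver(void) {
    if (!g_hook.hooked) return g_hook.in_flight;
    for (int i = 0; i < MJ_COUNT; i++)
        g_hook.target->MajorFunction[i] = g_hook.original[i];
    g_hook.hooked = 0;
    return g_hook.in_flight;
}

/* --- constructed target driver standing in for a real one, e.g. \Driver\disk --- */
static int g_unload_result_mid_read = -1;
static int disk_create(DRIVER_OBJECT *d, IRP *i) { (void)d; (void)i; return 0; }
static int disk_close (DRIVER_OBJECT *d, IRP *i) { (void)d; (void)i; return 0; }
static int disk_read  (DRIVER_OBJECT *d, IRP *i) {
    (void)d; (void)i;
    /* an unload request arrives while this READ is still in progress */
    g_unload_result_mid_read = unhook_driver();
    return 0;
}

typedef struct { int logged, unload_while_busy, in_flight_after, table_restored; } DEMO_RESULT;

DEMO_RESULT run_demo(void) {
    DRIVER_OBJECT disk = { "\\Driver\\disk", { disk_create, disk_read, disk_close } };
    IRP create = { IRP_MJ_CREATE, 0 }, read = { IRP_MJ_READ, 4096 }, close = { IRP_MJ_CLOSE, 0 };
    DEMO_RESULT r = { 0, 0, 0, 0 };
    g_hook = (HOOK_RECORD){ 0 };
    hook_driver(&disk);
    disk.MajorFunction[IRP_MJ_CREATE](&disk, &create);   /* logged */
    disk.MajorFunction[IRP_MJ_READ](&disk, &read);       /* logged; an unload races it */
    disk.MajorFunction[IRP_MJ_CLOSE](&disk, &close);     /* table already restored: not logged */
    r.logged = g_hook.events_logged;                     /* 2 */
    r.unload_while_busy = g_unload_result_mid_read;      /* 1: the READ was still inside */
    r.in_flight_after = g_hook.in_flight;                /* 0: now safe to let the driver go */
    r.table_restored = disk.MajorFunction[IRP_MJ_READ] == disk_read;
    return r;
}

int main(void) {
    DEMO_RESULT r = run_demo();
    printf("logged=%d busy-at-unload=%d in-flight-after=%d restored=%d\n",
           r.logged, r.unload_while_busy, r.in_flight_after, r.table_restored);
    return 0;
}
```

The order inside `unhook_driver` is the point: restoring the table before checking the in-flight count guarantees the count can only go down, so a waiting unload cannot be starved by new requests. In a real driver the table swap must be an interlocked exchange and the wait must tolerate IRPs completed asynchronously by a lower driver, which is the "no monitored IRP completion pending" condition the post mentions.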
 #30801  by Vrtule
 Wed Aug 30, 2017 6:16 pm
So, there is a version 0.8. Differences from the 0.6 one are not very significant because only some bugs were fixed. The binaries are now signed (by a standard code signing certificate; they were not subject to attestation signing).

I plan to do more development in the GUI and documentation area and hope not to touch the driver too much :-). At least for some time.

As always, all types of feedback are highly appreciated and welcome.
IRPMon v0.8
(2.76 MiB) Downloaded 29 times
 #33016  by Vrtule
 Sat Jun 22, 2019 2:53 pm
Well, after a looong time, I decided to release version 0.9. This is a beta version but should be quite stable (I used it during some research and all went well).

The drivers are signed with my latest certificate, which means that they should load correctly unless you have Secure Boot enabled. Unfortunately, I still do not have a business name (or its equivalent in the Czech Republic), so no EV certificate is currently available for me.

Since this is kind of a beta release, I did not update documentation yet. I actually plan to move it to Github Wiki from that CHM format.

You may download the release either from here or from Github:
https://github.com/MartinDrab/IRPMon/re ... /v0.9-beta

What's new (a little bit more details on Github):
* ability to log data associated with certain IRP requests (data written to disk, read from a file, data associated with PnP requests etc.),
* custom parsing of the associated data (hexadecimal view and security descriptor parser),
* ability to open/save logs in binary format,
* request filtering/highlighting similar to Process Monitor,
* logging of file names.
(3.63 MiB) Downloaded 6 times
 #33105  by Vrtule
 Sun Jul 28, 2019 2:08 pm
It should be stable enough. It has some minor issues (no BSODs IIRC). I plan to release a new version in a few days fixing these minor problems.