Command Line Interface
Accessing IRPMon functionality through the GUI IRPMon.exe application is nice for those who like the manual approach, or are just used to programs like Process Monitor from SysInternals. Others may take advantage of the command-line interface implemented as the irpmonc.exe console application. Its functionality matches the GUI application with the exception of request filters; they are simply not present.
More precisely, the console application is capable of the following tasks:
- hooking and unhooking drivers and devices,
- registering and unregistering driver name watches,
- reading and modifying global driver settings,
- retrieving requests (from the driver or a file) and sending them to other places (standard output or a file) in different formats (binary, text or JSON).
The input is the place from which the application retrieves requests in order to process them further. This can be the control device of the IRPMon driver (usually named \\.\IRPMon), an IP address and port where the IRPMon server service listens, or a binary log file generated previously. In the first two cases, it is also possible to hook or unhook drivers and devices, register or unregister driver name watches, etc. If a file is specified, irpmonc just reads the requests stored there and processes them.
Exactly one input must be specified. To do that, use the --input argument in one of the following ways:
- --input=D:\\.\IRPMon connects to the IRPMon driver running on the local machine.
- --input=N:IP:port attempts to connect to an instance of the IRPMon server listening at IP:port. Both IPv4 and IPv6 are supported.
- --input=L:C:\log\irpmon.log opens the log file C:\log\irpmon.log.
irpmonc is capable of writing processed requests into multiple areas, called outputs, at the same time. Use the --output argument repeatedly to define all outputs. The syntax is
--output=B:<filename>
--output=J:<filename>
--output=T:<filename>
The output format is determined by the letter before the colon:
- B stands for the IRPMon binary request format. Such a file can later be specified either as an input to another irpmonc instance, or can be opened in the IRPMon graphical application. No other format can do that.
- T is a simple text format where each line contains one name-value pair. This format is easily readable by humans; however, it is hardly useful for anything else.
- J instructs irpmonc to output each request as a JSON object, one request per line. This format is expected to be useful for automated post-processing.
To output to the standard output, specify - as the file name.
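The --input and --output grammar described above (D:/N:/L: inputs, B:/J:/T: outputs, - for standard output) is easy to get wrong when a wrapper script builds an irpmonc command line, because the value after the selector letter may itself contain colons (a drive letter, a \\.\ device path, an IP:port pair). The following added example, which is not part of the IRPMon project, parses and validates such arguments the way the page specifies them; the bracketed [addr]:port form for IPv6 is an assumption, since the page only states that IPv6 is supported.

```python
"""Added example: validate irpmonc-style --input/--output arguments.
Grammar follows the wiki page; the '[addr]:port' IPv6 form is assumed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

INPUT_KINDS: Dict[str, str] = {"D": "driver", "N": "network", "L": "logfile"}
OUTPUT_KINDS: Dict[str, str] = {"B": "binary", "J": "json", "T": "text"}


def split_spec(arg: str, kinds: Dict[str, str]) -> Tuple[str, str]:
    # Only the FIRST letter plus colon is the selector; everything after it is
    # the value verbatim, so 'L:C:\log\irpmon.log' keeps its drive letter and
    # 'D:\\.\IRPMon' keeps its device path despite the extra colons.
    if len(arg) < 3 or arg[1] != ":" or arg[0] not in kinds:
        raise ValueError(f"bad specifier {arg!r}; expected one of "
                         f"{sorted(kinds)} followed by ':'")
    return kinds[arg[0]], arg[2:]


def parse_endpoint(value: str) -> Tuple[str, int]:
    # 'IP:port' per the page. Split on the LAST colon so an IPv6 address
    # (assumed to be written in brackets, e.g. '[::1]:1234') survives intact.
    host, sep, port = value.rpartition(":")
    if not sep or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"bad endpoint {value!r}; expected IP:port")
    return host.strip("[]"), int(port)


@dataclass
class Plan:
    input_kind: str
    input_value: str
    outputs: List[Tuple[str, str]]  # (format, path); path '-' means stdout


def build_plan(argv: List[str]) -> Plan:
    inputs, outputs = [], []
    for arg in argv:
        if arg.startswith("--input="):
            inputs.append(split_spec(arg[len("--input="):], INPUT_KINDS))
        elif arg.startswith("--output="):
            outputs.append(split_spec(arg[len("--output="):], OUTPUT_KINDS))
    if len(inputs) != 1:  # the page: exactly one input must be specified
        raise ValueError(f"exactly one --input required, got {len(inputs)}")
    kind, value = inputs[0]
    if kind == "network":
        parse_endpoint(value)  # fail before launching irpmonc, not at connect
    return Plan(kind, value, outputs)
```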