
Function_IRPMonDllHookDriver

Martin Drab edited this page Mar 17, 2020 · 3 revisions

IRPMonDllHookDriver function

Summary

Given the name of its driver object, the routine hooks a driver in order to monitor requests serviced by its devices.

Definition

void cdecl IRPMonDllHookDriver(
    const long System.Char* DriverName,
    const long _DRIVER_MONITOR_SETTINGS* MonitorSettings,
    const long System.Byte DeviceExtensionHook,
    const long System.Void** DriverHandle,
    const long System.Void** ObjectId
   );

Parameters

DriverName

Name of the driver object to hook. The name usually starts with the "\Driver" or "\FileSystem" prefix.

MonitorSettings

Defines types of events being monitored on the given driver object and its devices.

DeviceExtensionHook

Determines whether IRPMon uses IRP hooks (FALSE) or device-extension-based hooks (TRUE).

DriverHandle

Address of a variable that receives a handle representing the hooked driver.

ObjectId

Address of a variable that receives the globally unique ID of the hooked driver object. This parameter is optional and can be NULL.

Return Value

| Value | Description |
|---|---|
| ERROR_SUCCESS | The hook operation has succeeded. The hook handle is stored in the DriverHandle parameter. |
| Other | An error occurred. |

Remarks

This routine instructs the IRPMon driver to prepare to monitor a given driver. The monitoring itself, however, must be activated by a call to the IRPMonDllDriverStartMonitoring routine. The IRPMon driver only remembers which requests will be monitored for the given driver and also saves a list of its devices so that it can distinguish them from new ones (devices created after IRPMonDllHookDriver returns).

Driver names accepted by this function can be obtained from a list of drivers present in the system, returned by the IRPMonDllSnapshotRetrieve function.
