Function_IRPMonDllHookDriver - MartinDrab/IRPMon GitHub Wiki
IRPMonDllHookDriver function
Summary
Given the name of its driver object, the routine hooks a driver in order to monitor requests serviced by its devices.
Definition
void cdecl IRPMonDllHookDriver(
System.Char* DriverName,
_DRIVER_MONITOR_SETTINGS* MonitorSettings,
System.Byte DeviceExtensionHook,
System.Void** DriverHandle,
System.Void** ObjectId
);
Parameters
DriverName
Name of the driver object to hook. The name usually starts with the "\Driver" or "\FileSystem" prefix.
MonitorSettings
Defines the types of events monitored on the given driver object and its devices.
DeviceExtensionHook
Determines whether IRPMon uses IRP hooks (FALSE) or device extension based hooks (TRUE).
DriverHandle
Address of a variable that receives a handle representing the hooked driver.
ObjectId
Address of a variable that receives the globally unique ID of the hooked driver object.
This parameter is optional and can be NULL.
Return Value
Value | Description |
---|---|
ERROR_SUCCESS | The hook operation has succeeded. The hook handle is stored in the DriverHandle parameter. |
Other | An error occurred. |
Remarks
This routine instructs the IRPMon driver to prepare to monitor a given driver. The monitoring itself, however, must be activated by a call to the IRPMonDllDriverStartMonitoring routine. The IRPMon driver just remembers which requests will be monitored for the given driver and also saves a list of its devices in order to be able to distinguish them from new ones (devices created after IRPMonDllHookDriver returns).
Driver names accepted by this function can be obtained from a list of drivers present in the system, returned by the IRPMonDllSnapshotRetrieve function.
Requirements
Header | irpmondll.h |
Library | irpmondll.lib |
DLL | irpmondll.dll |