Getting Started

How to use

You need to install Visual Studio and Windows Driver Kit. Once you have completed building an driver development environment, open ircap/hook.h for editing.

1// ircap/hook.h
2#pragma once
3
4UNICODE_STRING TARGET_DEVICE_NAME = RTL_CONSTANT_STRING(L"\\Driver\\@@DEVICE_NAME@@");
5UNICODE_STRING PROGRAM_FILE_PATH  = RTL_CONSTANT_STRING(L"\\DosDevices\\C:\\program.irp");

Specfiy TARGET_DEVICE_NAME to the device name you want to hook. And PROGRAM_FILE_PATH is the file path where captured IRP requests are stored.

To capture IRP requests to target driver, follow these steps (Run cmd as administrator):

1. Register a ircap.sys as a boot service.

1sc.exe create ircap binpath=ircap.sys type=kernel start=boot

2. Reboot your computer

1reboot

3. Run the application that loads the target driver.
4. After running many operatons by clicking the application, unload ircap.sys manually.
5. Then, captured IRP requests is stored in C:\program.irp
   
   

Caution!
When the capturing finished, you should remove the service.
sc.exe delete ircap