Determine the process that generated an IRP

Hi all,

Sorry if there is an obvious answer to this question. I’m an application dev by trade (I know, boo). I am trying to add code to an existing WDM filter driver to determine the process that generated the IRP that is being filtered. FYI, the driver in question is usbsnoop.sys, which is part of the USBSnoopy package from sourceforge at http://sourceforge.net/projects/usbsnoop/

What I want to do is log the process that generated the USB IRP so that I can filter for IRPs from a specific process. This would make the tool vastly more usable in my opinion, more like filemon and regmon.

I’ve been reading up on the DDK and searching the web, but haven’t hit upon the right DDI yet. Can anyone point me in the right direction? Is this even possible?

Thanks,
Kevin

Try IoGetRequestorProcessId

----- Original Message -----
From: <kevin.campbell>
To: “Windows System Software Devs Interest List”
Sent: Wednesday, October 04, 2006 7:23 PM
Subject: [ntdev] Determine the process that generated an IRP

> Hi all,
>
> Sorry if there is an obvious answer to this question. I’m an application
> dev by trade (I know, boo). I am trying to add code to an existing WDM
> filter driver to determine the process that generated the IRP that is
> being filtered. FYI, the driver in question is usbsnoop.sys, which is
> part of the USBSnoopy package from sourceforge at
> http://sourceforge.net/projects/usbsnoop/
>
> What I want to do is log the process that generated the USB IRP so that I
> can filter for IRPs from a specific process. This would make the tool
> vastly more usable in my opinion, more like filemon and regmon.
>
> I’ve been reading up on the DDK and searching the web, but haven’t hit
> upon the right DDI yet. Can anyone point me in the right direction? Is
> this even possible?
>
> Thanks,
> Kevin

There are 2 DDIs that will help; both are in the IFS kit (which means you need to buy it, or get the WDK, which already has the IFS kit in it as is).

PEPROCESS
IoGetRequestorProcess(
__in PIRP Irp
);

ULONG
IoGetRequestorProcessId(
__in PIRP Irp
);

BUT, you have a bigger problem here. You are assuming that the PIRP sent to the usb core is the same PIRP that the USB function driver received from user mode. This is a false assumption. Many drivers allocate their own PIRPs to send to the usb core, so they will all appear to be processless or come from the system process. For instance, any URB i/o sent by the hid function driver or the usb mass storage driver is internally allocated and has no relation to any UM process.

D
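
An added example (not code from usbsnoop.sys or from this thread) showing how a filter dispatch routine could use both DDIs and treat the driver-allocated case described above, where the requestor is NULL or the System process and the IRP cannot be attributed to a user-mode app. Assumed names: the constructed macro USBSNOOP_KERNEL_BUILD (defined only by the driver's WDK build; the decision logic compiles and runs on its own without it), g_TargetPid, FILTER_EXTENSION and UsbSnoopDispatch.

```c
#define IRP_ORIGIN_NONE   0  /* IoGetRequestorProcessId returned 0: no originating thread */
#define IRP_ORIGIN_SYSTEM 1  /* originated in the System process: driver-allocated IRP */
#define IRP_ORIGIN_USER   2  /* originated in a user-mode process; the PID is meaningful */

/* Pure decision logic, kept separate from the DDI calls so it can be tested outside the kernel.
 * requestorPid: value from IoGetRequestorProcessId
 * isSystemProcess: non-zero when IoGetRequestorProcess returned PsInitialSystemProcess */
int ClassifyRequestor(unsigned long requestorPid, int isSystemProcess)
{
    if (requestorPid == 0) return IRP_ORIGIN_NONE;
    if (isSystemProcess)   return IRP_ORIGIN_SYSTEM;
    return IRP_ORIGIN_USER;
}

/* Log when no PID filter is configured (targetPid == 0), or when the IRP provably came from
 * the target process. IRPs without a user-mode origin are never attributed to the target. */
int ShouldLog(unsigned long requestorPid, int isSystemProcess, unsigned long targetPid)
{
    if (targetPid == 0) return 1;
    return ClassifyRequestor(requestorPid, isSystemProcess) == IRP_ORIGIN_USER
        && requestorPid == targetPid;
}

#ifdef USBSNOOP_KERNEL_BUILD   /* constructed macro: only the WDK build of the driver defines it */
#include <ntddk.h>
extern ULONG g_TargetPid;      /* assumed global set by the tool's control path; 0 = log all */
typedef struct { PDEVICE_OBJECT LowerDeviceObject; } FILTER_EXTENSION, *PFILTER_EXTENSION;

NTSTATUS UsbSnoopDispatch(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    PFILTER_EXTENSION ext = (PFILTER_EXTENSION)DeviceObject->DeviceExtension;
    PEPROCESS proc = IoGetRequestorProcess(Irp);   /* NULL when no originating thread is recorded */
    ULONG pid = IoGetRequestorProcessId(Irp);
    int isSystem = (proc != NULL && proc == PsInitialSystemProcess);

    if (ShouldLog(pid, isSystem, g_TargetPid)) {
        DbgPrint("usbsnoop: IRP %p from PID %lu (origin=%d)\n",
                 Irp, pid, ClassifyRequestor(pid, isSystem));
    }
    IoSkipCurrentIrpStackLocation(Irp);            /* pass the IRP down unchanged */
    return IoCallDriver(ext->LowerDeviceObject, Irp);
}
#endif
```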

Alex and Doron, thanks for your help. This should prove interesting, even if it doesn’t end up working.