CLOSE
Updated on 27 Jul, 202510 mins read 14 views

What is an IRP?

An IRP (I/O Request Packet) is a kernel-mode data structure used by the I/O Manager in Windows to represent and track I/O operations such as file reads, writes, device commands, and more.

Every time a user-mode or kernel mode component initiates an I/O request (e.g. ReadFile, WriteFile, DeviceIoControl), the OS creates an IRP and sends it down the driver stack associated with the target device or file system.

IRPs are central to Windows driver communication – especially for filter drivers, which exist to observe, modify, or block IRPs.

Structure of an IRP

An IRP is defined in the kernel by the _IRP structure (in wdm.h) and contains:

General Fields are as follows:

  • Type, Size: Used internally by the kernel
  • IoStatus: Holds the final status and information returned to the caller
  • RequestorMode: Indicates if the request originated in user or kernel mode
  • UserBuffer: Pointer to user-mode buffer, if applicable

Stack Locations (IO_STACK_LOCATION)

An IRP is composed of a stack IO_STACK_LOCATION structures – one per driver in the device stack.

Each driver accesses its own stack location, retrieved using:

PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(Irp);

Each stack location contains:

  • MajorFunction: e.g., IRP_MJ_READ, IRP_MJ_WRITE, IRP_MJ_DEVICE_CONTROL
  • MinorFunction: Context-dependent sub-function
  • Parameters: Unions of fields specific to the operation (e.g., Read.Length, Create.SecurityContext)
  • FileObject: File handle used for this I/O
  • DeviceObject: Target device

IRP Lifecycle: From User to Kernel and Back

Here' s simplified flow of how an IRP is processed:

  1. User Mode Call
    1. e.g., WriteFile(hFile, buffer, size, …)
    2. The I/O manager creates an IRP to describe this request.
  2. IRP Initialization
    1. OS sets up IRP header and stack locations for each driver in the stack.
    2. Passes IRP to the topmost driver in the stack.
  3. Driver Processing
    1. Each driver receives the IRP through a dispatch routine like DispatchRead, DispatchWrite, etc.
    2. The driver can:
      1. Process it
      2. Modify it
      3. Pass it down using IoCallDriver
      4. Complete it using IoCompleteRequest
  4. Completion
    1. When the IRP is completed, the I/O Manager collects the result and returns it to the caller.

Major IRP Function Codes (IRP_MJ_XXX)

Function CodeDescriptionUsed In
IRP_MJ_CREATEOpen file/deviceFile system, device drivers
IRP_MJ_READRead from file/deviceStorage, USB, sensors
IRP_MJ_WRITEWrite to file/deviceStorage, network
IRP_MJ_CLOSEClose file handleFile systems, filters
IRP_MJ_DEVICE_CONTROLSend custom commands (IOCTLs)Drivers with control logic
IRP_MJ_SET_INFORMATIONRename/delete fileFile system filters
IRP_MJ_CLEANUPHandle cleanup (flush buffers, etc.)File systems, filters

Filter drivers typically intercept:

  • IRP_MJ_CREATE: to block/monitor file access
  • IRP_MJ_WRITE: to detect data exfiltration
  • IRP_MJ_DEVICE_CONTROL: to inspect control commands
  • IRP_MJ_SET_INFORMATION: to block renames or deletes

IRP Handling in Filter Drivers

 

Leave a comment

Your email address will not be published. Required fields are marked *