Win32-IoctlMonitor is a graphical user interface (GUI) tool for Windows (x64) that lets developers and reverse engineers monitor the DeviceIoControl (IOCTL) calls an application makes, in real time. It hooks the DeviceIoControl API function inside the target process to capture and display detailed information about each call. Because the hook sits on the Win32 DeviceIoControl export, calls that go straight to ntdll's NtDeviceIoControlFile are not captured.
Win32-IoctlMonitor is a DLL that needs to be injected into the target process whose IOCTL calls you want to monitor.
- Obtain a DLL injector: use any standard DLL injection tool (e.g. Process Hacker, Xenos, or your own custom injector).
- Inject `IoctlMonitor_x64.dll`: inject the compiled DLL into the target x64 process (a 64-bit DLL cannot be loaded into a 32-bit process).
- Monitor window: upon successful injection, the IOCTL Monitor window appears and begins capturing and displaying the IOCTL calls made by that process.
- Real-time IOCTL Monitoring: captures IOCTL calls as they happen.
- Detailed Information Display:
  - IOCTL Code (with decoded Device Type, Function Code, Transfer Method, Access).
  - Calling Process ID (PID) and Thread ID (TID).
  - Timestamp of the call.
  - Input and Output buffer sizes.
  - Bytes returned by the IOCTL call.
  - `GetLastError()` code after the IOCTL call.
  - Device Handle.
- Data Views:
  - Hexadecimal view of input and output buffers with ASCII representation.
  - Plain ASCII view of buffer data.
  - Plain Unicode (UTF-16) view of buffer data.
- Filtering: filter displayed IOCTLs by their specific IOCTL code.
- Buffer Display Toggle: easily switch between viewing the input buffer or the output buffer in the data views.
- Log Management:
  - Clear all captured records.
  - Save captured records (including buffer data) to a detailed text log file.
- Clipboard Support: copy details of a selected IOCTL record to the clipboard.
- Hook Code Generation: generate boilerplate C++ hook code for a selected IOCTL, providing a starting point for custom analysis or modification.
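The decoded fields listed above (Device Type, Function Code, Transfer Method, Access) and the hex/ASCII and UTF-16 data views follow fixed rules that are worth seeing in code. The program below is an added example written for this page, not code from Win32-IoctlMonitor. It restates the CTL_CODE field layout from winioctl.h so that it compiles without windows.h, decodes three publicly documented control codes plus one code constructed here with METHOD_NEITHER, and renders a constructed sample buffer (not a real capture) the way a hex/ASCII and a UTF-16 view would. The function names (`DecodeIoctl`, `DescribeIoctl`, `HexDump`, `Utf16View`) are this example's own.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>

// Field layout of a Windows I/O control code, as built by the CTL_CODE macro in winioctl.h:
//   bits 31..16 DeviceType | bits 15..14 Access | bits 13..2 Function | bits 1..0 Method
// The constants are redefined here so the example builds without windows.h.
constexpr uint32_t METHOD_BUFFERED   = 0;
constexpr uint32_t METHOD_IN_DIRECT  = 1;
constexpr uint32_t METHOD_OUT_DIRECT = 2;
constexpr uint32_t METHOD_NEITHER    = 3;
constexpr uint32_t FILE_ANY_ACCESS   = 0;
constexpr uint32_t FILE_READ_ACCESS  = 1;
constexpr uint32_t FILE_WRITE_ACCESS = 2;

// Same arithmetic as CTL_CODE(DeviceType, Function, Method, Access).
constexpr uint32_t CtlCode(uint32_t deviceType, uint32_t function, uint32_t method, uint32_t access) {
    return (deviceType << 16) | (access << 14) | (function << 2) | method;
}

struct IoctlFields {
    uint32_t deviceType;  // 16 bits
    uint32_t function;    // 12 bits
    uint32_t method;      // 2 bits
    uint32_t access;      // 2 bits
};

// Inverse of CtlCode: split a captured control code back into its four fields.
IoctlFields DecodeIoctl(uint32_t code) {
    return { (code >> 16) & 0xFFFFu, (code >> 2) & 0xFFFu, code & 0x3u, (code >> 14) & 0x3u };
}

const char* MethodName(uint32_t method) {
    switch (method) {
        case METHOD_BUFFERED:   return "METHOD_BUFFERED";
        case METHOD_IN_DIRECT:  return "METHOD_IN_DIRECT";
        case METHOD_OUT_DIRECT: return "METHOD_OUT_DIRECT";
        default:                return "METHOD_NEITHER";
    }
}

const char* AccessName(uint32_t access) {
    switch (access) {
        case FILE_ANY_ACCESS:   return "FILE_ANY_ACCESS";
        case FILE_READ_ACCESS:  return "FILE_READ_ACCESS";
        case FILE_WRITE_ACCESS: return "FILE_WRITE_ACCESS";
        default:                return "FILE_READ_ACCESS|FILE_WRITE_ACCESS";
    }
}

// One-line record summary: raw code followed by its decoded fields.
std::string DescribeIoctl(uint32_t code) {
    IoctlFields f = DecodeIoctl(code);
    char buf[128];
    std::snprintf(buf, sizeof buf, "0x%08X DeviceType=0x%04X Function=0x%03X Method=%s Access=%s",
                  code, f.deviceType, f.function, MethodName(f.method), AccessName(f.access));
    return buf;
}

// Hex view: 16 bytes per line, offset column, hex bytes, then an ASCII column
// where non-printable bytes are shown as '.'.
std::string HexDump(const uint8_t* data, size_t len) {
    std::string out;
    char tmp[16];
    for (size_t off = 0; off < len; off += 16) {
        std::snprintf(tmp, sizeof tmp, "%08zx  ", off);
        out += tmp;
        for (size_t i = 0; i < 16; ++i) {
            if (off + i < len) { std::snprintf(tmp, sizeof tmp, "%02x ", data[off + i]); out += tmp; }
            else               { out += "   "; }
            if (i == 7) out += " ";
        }
        out += " |";
        for (size_t i = 0; i < 16 && off + i < len; ++i) {
            uint8_t c = data[off + i];
            out += (c >= 0x20 && c < 0x7F) ? static_cast<char>(c) : '.';
        }
        out += "|\n";
    }
    return out;
}

// UTF-16LE view: each 2-byte code unit that is printable ASCII is shown, anything else as '.'.
std::string Utf16View(const uint8_t* data, size_t len) {
    std::string out;
    for (size_t i = 0; i + 1 < len; i += 2) {
        uint16_t cu = static_cast<uint16_t>(data[i] | (data[i + 1] << 8));
        out += (cu >= 0x20 && cu < 0x7F) ? static_cast<char>(cu) : '.';
    }
    return out;
}

int main() {
    // Control codes with publicly documented values (winioctl.h / ntifs.h), plus one built here.
    const uint32_t codes[] = { 0x00070000u /* IOCTL_DISK_GET_DRIVE_GEOMETRY */,
                               0x002D1400u /* IOCTL_STORAGE_QUERY_PROPERTY */,
                               0x000900A8u /* FSCTL_GET_REPARSE_POINT */,
                               CtlCode(0x22, 0x800, METHOD_NEITHER, FILE_ANY_ACCESS) /* constructed */ };
    for (uint32_t c : codes) std::puts(DescribeIoctl(c).c_str());

    // Constructed sample buffer, not a real capture: UTF-16LE "C:\" followed by raw bytes.
    const uint8_t sample[] = { 'C',0, ':',0, '\\',0, 0,0, 0xDE,0xAD,0xBE,0xEF, 0x01,0x02,0x03,0x04, 0x41,0x42 };
    std::fputs(HexDump(sample, sizeof sample).c_str(), stdout);
    std::puts(Utf16View(sample, sizeof sample).c_str());
    return 0;
}
```

The decoded Transfer Method is the field to filter on first when triaging a driver: METHOD_NEITHER IOCTLs hand the driver raw user-mode pointers, so they are where input validation bugs most often live, whereas METHOD_BUFFERED calls are copied through a kernel-owned buffer.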