BLUE TEAM / DFI / MEMORY / DUMP / VOLATILITY / Kernel

driverip

Walks IRP major function pointers

Usage

Driver IRP points outside legit driver range
→ Hooking likely.
etc

Commands

# List driver IRP hooks (Vol2)  
vol.py -f <mem> --profile=<profile> driverirp  
  
# List driver IRP hooks (Vol3)  
python3 vol.py -f <mem> windows.driverirp