Win32-IoctlMonitor is a graphical user interface (GUI) tool for Windows (x64) that allows developers and reverse engineers to monitor DeviceIoControl (IOCTL) calls made by application in real-time. It hooks the DeviceIoControl API function in the target process to capture and display detailed information about each call.

Win32-IoctlMonitor is a DLL that needs to be injected into the target process whose IOCTL calls you want to monitor.

1. Obtain a DLL Injector: Use any standard DLL injection tool (e.g., Process Hacker, Xenos, your own custom injector).
2. Inject IoctlMonitor_x64.dll: Inject the compiled DLL into the target x64 process.
3. Monitor Window: Upon successful injection, the IOCTL Monitor window should appear, and it will begin capturing and displaying IOCTL calls made by that process.

• Real-time IOCTL Monitoring: Captures IOCTL calls as they happen.
• Detailed Information Display:
  • IOCTL Code (with decoded Device Type, Function Code, Transfer Method, Access).
  • Calling Process ID (PID) and Thread ID (TID).
  • Timestamp of the call.
  • Input and Output buffer sizes.
  • Bytes returned by the IOCTL call.
  • GetLastError() code after the IOCTL call.
  • Device Handle.
• Data Views:
  • Hexadecimal view of input and output buffers with ASCII representation.
  • Plain ASCII view of buffer data.
  • Plain Unicode (UTF-16) view of buffer data.
• Filtering: Filter displayed IOCTLs by their specific IOCTL code.
• Buffer Display Toggle: Easily switch between viewing the input buffer or the output buffer in the data views.
• Log Management:
  • Clear all captured records.
  • Save captured records (including buffer data) to a detailed text log file.
• Clipboard Support: Copy details of a selected IOCTL record to the clipboard.
• Hook Code Generation: Generate boilerplate C++ hook code for a selected IOCTL, providing a starting point for custom analysis or modification.