Implementing Filter Hook IOCTLs
A filter-hook driver implements an IRP_MJ_DEVICE_CONTROL dispatch routine so applications or higher-level drivers can send I/O control (IOCTL) requests down to the filter-hook driver to set up the filter hook. This dispatch routine processes these IOCTLs. The DriverEntryroutine must export this dispatch routine.
Driver writers should define and publish information about these IOCTLs and what type of processing the filter hook performs. Applications or higher-level drivers can then use the published IOCTLs to set up the filter hook.
To retrieve an IOCTL request, a filter-hook driver's IRP_MJ_DEVICE_CONTROL dispatch routine must call the IoGetCurrentIrpStackLocationfunction. In this call, the dispatch routine passes a pointer to the IRP that it received. The dispatch routine then determines which IOCTL request was received and processes the request accordingly.
After the current IOCTL request completes, the IRP_MJ_DEVICE_CONTROL dispatch routine calls the IoCompleteRequestfunction and passes the status of the operation. This status is returned to the application or higher-level driver that made the request.
The following are typical IOCTLs that a filter-hook driver's device-control routine might process:
Register-Hook IOCTL
Registers a filter hookClear-Hook IOCTL
Clears the previously registered filter hook