Canadian Furious Beaver is a distributed tool for capturing IRPs sent to any Windows driver. It operates in 2 parts:
-
the "Broker" combines both a user-land agent and a self-extractable driver (
IrpMonitor.sys
) that will install itself on the targeted system. After installing the driver, the broker will expose a TCP port listening (by default, on TCP/1337) and start collecting IRP from hooked drivers. The communication protocol was made to be simple by design (i.e. not secure) allowing any 3rd party tool to dump the driver IRPs from the same Broker easily (via simple JSON messages). -
the clients can connect to the broker, and will receive IRPs as a JSON message making it easy to view, or convert to another format.
Because I had no idea for the name of this tool, so it was graciously generated by a script of mine.
processhacker
for theirphnt
header filesp-ranav
for theirargparse
librarynlohmann
for theirjson
library