An Input/Output (I/O) Request Packet (IRP) is a data structure in the Windows kernel that is associated with I/O. When an upper-layer application communicates with the low-level driver layer, the application sends an I/O request. The operating system converts the I/O request into corresponding IRP data. IRP data of different types is passed to different dispatch functions based on the type of the IRP data.
The IRP has two basic attributes. One is the major function (MajorFunction), which records the major type of the IRP and associates the major function of the IRP with a dispatch function. The other is the minor function (MinorFunction), which records the subtype of the IRP. The operating system dispatches IRPs to different dispatch functions according to the MajorFunction. Inside the dispatch function, the driver may go on to determine which MinorFunction the IRP belongs to. Functions related to file I/O, such as the function that creates a file kernel object (CreateFile), the function that reads a file (ReadFile), and the function that writes a file (WriteFile), create IRPs of the corresponding types: an IRP of the create type (IRP_MJ_CREATE), an IRP of the read type (IRP_MJ_READ), and an IRP of the write type (IRP_MJ_WRITE). These IRPs are passed to the dispatch functions at the driver layer. Here, the CreateFile function creates or opens an object and returns a handle that can be used to access the object; the ReadFile function reads data from a file, starting at the position the file pointer points to, and supports both synchronous and asynchronous operation; the WriteFile function writes data to a file.
In the operating system, if an application wants to open the driver layer, an IRP_MJ_CREATE may first be sent to the driver layer, and the driver layer may return a handle after a dispatch function performs the appropriate processing. Here, the handle is an integer value that identifies different objects of the application in the application layer, and distinguishes different instances of similar objects of the application, such as a window, a button, an icon, a scroll bar, an output device, a control, or a file. The application layer can access the corresponding driver layer through the handle.
However, if a third-party application views the handle through a tool and opens the driver layer through the handle, the third-party application can send the driver layer an I/O control function (IOCTL), which manages I/O channels in the device driver layer, and thereby control the driver layer directly. If the third-party application is malicious software, the user's computer can be vandalized by it.
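The routing by MajorFunction described above, as an added user-mode model in C (not code from this page and not real driver code): the IRP_MJ_* values match the Windows driver headers, while model_irp, the status codes, the caller_pid check and the sample PIDs are constructed for illustration. It shows that the IRP_MJ_CREATE dispatch function is the point where a driver can refuse a handle, so that a later IOCTL from an unaccepted caller fails.

```c
#include <stdio.h>

/* Major function codes, same values as in the Windows driver headers. */
#define IRP_MJ_CREATE            0x00
#define IRP_MJ_READ              0x03
#define IRP_MJ_DEVICE_CONTROL    0x0e
#define IRP_MJ_MAXIMUM_FUNCTION  0x1b

enum { ST_SUCCESS, ST_DENIED, ST_INVALID };  /* model codes, not NTSTATUS */

/* Reduced model of an IRP: only the fields this example needs. */
typedef struct {
    unsigned char major;        /* MajorFunction */
    unsigned long caller_pid;   /* hypothetical requester identity */
    int has_handle;             /* set once a create request succeeded */
} model_irp;

typedef int (*dispatch_fn)(model_irp *);
static const unsigned long trusted_pid = 4242;   /* constructed value */
static dispatch_fn major_table[IRP_MJ_MAXIMUM_FUNCTION + 1];

/* Create dispatch: decides whether the caller gets a handle at all. */
static int on_create(model_irp *irp) {
    if (irp->caller_pid != trusted_pid) return ST_DENIED;
    irp->has_handle = 1;
    return ST_SUCCESS;
}
/* IOCTL dispatch: only serves requests that arrive on a granted handle. */
static int on_ioctl(model_irp *irp) {
    return irp->has_handle ? ST_SUCCESS : ST_DENIED;
}
static int on_unsupported(model_irp *irp) { (void)irp; return ST_INVALID; }

/* Driver start-up: bind each major function to a dispatch function. */
static void driver_init(void) {
    for (unsigned i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
        major_table[i] = on_unsupported;
    major_table[IRP_MJ_CREATE] = on_create;
    major_table[IRP_MJ_DEVICE_CONTROL] = on_ioctl;
}

/* The routing step: pick the dispatch function by MajorFunction. */
static int dispatch(model_irp *irp) {
    if (irp->major > IRP_MJ_MAXIMUM_FUNCTION) return ST_INVALID;
    return major_table[irp->major](irp);
}

int main(void) {
    driver_init();
    model_irp outsider = { IRP_MJ_CREATE, 1337, 0 };   /* constructed */
    printf("outsider create -> %d\n", dispatch(&outsider));
    return 0;
}
```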