Interrupt Request Packets (IRPs) are essentially just instructions for the driver. These packets allow the driver to act on the specific major function by providing the relevant information required by the function. There are many major function codes, but the most common ones are IRP_MJ_CREATE, IRP_MJ_CLOSE, and IRP_MJ_DEVICE_CONTROL. These correlate with user mode functions:
IRP_MJ_CREATE → CreateFile
IRP_MJ_CLOSE → CloseFile
IRP_MJ_DEVICE_CONTROL → DeviceIoControl
Definitions in DriverEntry may look like this:
DriverObject->MajorFunction[IRP_MJ_CREATE] = MyCreateCloseFunction;
DriverObject->MajorFunction[IRP_MJ_CLOSE] = MyCreateCloseFunction;
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = MyDeviceControlFunction;
When the following code in user mode is executed, the driver will receive an IRP with the major function code IRP_MJ_CREATE and will execute the MyCreateCloseFunction function:
hDevice = CreateFile(L"\\\\.\\MyDevice", GENERIC_WRITE|GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
The most important major function for us in almost all cases will be IRP_MJ_DEVICE_CONTROL, as it is used to send requests to perform a specific internal function from user mode. These requests include an IO Control Code which tells the driver exactly what to do, as well as a buffer to send data to and receive data from the driver.
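When reviewing an IRP_MJ_DEVICE_CONTROL handler, it helps to split each IO Control Code into the fields the WDK CTL_CODE macro packs into it. The decoder below is an added example, not code from the original article; the function names (decode_ioctl, review_flags and the two name helpers) are hypothetical and the two sample codes are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* A 32-bit I/O control code as packed by the WDK CTL_CODE macro:
   bits 31-16 DeviceType, 15-14 RequiredAccess, 13-2 Function, 1-0 Method. */
typedef struct {
    uint32_t device_type, access, function, method;
} ioctl_fields;

ioctl_fields decode_ioctl(uint32_t code) {
    ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFFu;
    f.access      = (code >> 14) & 0x3u;
    f.function    = (code >> 2)  & 0xFFFu;
    f.method      = code & 0x3u;
    return f;
}

const char *method_name(uint32_t method) {
    static const char *names[] = { "METHOD_BUFFERED", "METHOD_IN_DIRECT",
                                   "METHOD_OUT_DIRECT", "METHOD_NEITHER" };
    return names[method & 0x3u];
}

const char *access_name(uint32_t access) {
    static const char *names[] = { "FILE_ANY_ACCESS", "FILE_READ_ACCESS",
                                   "FILE_WRITE_ACCESS", "FILE_READ_ACCESS|FILE_WRITE_ACCESS" };
    return names[access & 0x3u];
}

/* Audit flags for a reviewer (hypothetical helper):
   bit 0: METHOD_NEITHER, the driver gets raw user-mode pointers and must validate them itself;
   bit 1: FILE_ANY_ACCESS, any handle to the device may send this request. */
unsigned review_flags(uint32_t code) {
    ioctl_fields f = decode_ioctl(code);
    return (f.method == 3u ? 1u : 0u) | (f.access == 0u ? 2u : 0u);
}

int main(void) {
    /* Constructed sample codes for illustration. */
    const uint32_t samples[] = { 0x222403u, 0x22E404u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        ioctl_fields f = decode_ioctl(samples[i]);
        printf("0x%08X device=0x%X function=0x%X %s %s flags=%u\n",
               (unsigned)samples[i], (unsigned)f.device_type, (unsigned)f.function,
               method_name(f.method), access_name(f.access), review_flags(samples[i]));
    }
    return 0;
}
```

Codes that come back with both flags set are the ones whose handlers deserve the closest reading, since the driver alone is responsible for checking the caller and the buffers.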