说明：  由于IRP开始于某个实体调用I/O管理器函数创建它,可以使用下面任何一种函数创建IRP: IoBuildAsynchronousFsdRequest 创建异步IRP(不需要等待其完成)。该函数和下一个函数仅适用于创建某些类型的IRP。 IoBuildSynchronousFsdRequest 创建同步IRP(需要等待其完成)。 IoBuildDeviceIoControlRequest 创建一个同步IRP_MJ_DEVICE_CONTROL或IRP_MJ_INTERNAL_DEVICE_CONTROL请求。 IoAllocateIrp 创建上面三个函数不支持的其它种类的IRP。 由此我们知道,第一种起点拦截的办法就清楚了,那就是HOOK这几个IRP的创建函数。
(IRP began as an entity called I/O Manager function to create it, you can use any of the following function to create IRP: IoBuildAsynchronousFsdRequest create an asynchronous IRP (without waiting for its completion.) The function and one function only for the next to create certain types of IRP. IoBuildSynchronousFsdRequest create a synchronous IRP (need to wait for its completion.) IoBuildDeviceIoControlRequest create a synchronization IRP_MJ_DEVICE_CONTROL or IRP_MJ_INTERNAL_DEVICE_CONTROL requests. IoAllocateIrp create the above three functions are not supported by other types of IRP. From this we know, the first starting block approach to clear, and that is the creation of IRP HOOK these functions.)