基本上类似Filter Driver. MarkRuss 这里有解释:http://www.microsoft.com/technet/sysinternals/utilities/portmon.mspx“When you select a port to monitor, Portmon sends a request to its device driver that includes the NT name (e.g. \device\serial0) that you are interested in. The driver uses standard filtering APIs to attach its own filter device object to the target device object. First, it uses ZwCreateFile to open the target device. Then it translates the handle it receives back from ZwCreateFile to a device object pointer. After creating its own filter device object that matches the characteristics of the target, the driver calls IoAttachDeviceByPointer to establish the filter. From that point on the Portmon driver will see all requests aimed at the target device. ”
sysinternal当时很多都是公开代码的