If I have a fully intact IRP and I am viewing it in a program such as IRP Monitor, how can I tell which function(s) this IRP is associated with, such as IRP_MJ_READ or IRP_MJ_WRITE?
IRP by itself not "associated" with any function. every IRP have at least one I/O Stack Locations - and at begin of IO_STACK_LOCATION structure you can view
UCHAR MajorFunction;
UCHAR MinorFunction;
MajorFunction
The IRP major function code indicating the type of I/O operation to be performed.
exactly here values IRP_MJ_XXX. however complex IRP have multiple stack locations and different locations can have different MajorFunction. say IRP which set to filesystem or disk driver initially (in top stacks) have IRP_MJ_WRITE (or read). but when disk driver send this irp down to port driver - already IRP_MJ_SCSI set in stack