I've seen a couple of tools that skip minifilters/filter manager and directly send an I/O request packet to the base file system (NTFS). These tools create their own IRP, set the major function to IRP_MJ_SET_INFORMATION, set the information class to FileDispositionInformation and get the device object using IoGetBaseFileSystemDeviceObject for the file object associated with the file to be deleted. Then they call IoCallDriver to pass the IRP directly to NTFS, skipping minifilters/filter manager.
Before they create the IRP, they also close all the handles associated with the file they are trying to delete.
In this way they completely skip filter manager and any minifilters that are trying to prevent files from getting deleted. Is there any way that I can prevent this type of activity done by these tools? These tools are exclusively used to perform BYOVD/BYOM attacks.
Unfortunately, minifilters are managed by Filter Manager. FS attachments managed by Filter Manager are therefore unable to intercept this. Legacy filters using "IoAttachDeviceToDeviceStack" can be placed on the I/O stack below or above file system drivers; then you can set the major function as IRP_MJ_SET_INFORMATION and intercept it.
No, there's nothing you can do to intercept these. There's no legitimate reason for a driver to do this, but once the driver is loaded it's "game over" from a Windows perspective.
I realize I wasn't very clear in my previous message, so let me clarify. When I said "intercept" I didn't mean that you can stop the malicious driver once it's already loaded; at that point it's indeed too late and it can bypass most protections. What I meant was that you set up a trap mechanism before the malicious driver is loaded, such as by attaching early to the file system stack, to potentially stop or limit it.
IoGetBaseFileSystemDeviceObject always returns the file system device object, so it's not a matter of when/how you attach; you'll be bypassed for the resulting I/O operation.
To achieve this, you may try something unusual.
For example, you can intercept some IRPs sent to NTFS by hooking the IRP dispatch table of the NTFS driver.
Neither the device stack nor the FilterManager helps in your case.