Hey, can a minifilter intercept CreateFile operations that are not necessarily file operations , like CreateFile to open a device? If so, why is that when I’m trying to print the target device object of a request in a filter (I obtain it with IoGetRelatedDeviceObject) it is always the device of the fltmgr? Say a tool like netstat opens a handle to the NSI driver , can my minifilter intercept that?
No, minifilters only attach to file systems.