Tools sending IRP directly to NTFS, skipping filter manager and minifilters

I've seen a couple of tools that skip minifilters/filter manager and directly send an I/O request packet to the base file system (NTFS). These tools create their own IRP, set the major function to IRP_MJ_SET_INFORMATION, set the information class to FileDispositionInformation, and get the device object using IoGetBaseFileSystemDeviceObject for the file object associated with the file to be deleted. Then they call IoCallDriver to pass the IRP directly to NTFS, skipping minifilters/filter manager.

Before they create the IRP, they also close all the handles associated with the file they are trying to delete.

In this way they completely skip the filter manager and any minifilters that are trying to prevent files from getting deleted. Is there any way I can prevent this type of activity by these tools? These tools are exclusively used to perform BYOVD/BYOM attacks.

I've tried the disk class driver and it won't help, as it sits much lower than the file system. It won't even receive an IRP, as NTFS has already marked the space as reusable in the MFT.

In the past this was done by replacing the pointer to the corresponding dispatch function in the DRIVER_OBJECT's MajorFunction array, as this memory was not write-protected and IoCallDriver invoked a routine from this array. But I think MS added a consistency check for some critical DRIVER_OBJECTs and BugChecks the system if the MajorFunction array is modified.

I think IoCallDriver calls the real function (like IopfCallDriver) through a pointer saved in a global variable; this is what Driver Verifier uses to replace IoCallDriver. You can disassemble IoCallDriver in your driver and find where the address of the real function is kept, and replace it if it is not write-protected and is not checked for system integrity.

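A user-mode model of the dispatch path discussed in the question and in Slava's answer, added here as an illustration; it is not code from the thread, from the tools described, or from Windows. The MODEL_* structs, the global counters, the device names and the depth-based discriminator in the hook are all assumptions that mimic DRIVER_OBJECT, DEVICE_OBJECT and IRP just enough to show two things: an IRP sent with IoCallDriver is routed through DeviceObject->DriverObject->MajorFunction[major], so aiming it at the base NTFS device object never runs FltMgr's dispatch (and therefore no minifilter), and a hook on the single pointer that IoCallDriver jumps through observes the call whichever device object the caller picked.

```c
#include <string.h>

#define IRP_MJ_SET_INFORMATION     6
#define IRP_MJ_MAXIMUM_FUNCTION    27
#define FileDispositionInformation 13

typedef enum { STATUS_SUCCESS = 0, STATUS_ACCESS_DENIED = 1 } NTSTATUS;

typedef struct {                     /* only the IRP fields the model needs */
    unsigned char MajorFunction, FileInformationClass;
    const char *FileName;
} MODEL_IRP;

struct MODEL_DEVICE_OBJECT;
typedef NTSTATUS (*PDRIVER_DISPATCH)(struct MODEL_DEVICE_OBJECT *, MODEL_IRP *);
typedef struct { PDRIVER_DISPATCH MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1]; } MODEL_DRIVER_OBJECT;
typedef struct MODEL_DEVICE_OBJECT {
    MODEL_DRIVER_OBJECT *DriverObject;
    struct MODEL_DEVICE_OBJECT *AttachedTo;   /* next lower device in the stack */
} MODEL_DEVICE_OBJECT;
typedef NTSTATUS (*PFN_CALL_DRIVER)(MODEL_DEVICE_OBJECT *, MODEL_IRP *);

static int g_ntfs_deletes, g_minifilter_denies, g_hook_denies, g_call_depth;

/* IoCallDriver as modelled: a stub that jumps through one global pointer. */
static NTSTATUS IopfCallDriver(MODEL_DEVICE_OBJECT *dev, MODEL_IRP *irp)
{
    return dev->DriverObject->MajorFunction[irp->MajorFunction](dev, irp);
}
static PFN_CALL_DRIVER g_pfnCallDriver = IopfCallDriver;
static NTSTATUS IoCallDriver(MODEL_DEVICE_OBJECT *dev, MODEL_IRP *irp)
{
    return g_pfnCallDriver(dev, irp);
}

/* Base file system: carries out the delete without consulting anyone. */
static NTSTATUS NtfsSetInformation(MODEL_DEVICE_OBJECT *dev, MODEL_IRP *irp)
{
    (void)dev;
    if (irp->FileInformationClass == FileDispositionInformation) g_ntfs_deletes++;
    return STATUS_SUCCESS;
}

/* Filter manager: runs the one modelled minifilter pre-op, then forwards down. */
static NTSTATUS FltMgrSetInformation(MODEL_DEVICE_OBJECT *dev, MODEL_IRP *irp)
{
    if (irp->FileInformationClass == FileDispositionInformation &&
        strcmp(irp->FileName, "protected.dat") == 0) {
        g_minifilter_denies++;
        return STATUS_ACCESS_DENIED;
    }
    return IoCallDriver(dev->AttachedTo, irp);
}

static MODEL_DRIVER_OBJECT g_ntfs_drv, g_fltmgr_drv;
static MODEL_DEVICE_OBJECT g_ntfs_dev   = { &g_ntfs_drv, NULL };
static MODEL_DEVICE_OBJECT g_fltmgr_dev = { &g_fltmgr_drv, &g_ntfs_dev };

/* What the I/O manager targets for a normal delete, versus what
 * IoGetBaseFileSystemDeviceObject hands the tools described in the thread. */
static MODEL_DEVICE_OBJECT *TopOfStack(void)     { return &g_fltmgr_dev; }
static MODEL_DEVICE_OBJECT *BaseFileSystem(void) { return &g_ntfs_dev; }

static void BuildStack(void)
{
    g_ntfs_drv.MajorFunction[IRP_MJ_SET_INFORMATION]   = NtfsSetInformation;
    g_fltmgr_drv.MajorFunction[IRP_MJ_SET_INFORMATION] = FltMgrSetInformation;
    g_pfnCallDriver = IopfCallDriver;
    g_ntfs_deletes = g_minifilter_denies = g_hook_denies = g_call_depth = 0;
}

/* Build a FileDispositionInformation IRP and send it to the chosen device. */
static NTSTATUS DeleteVia(MODEL_DEVICE_OBJECT *target, const char *name)
{
    MODEL_IRP irp = { IRP_MJ_SET_INFORMATION, FileDispositionInformation, name };
    return IoCallDriver(target, &irp);
}

/* The hook Slava suggests: swap the pointer IoCallDriver jumps through. Toy
 * discriminator (an assumption of this model): a disposition IRP aimed at the
 * base FS device at depth 0 did not come from FltMgr's forwarding call, which
 * is nested inside the outer IoCallDriver. A real hook would need per-thread
 * state and a sturdier signal than a single global counter. */
static NTSTATUS HookedCallDriver(MODEL_DEVICE_OBJECT *dev, MODEL_IRP *irp)
{
    NTSTATUS st;
    if (dev == BaseFileSystem() && g_call_depth == 0 &&
        irp->MajorFunction == IRP_MJ_SET_INFORMATION &&
        irp->FileInformationClass == FileDispositionInformation) {
        g_hook_denies++;
        return STATUS_ACCESS_DENIED;
    }
    g_call_depth++;
    st = IopfCallDriver(dev, irp);
    g_call_depth--;
    return st;
}
static void InstallHook(void) { g_pfnCallDriver = HookedCallDriver; }
```

After BuildStack(), DeleteVia(TopOfStack(), "protected.dat") is denied by the minifilter while DeleteVia(BaseFileSystem(), "protected.dat") reaches NtfsSetInformation untouched, which is the bypass the question describes. After InstallHook() the same direct call is denied by the hook, and a delete sent through the top of the stack still works because FltMgr's own forwarding call arrives at the base device nested one level deeper. The caveat carries over to real kernel code: from the device object alone the hook cannot tell FltMgr's forwarding apart from a rogue driver, so whatever signal replaces the toy depth counter is where a bypass of the hook would be looked for.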

Thanks Slava for this information. I'll work on this. I've found a post to help me move forward:
PatchGuard and DRIVER_OBJECT MajorFunction Table - #12 by OSR_Community_User