Q: netbt.sys calls tcpip!TCPSendData directly. How can this be explained?
A: Yes, that’s true, tcpip.sys can be requested for the pointer to the internal routine tcpip!TCPSendData. You can see the processing of the particular request (IOCTL_TDI_QUERY_DIRECT_SEND_HANDLER) in reversed engineered code of tcpip!TCPDispatch. This interface improves performance of kernel-mode tcpip.sys clients.
The solution is interception of IOCTL_TDI_QUERY_DIRECT_SEND_HANDLER, saving the TCPSendData pointer and modification of the returned pointer to your own routine. So you can track all calls to TCPSendData.