May be two case:
1) app uses Icmpapi. (for example ping.exe). Then
/Device/ip get IRP_MJ_INTERNAL_DEVICE_CONTROL
or IRP_MJ_DEVICE_CONTROL
MinorFunction = 0
IOCTL = 0x120000
and parameter:
typedef struct __ICMP_ECHO_REQUEST {
unsigned long Address;
unsigned long Timeout;
unsigned short DataOffset;
unsigned short DataSize;
unsigned char OptionsValid;
unsigned char Ttl;
unsigned char Tos;
unsigned char Flags;
unsigned short OptionsOffset;
unsigned char OptionsSize;
unsigned char Padding;
} ICMP_ECHO_REQUEST, *PICMP_ECHO_REQUEST;
you should intercept such IRPs
2) app can use raw sockets. In such case you should hijack raw traffic.