Currently I'm working on a scan-after-write functionality: whenever a file has been changed, the virus scanner checks the file.

My plan is to hook in NtWriteFile() (dlls/ntdll/file.c), because whenever a Windows program writes to a file this function is called.

Why not scan-before-write?

You have a hook into the write process, why not block the write if you have a hit?
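The gating check the reply proposes, as an added example in C that is not Wine's code and not from either poster: the signature list, the status values and the FILE-based write are constructed stand-ins for a real scanner engine and for the NtWriteFile plumbing.

```c
/* Added example: scan-before-write gate. Not Wine code; the signatures,
 * GateStatus values and fwrite() target are constructed placeholders. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef int GateStatus;
#define GATE_ALLOW 0
#define GATE_BLOCK 1

/* Constructed placeholder signatures; a real scanner uses its own engine. */
static const char *const signatures[] = {
    "CONSTRUCTED-TEST-SIGNATURE-1",
    "CONSTRUCTED-TEST-SIGNATURE-2",
};

/* Return 1 if any signature occurs in buf[0..len). An explicit length is
 * used because write buffers are arbitrary bytes, not NUL-terminated. */
static int buffer_has_hit(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < sizeof signatures / sizeof *signatures; i++) {
        size_t n = strlen(signatures[i]);
        if (n > len) continue;
        for (size_t off = 0; off + n <= len; off++)
            if (memcmp(buf + off, signatures[i], n) == 0) return 1;
    }
    return 0;
}

/* Scan-before-write: the scanner sees the bytes before they reach disk, so a
 * hit refuses the write instead of finding an infected file afterwards.
 * Caveat: a single buffer can miss content split across several writes or
 * written out of order; a real hook must track the file, not just the call. */
GateStatus gate_write(FILE *out, const unsigned char *buf, size_t len,
                      size_t *written)
{
    *written = 0;
    if (buffer_has_hit(buf, len)) return GATE_BLOCK;   /* nothing touches disk */
    *written = fwrite(buf, 1, len, out);
    return GATE_ALLOW;
}
```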

