24 Jul
2006
8:40 p.m.
Currently I'm working on a scan-after-write functionality: whenever a file was changed, the virus scanner checks the file.
My plan is to hook into NtWriteFile() (dlls/ntdll/file.c), because whenever a Windows program writes to a file this function is called.

Why not scan-before-write? You have a hook into the write process, so why not block the write if you have a hit?
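The two policies discussed in the thread (scan after the bytes land versus block the write before they do), as an added illustration that is not Wine's code and does not touch the real NtWriteFile(). It assumes a hypothetical in-memory file (`struct sim_file`), a stand-in `raw_write()` for the unhooked write, a toy `scan_buffer()` that looks for one constructed signature string, and a `hooked_write()` wrapper applying either policy. Both policies scan the content the file will hold after the write rather than only the chunk being written, which is what catches a pattern split across two write calls:

```c
#include <stddef.h>
#include <string.h>

/* Constructed signature for the demo; not a real malware pattern. */
static const char SIGNATURE[] = "DEMO-BAD-PATTERN";

enum scan_policy { SCAN_AFTER_WRITE, SCAN_BEFORE_WRITE };

/* Hypothetical in-memory file standing in for the target of a hooked write. */
struct sim_file {
    char   data[256];
    size_t len;
    int    quarantined;   /* set when a post-write scan finds a hit */
};

/* Toy scanner: 1 if SIGNATURE occurs anywhere in buf, else 0. */
int scan_buffer(const char *buf, size_t len)
{
    size_t siglen = sizeof SIGNATURE - 1;
    for (size_t i = 0; i + siglen <= len; i++)
        if (memcmp(buf + i, SIGNATURE, siglen) == 0) return 1;
    return 0;
}

/* The unhooked write the hook wraps (stand-in for the original write call). */
static int raw_write(struct sim_file *f, const char *buf, size_t len)
{
    if (f->len + len > sizeof f->data) return -1;
    memcpy(f->data + f->len, buf, len);
    f->len += len;
    return 0;
}

/* Hooked write: 0 = written clean, 1 = blocked or quarantined, -1 = error.
 * Both policies scan the content the file will hold after the write, not just
 * the current chunk, so a signature split across two writes is still detected. */
int hooked_write(struct sim_file *f, const char *buf, size_t len, enum scan_policy policy)
{
    if (policy == SCAN_BEFORE_WRITE) {
        char prospective[sizeof f->data];
        if (f->len + len > sizeof prospective) return -1;
        memcpy(prospective, f->data, f->len);
        memcpy(prospective + f->len, buf, len);
        if (scan_buffer(prospective, f->len + len)) return 1;  /* refused: no bytes land */
        return raw_write(f, buf, len);
    }
    /* SCAN_AFTER_WRITE: the bytes land first, then the whole file is scanned */
    if (raw_write(f, buf, len) != 0) return -1;
    if (scan_buffer(f->data, f->len)) { f->quarantined = 1; return 1; }
    return 0;
}

/* Demo driver: write the signature split across two calls under one policy,
 * store the second call's verdict in *result and return how many bytes the
 * file holds afterwards (15 when the write was blocked, 31 when it landed). */
size_t demo_split_write(enum scan_policy policy, int *result)
{
    struct sim_file f = { {0}, 0, 0 };
    const char *part1 = "header DEMO-BAD";      /* constructed sample input */
    const char *part2 = "-PATTERN trailer";     /* completes the signature */
    hooked_write(&f, part1, strlen(part1), policy);
    *result = hooked_write(&f, part2, strlen(part2), policy);
    return f.len;
}
```

With scan-before-write the second chunk is refused and the file keeps only the 15 harmless bytes of the first write; with scan-after-write all 31 bytes are on "disk" by the time the hit is found, so the hook can only flag or quarantine what has already been written. A hook that scanned only the chunk passed to each call would miss the split pattern under either policy.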