...

Currently I'm working on a scan-after-write functionality: Whenever a file was changed the virusscanner checks the file.

My plan is to hook in NtWriteFile() (dlls/ntdll/file.c), because whenever a windows program writes to a file this function is called. why not scan-before-write? you have a hook into the write process, why not block the write if you have a hit?