How does a Windows antivirus hook into the file access process?

Question

The subject says it all. A normal antivirus has to intercept all file accesses, scan the files and then optionally deny access to the file (possibly even displaying a prompt

Answer 1

You can read about the detours library from microsoft and try it for free - it allows you to write user mode hooks in c#. No need for you to learn about drivers :]

However - for kernel mode hooks - you will need to know c and play around with the DDK - atleast afaik :[

And most modern anti-virus software intercept quite a few calls - registry apis, thread and process apis etc - not just the file system api. Again - afaik.

edit: There are also a few open source rootkits - google them and see how they perform their hooking, it will be educational I guess.