Possible Duplicate:
How does a Windows antivirus hook into the file access process?
Antivirus software often offers "Realtime" protection by (presumably) intercepting calls to the file system, scanning the target file and then allowing the call to complete. From observed behavior, I'd guess this happens whenever an application attempts to open a file handle to read (at least opening a 5 gig file with Sophos installed = instant coffee break).
How exactly is this implemented? Do they actually use drivers which abstract the file system or is it simply a case of calling an API (which method(s)?) to get yourself injected into the chain?
Is there any standard way to detect which apps are hooking in like this?
I've tagged .NET as that's my framework of choice, but I suspect P/Invoke will be required, so although a .NET example would be ideal, a straight API reference is almost as good.