How does a Windows antivirus hook into the file access process?

Note: this page is a Chinese/English parallel translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it you must comply with the same CC BY-SA license, cite the original address and author information, and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/1531800/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share them, but you must attribute them to the original authors (not me): StackOverflow

Time: 2020-09-15 13:14:48  Source: igfitidea

How does a Windows antivirus hook into the file access process?

Tags: windows, antivirus

Asked by Vilx-

The subject says it all. A normal antivirus has to intercept all file accesses, scan the files and then optionally deny access to the file (possibly even displaying a prompt to the user). How can this be done?


I'm aware of a method called API hooking, but that's a really dirty undocumented hack - and as such isn't really reliable. What's the "official" way of doing this?


Alternatively, I would be interested in intercepting the loading of executable modules (.DLL, .EXE, etc.), not just arbitrary file reads.


Answered by Andrew

In recent versions of Windows (at least XP onwards) there is the concept of 'filters', which can be viewed using MS Filter Manager (fltmc.exe from a command prompt).


This provides a low-level I/O hook that AV programs can access and automatically register to be passed all I/O requests to the file system. It is a kit you can get the drivers for and develop your own filters for.


http://www.microsoft.com/whdc/driver/filterdrv/default.mspx is a starting place to get in-depth info.

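As an added example (not part of Andrew's answer), the Python script below parses the table that `fltmc filters` prints and orders the filters by altitude, which is the order in which Filter Manager hands each I/O request to them (higher altitude first). The `fltmc` output embedded in the script is constructed for the example; `parse_fltmc_filters`, `antivirus_filters` and `filters_above` are this example's own names, and the 320000-329999 range is Microsoft's published altitude range for the "FSFilter Anti-Virus" load-order group.

```python
"""Parse the filter list that `fltmc filters` prints and order it by altitude.

Added example, not code from the original answer. `fltmc filters` must be run
from an elevated command prompt on Windows; the sample text below is a
constructed copy of that table so the parser can be exercised anywhere.
"""
import re
import subprocess
import sys
from dataclasses import dataclass
from typing import List

# Constructed sample of `fltmc filters` output (the filter names are real
# Windows components, the instance counts are made up for this example).
SAMPLE_FLTMC_OUTPUT = """\

Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
bindflt                                 1       409800         0
WdFilter                                4       328010         0
storqosflt                              0       244000         0
wcifs                                   0       189900         0
FileCrypt                               0       141100         0
luafv                                   1       135000         0
npsvctrig                               1        46000         0
Wof                                     3        40700         0
FileInfo                                4        40500         0
"""

# Microsoft reserves 320000-329999 for the "FSFilter Anti-Virus" load-order group.
ANTIVIRUS_ALTITUDE = (320000, 329999)

# One data row: name, instance count, altitude (may carry a decimal part), frame.
_ROW = re.compile(r"^(\S+)\s+(\d+)\s+([\d.]+)\s+(\S+)\s*$")


@dataclass(frozen=True)
class FilterEntry:
    name: str
    instances: int     # how many volumes the filter is attached to
    altitude: float    # higher altitude = sees the request earlier
    frame: str         # "0", "1", ... or "<Legacy>" for non-minifilter drivers


def parse_fltmc_filters(text: str) -> List[FilterEntry]:
    """Return the filters sorted by altitude, highest (called first) on top."""
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:                      # blank line, header row or separator row
            continue
        name, inst, alt, frame = m.groups()
        entries.append(FilterEntry(name, int(inst), float(alt), frame))
    return sorted(entries, key=lambda e: e.altitude, reverse=True)


def antivirus_filters(entries: List[FilterEntry]) -> List[str]:
    """Names of the filters registered in the Anti-Virus altitude range."""
    low, high = ANTIVIRUS_ALTITUDE
    return [e.name for e in entries if low <= e.altitude <= high]


def filters_above(entries: List[FilterEntry], name: str) -> List[str]:
    """Filters that see an I/O request before `name` does (higher altitude)."""
    target = next(e for e in entries if e.name == name)
    return [e.name for e in entries if e.altitude > target.altitude]


if __name__ == "__main__":
    if sys.platform == "win32":
        text = subprocess.run(["fltmc", "filters"], capture_output=True,
                              text=True, check=True).stdout
    else:
        text = SAMPLE_FLTMC_OUTPUT
    entries = parse_fltmc_filters(text)
    for e in entries:
        print(f"{e.altitude:>10.0f}  {e.name:<20} instances={e.instances} frame={e.frame}")
    print("anti-virus group:", antivirus_filters(entries))
```

On a real machine the altitude column is what tells you where a product's filter sits relative to the others: a filter with a higher altitude than the AV filter (bindflt in the constructed sample) sees every create before the scanner does.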

Answered by Mare Infinitus

As you already noted, hooking is key to what off-the-shelf AV software with "realtime" protection does.


You could have a look at the (widely discussed) winpooch, which already does API hooking, but there are some major flaws in this software. Sourceforge of Winpooch


There is also an article on CodeProject on API hooking, providing a library to do hooking "in three layers". DLL injection is somewhat hard, as you can imagine. CodeProject: EasyHook, reinvention of API Hooking


As you are probably interested in antivirus strategies, I also suggest having a look at ClamAV, or WinClam, which is open source (under GPL). ClamAV for windows


But I do not have a clue how to do API hooking with C#, I have to admit. In C / C++ this is (quite) easy...


ADD ON: You may be interested in the sources of FileMon, a widely known file system monitor that was once by SysInternals and is now by Microsoft: it uses the Driver-Filter API by Microsoft, which is at least known as fragile.


The link may be found here in the Sysinternals forum


Answered by Lucero

Through File System Filter Drivers. However, implementing such drivers is quite complicated and "fragile".


Answered by Eugene Mayevski 'Callback

File access is monitored using a filesystem filter driver, which works in kernel mode. Filter drivers can not just be notified about filesystem operations, but also alter the data passed via filters or deny filesystem requests.


You can create a minifilter yourself, yet maintenance and support of your kernel-mode code can be non-trivial, especially without kernel-mode development experience. One of the problems is conflicts between various filters.


Our company offers the CallbackFilter product, which provides a ready-to-use driver and lets you write the business logic related to filtering in user mode.

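The "notify, alter, or deny" behaviour that Lucero's and Eugene's answers describe follows from how Filter Manager walks the minifilter stack for each request. The Python model below is an added example, not code from either answer and not kernel code: `FilterManager`, `Minifilter`, `IoRequest`, `build_stack`, the in-memory disk and the `SIGNATURE` pattern are all constructed for the example, while the `PreOp` values mirror the real `FLT_PREOP_*` return codes and `STATUS_VIRUS_INFECTED` is a real NTSTATUS name. It shows why a deny from the AV filter is final (lower filters and the file system never see the request) and why a higher-altitude monitor still gets to log the denied status.

```python
"""Toy model of how Filter Manager walks the minifilter stack for one request.

Added example: not code from the answers above and not kernel code. It only
imitates the dispatch order of fltmgr.sys over a constructed in-memory disk.
"""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Callable, Dict, List, Optional, Tuple


class PreOp(Enum):
    """Verdicts a pre-operation callback can return (named after FLT_PREOP_*)."""
    SUCCESS_WITH_CALLBACK = auto()  # pass the request down; call my post-op on completion
    SUCCESS_NO_CALLBACK = auto()    # pass the request down; no post-op wanted
    COMPLETE = auto()               # request is finished here with the status I set


@dataclass
class IoRequest:
    """Stand-in for the FLT_CALLBACK_DATA handed to every callback."""
    major: str                       # "IRP_MJ_CREATE", "IRP_MJ_READ", ...
    path: str
    status: str = "STATUS_SUCCESS"   # NTSTATUS name set by whoever completes the request
    trace: List[str] = field(default_factory=list)


@dataclass
class Minifilter:
    name: str
    altitude: int                    # higher altitude = earlier on the way down
    pre: Callable[[IoRequest], PreOp]
    post: Optional[Callable[[IoRequest], None]] = None


class FilterManager:
    """Pre-ops run from highest to lowest altitude, post-ops in reverse."""

    def __init__(self, filters: List[Minifilter], disk: Dict[str, bytes]):
        self.filters = sorted(filters, key=lambda f: f.altitude, reverse=True)
        self.disk = disk             # constructed stand-in for the file system

    def dispatch(self, req: IoRequest) -> IoRequest:
        pending_post: List[Minifilter] = []
        for flt in self.filters:
            verdict = flt.pre(req)
            req.trace.append(f"{flt.name}:pre:{verdict.name}")
            if verdict is PreOp.SUCCESS_WITH_CALLBACK:
                pending_post.append(flt)
            elif verdict is PreOp.COMPLETE:
                break                # lower filters and the file system never see it
        else:
            self._file_system(req)   # only reached when nobody completed the request
        for flt in reversed(pending_post):   # completion travels back up the stack
            flt.post(req)
            req.trace.append(f"{flt.name}:post")
        return req

    def _file_system(self, req: IoRequest) -> None:
        if req.path not in self.disk:
            req.status = "STATUS_OBJECT_NAME_NOT_FOUND"


SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"   # constructed stand-in for a malware pattern


def build_stack() -> Tuple[FilterManager, List[Tuple[str, str, str]]]:
    """Return a three-filter stack over a constructed disk plus the monitor's log."""
    disk = {
        r"C:\data\report.txt": b"quarterly numbers",
        r"C:\Users\me\Downloads\tool.exe": b"MZ" + SIGNATURE,
    }
    audit_log: List[Tuple[str, str, str]] = []

    def monitor_pre(req: IoRequest) -> PreOp:
        return PreOp.SUCCESS_WITH_CALLBACK        # notify-only: wants the final status

    def monitor_post(req: IoRequest) -> None:
        audit_log.append((req.major, req.path, req.status))

    def av_pre(req: IoRequest) -> PreOp:
        # Scan on open; a match completes the create with a failure status,
        # which the user-mode caller sees as a failed CreateFile.
        if req.major == "IRP_MJ_CREATE" and SIGNATURE in disk.get(req.path, b""):
            req.status = "STATUS_VIRUS_INFECTED"
            return PreOp.COMPLETE
        return PreOp.SUCCESS_NO_CALLBACK

    def low_pre(req: IoRequest) -> PreOp:
        return PreOp.SUCCESS_NO_CALLBACK          # e.g. a bottom-group filter

    filters = [
        Minifilter("ActMon", 385000, monitor_pre, monitor_post),  # Activity Monitor range
        Minifilter("ToyAV", 328010, av_pre),                      # Anti-Virus range
        Minifilter("LowFilter", 40500, low_pre),                  # Bottom range
    ]
    return FilterManager(filters, disk), audit_log


if __name__ == "__main__":
    mgr, log = build_stack()
    for path in (r"C:\data\report.txt", r"C:\Users\me\Downloads\tool.exe"):
        req = mgr.dispatch(IoRequest("IRP_MJ_CREATE", path))
        print(f"{path}: {req.status} via {' -> '.join(req.trace)}")
    print("monitor log:", log)
```

The conflict Eugene mentions between filters is visible in this model too: whichever filter sits higher wins, so two products that both want to complete the same create will only ever have one of them run, and the one below may never learn the request existed.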

Answered by Pablo Yabo

In general, these products intercept functions used to get a HANDLE to a process, like OpenProcess or NtOpenProcess. They also hook CreateRemoteThread functions and memory allocation in a remote process: VirtualAlloc and VirtualProtect. Some AVs also hook the SetWindowsHookEx function to detect global hooks, to avoid key loggers.


By hooking these APIs they can control which modules (or DLLs) can access remote processes, and allow only those where the user knows what they are doing.


You can use HookShark to see what user-mode functions are intercepted by each AV product.


To make your own user hooks you can use the Detours library, but you have to develop an agent to run your in-process hooks and then communicate with an agent server. You can also use Deviare API Hook, which is a framework that handles all the complex stuff so you can code your hooks in your own process using any programming language.


Answered by quixver

You can read about the Detours library from Microsoft and try it for free - it allows you to write user mode hooks in C#. No need for you to learn about drivers :]


However - for kernel mode hooks - you will need to know C and play around with the DDK - at least afaik :[


And most modern anti-virus software intercepts quite a few calls - registry APIs, thread and process APIs etc. - not just the file system API. Again - afaik.


edit: There are also a few open source rootkits - Google them and see how they perform their hooking; it will be educational, I guess.
