HELLO
Â
For the good protection, AN anti virus require at least one driver. This driver is used to able to run the code in kernel and can access the overall kernal APIs.
The antivirus company is use rookie that is used for as guard the doors.
The process of the making the antivirus. First thing you need to protect user form that is launching of malicious process. The antivirus is register with the PsSetCreateProcessNotifyRoutineEx callback.
You done this, You need to create the each process. When the main thread is going to start to run the antivirus callback is notified and receives all the require information .
Information can receives such as name of the process, File object and PID. When the process is waiting or may be pending, It can analyze the memory of the process for the anything malicious.
The driver will simply set the creation status to false and return.
The following code to understand the process for the antivirus:-
NTSTATUS PsSetCreateProcessNotifyRoutineEx(
 _In_  PCREATE_PROCESS_NOTIFY_ROUTINE_EX NotifyRoutine,
 _In_  BOOLEAN Remove
);
VOID CreateProcessNotifyEx(
 _Inout_  PEPROCESS Process,
 _In_    HANDLE ProcessId,
 _In_opt_  PPS_CREATE_NOTIFY_INFO CreateInfo
);
typedef struct _PS_CREATE_NOTIFY_INFO {
 SIZE_T        Size;
 union {
  ULONG  Flags;
  struct {
   ULONG FileOpenNameAvailable  :1;
   ULONG Reserved  :31;
  };
 };
 HANDLE        ParentProcessId;
 CLIENT_ID      CreatingThreadId;
 struct _FILE_OBJECT  *FileObject;
 PCUNICODE_STRING   ImageFileName;
 PCUNICODE_STRING   CommandLine;
 NTSTATUS       CreationStatus;
} PS_CREATE_NOTIFY_INFO, *PPS_CREATE_NOTIFY_INFO;
