You need to know Kernel mode filters (DDK) in order to filter file contents from memory and disk on pre-opening of the file or loading into memory.
The latest DDK SDK has a sample on miniFilters which are what Virus checkers do. You also need a DB or virus data updated regularly to compare contents with. Also be aware all files opened or pretty much everything loaded into memory are parsed through the miniFilter so this will slow down the loading of application or files if you dont code correctly. If you havent performed Kernel mode applications before I recommend you get lots of experience prior to releasing anything into production as you will get a lot of BSOD's if you dont do it right.
DDK development is not like C++ development. Its like comparing C to C#. They are similar in structure but work totally differently.