I was looking up things on different methods for coding to find rootkits, and

Question

0

Asked: May 28, 20262026-05-28T07:49:57+00:00 2026-05-28T07:49:57+00:00

I was looking up things on different methods for coding to find rootkits, and

0

I was looking up things on different methods for coding to find rootkits, and I came upon a question here, actually, that mentioned one way to detect them was to scan for files using the windows API, and then using the direct file system, and see if there was any discrepancies (for some kinds of rootkits).

This made me question(s): How do you write code to directly access the file system? What kind of function calls would be needed for this? Is this something that can be done in C++ or would i need to go to assembly?

Any answers or guidance would be lovely!

Thank you,
-Stefan Z

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-28T07:49:58+00:00

It’s pretty easy to read things directly…

(Edit: you can even do this without using Windows-specific header files — see below.)

#include <stdlib.h>
#include <stdio.h>

int main(void)
{
    FILE *volume = fopen("\\\\.\\C:", "r");
    if (volume)
    {
        long long offset = 0;  // Sector-aligned offset
        setbuf(volume, NULL);  // Disable buffering

        if (_fseeki64(volume, offset, SEEK_SET) == 0)
        {
            char buf[1024];  // Multiple of sector size
            size_t cb = fread(buf, sizeof(*buf), _countof(buf), volume);

            // Process the data
        }
        fclose(volume);
    }
    return 0;
}

The hard part is figuring out what to read, and how to interpret it.

A lot about NTFS is undocumented, but some parts of it are documented. Have fun researching.

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I was looking up things on different methods for coding to find rootkits, and

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply