List files on FAT32/NTFS from Delphi

cronodragon
21-04-2006, 03:57 PM
Hello! Does someone know of a sample on how to list all the files on a disk by reading the FAT32 or NTFS directly? I mean, not using FindFirst/FindNext. The lower-level the method is, the better, since rootkits intercept the internal functions of the system to cover their traces. I want to create a rootkit scanner in Delphi with this; it would be freeware. :D Thanks in advance!

JSoftware
21-04-2006, 07:23 PM
I don't think that would be possible with NTFS, but you are able to do it with FAT32. I had a specification some time ago but I sadly lost it.. :cry:

cronodragon
21-04-2006, 08:37 PM
Thanks anyway :D Well, I have just used a tool that scans for rootkits, and it finds out every hidden file and stream in the NTFS partition.

I have another question. If I go to www.msdn.com, and find a function that I want to import to Delphi, how do I know which system library it should be imported from? For example I declare this:

...
function GetLongPathName(lpszShortPath: PChar; lpszLongPath: PChar;
cchBuffer: DWORD): DWORD; stdcall;

implementation

function GetLongPathName; external kernel32 Name 'GetLongPathNameA';
...

How do I know this function is at kernel32 library? :?

JSoftware
21-04-2006, 08:43 PM
Search for the function and find something describing that function.

At the bottom of that page you should see a table where it says:
DLL: Requires Kernel32.dll.

fragle
22-04-2006, 03:55 PM
Regarding the file systems:
Since FAT is indeed the easier one of this couple, finding full specs on the net is not much of a challenge (check out here (http://home.freeuk.net/foxy2k/disk/disk1.htm) for example). NTFS on the other hand is more wicked, but still doable. I'd recommend starting to read up about it from http://www.ntfs.com and then heading to http://www.linux-ntfs.org/ for more detailed documentation.
Oh, and a small tip that might hopefully help you out - for direct disk access when playing around with the specs, I really recommend WinHEX (http://www.x-ways.net/winhex/index-m.html). A superb tool for data recovery or any random browsing around the disk (did some file recovery by hand with it once, when my freaky PC thrashed all the partitions on a disk so that no file recovery software did its job decently :shock:. It was a success ;) )

Aye, and something about the api declarations - another way would be to search the header files from windows sdk. Dunno if that would be faster, but it's an option ;)
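As an added example (not code from this thread or from any of the tools linked above), here is a Python sketch of what the original question asks for: reading the FAT32 boot sector, FAT chain and root directory from a raw volume image instead of calling FindFirst/FindNext, so that a scanner can compare the on-disk view with the API view. The volume is constructed inline; BPB and directory-entry offsets follow the FAT32 specification, and the hidden attribute check is the part a rootkit scanner would diff against the API listing.

```python
import struct

SECTOR = 512
ATTR_HIDDEN, ATTR_DIR, ATTR_LFN = 0x02, 0x10, 0x0F  # directory entry attribute bits

def build_fat32_image():
    """Constructed sample (not a real disk): 1 boot sector, 2 one-sector FATs, root dir in cluster 2."""
    boot = bytearray(SECTOR)
    # BPB_BytsPerSec, BPB_SecPerClus, BPB_RsvdSecCnt, BPB_NumFATs at offsets 11/13/14/16
    struct.pack_into('<HBHB', boot, 11, SECTOR, 1, 1, 2)
    struct.pack_into('<I', boot, 36, 1)                  # BPB_FATSz32: sectors per FAT
    struct.pack_into('<I', boot, 44, 2)                  # BPB_RootClus
    boot[510:512] = b'\x55\xAA'                          # boot sector signature
    fat = bytearray(SECTOR)
    # entries 0/1 are reserved; cluster 2 (root dir) is a single-cluster chain
    struct.pack_into('<III', fat, 0, 0x0FFFFFF8, 0xFFFFFFFF, 0x0FFFFFFF)
    root = bytearray(SECTOR)
    entries = [(b'README  TXT', 0x20, 1234), (b'HIDDEN  DAT', 0x22, 77),
               (b'SYSTEM     ', ATTR_DIR, 0)]            # 0x22 = archive|hidden
    for i, (name, attr, size) in enumerate(entries):
        e = i * 32
        root[e:e + 11], root[e + 11] = name, attr
        struct.pack_into('<H', root, e + 26, 3 + i)      # first cluster, low word
        struct.pack_into('<I', root, e + 28, size)
    return bytes(boot + fat + fat + root)

def list_root(image):
    """Walk the root directory via its FAT chain; returns (name, attr, first_cluster, size) tuples."""
    bps, spc, rsvd, nfats = struct.unpack_from('<HBHB', image, 11)
    fatsz, clus = struct.unpack_from('<I', image, 36)[0], struct.unpack_from('<I', image, 44)[0]
    clus_bytes = bps * spc
    data_start = (rsvd + nfats * fatsz) * bps            # byte offset of cluster 2
    found = []
    while clus < 0x0FFFFFF8:                             # stop at end-of-chain marker
        base = data_start + (clus - 2) * clus_bytes
        for off in range(base, base + clus_bytes, 32):
            ent = image[off:off + 32]
            if ent[0] == 0x00:
                return found                             # free entry: end of directory
            if ent[0] == 0xE5 or (ent[11] & 0x3F) == ATTR_LFN:
                continue                                 # deleted entry or long-name piece
            name, ext = ent[:8].decode('ascii').rstrip(), ent[8:11].decode('ascii').rstrip()
            hi, lo, size = struct.unpack_from('<H', ent, 20)[0], struct.unpack_from('<H', ent, 26)[0], struct.unpack_from('<I', ent, 28)[0]
            found.append((name + ('.' + ext if ext else ''), ent[11], (hi << 16) | lo, size))
        clus = struct.unpack_from('<I', image, rsvd * bps + clus * 4)[0] & 0x0FFFFFFF  # next cluster, 28-bit
    return found

def hidden_entries(image):
    """Names carrying the hidden attribute; compare with the API view to spot discrepancies."""
    return [n for n, a, _, _ in list_root(image) if a & ATTR_HIDDEN]
```

On a real volume the same parser would be fed sectors read from the raw device (on Windows, a handle opened on the volume path) rather than an in-memory image, and the comparison against FindFirst/FindNext output is what exposes entries a hooked API hides.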

cronodragon
23-04-2006, 12:22 AM
Thanks for all your info! Finally I found out how to do what I wanted. It's incredible how easy it is to store tons of perfectly hidden data in Windows, and so easy. I even found how to write hidden information in the NTFS partition using just Notepad!!... and I don't mean by setting the visible attribute of the files. Data can be stored in hidden streams that could be examined only by a few special functions, which only work on administrator accounts, and anyway those could be overridden by any virus using rootkit techniques. Windows is really insecure. If a well-done rootkit virus takes the system, the antivirus can't be trusted. The disk must be scanned from outside, in a trusted system. In the future I will try to remove my hard disks and scan them in an isolated computer. :!: