There are a few possibilities here, which I will mention. Firstly though, you must have a firm grasp of which APIs are being used and the methodology of data comparison in tools like RootkitRevealer. Since the particular tool doesn't come with source code, you should work towards finding the relevant API calls it makes. This requires some reverse engineering skills, but in the simplest case a debugger that lists API imports (like OllyDbg) will suffice. After you have that you should work towards understanding the process, the interweaving of different layers of access, which in my opinion is the harder of the tasks.

If you can achieve the above, you can look at the first option for "low-level" disk access: the Win32API::File standard module. You most likely won't find the level of complexity desired there, so your next bet might be Win32::API. I quote from the author's description page: "Win32::API is a perl extension to import and call functions from any 32-bit DLL (Dynamic Link Library); its main use is to perform "quick and dirty" calls to non otherwise implemented Win32 APIs or third-party or even homegrown DLLs."

If that doesn't do it, I suppose you could always resort to writing an XS extension, but then we are somewhat moving away from Perl code...


In reply to Re: raw file system and registry data by psychotic
in thread raw file system and registry data by ketema
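As an added example (not part of psychotic's reply or of either module's documentation), the following Perl script shows the two mechanisms the reply names side by side: Win32::API importing a plain kernel32 function (GetLogicalDrives) to get the "normal" API view of which volumes exist, and Win32API::File opening a volume as a raw device (\\.\C:) and reading its first sector directly, which is the kind of below-the-API read a RootkitRevealer-style comparison is built on. The NTFS boot-sector field offsets used in the unpack are the documented BIOS Parameter Block layout; the volume letter and the 512-byte sector size are assumptions for the example. The raw open requires Administrator rights and only works on Windows.

```perl
#!/usr/bin/perl
# Added example: API-level view vs. raw-device view of a volume.
# Assumes Windows, Administrator rights, an NTFS C: volume and 512-byte sectors.
use strict;
use warnings;
use Win32::API;
use Win32API::File qw(:ALL);

# --- 1. "High-level" view through a normal Win32 call, imported with Win32::API.
#     GetLogicalDrives() takes no parameters and returns a DWORD bitmask
#     (bit 0 = A:, bit 1 = B:, bit 2 = C:, ...).
sub logical_drives {
    my $fn = Win32::API->new('kernel32', 'GetLogicalDrives', '', 'N')
        or die "Win32::API import failed: $^E";
    my $mask = $fn->Call();
    return map { chr(ord('A') + $_) . ':' }
           grep { $mask & (1 << $_) } 0 .. 25;
}

# --- 2. "Low-level" view: open the volume device itself and read sector 0.
#     \\.\C: is the raw volume; FILE_SHARE_READ|FILE_SHARE_WRITE is needed
#     because the OS already has the volume open.
sub read_boot_sector {
    my ($letter, $sector_size) = @_;
    my $device = '\\\\.\\' . $letter;          # becomes \\.\C:
    my $h = CreateFile($device, GENERIC_READ,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       [], OPEN_EXISTING, 0, [])
        or die "CreateFile($device): " . fileLastError();
    my $buf = '';
    ReadFile($h, $buf, $sector_size, [], [])
        or die "ReadFile($device): " . fileLastError();
    CloseHandle($h);
    return $buf;
}

# --- 3. Decode the NTFS BPB fields we care about (offsets from the NTFS spec):
#     0x03 OEM ID (8 bytes), 0x0B bytes/sector (u16 LE), 0x0D sectors/cluster (u8),
#     0x30 LCN of $MFT (u64 LE, read as two u32 halves to avoid needing 64-bit unpack).
sub parse_ntfs_boot {
    my ($buf) = @_;
    die "short read" if length($buf) < 512;
    my ($oem, $bps, $spc) = unpack('x3 A8 v C', $buf);
    my ($mft_lo, $mft_hi)  = unpack('x48 V V', $buf);
    return {
        oem_id              => $oem,
        bytes_per_sector    => $bps,
        sectors_per_cluster => $spc,
        mft_lcn             => $mft_hi * 2**32 + $mft_lo,
        mft_byte_offset     => ($mft_hi * 2**32 + $mft_lo) * $spc * $bps,
    };
}

my @drives = logical_drives();
print "API view, logical drives: @drives\n";

my $letter = 'C:';                             # assumption for the example
my $sector = read_boot_sector($letter, 512);
my $bpb    = parse_ntfs_boot($sector);

print "Raw view of $letter boot sector:\n";
printf "  OEM ID               : %s\n", $bpb->{oem_id};
printf "  bytes per sector     : %d\n", $bpb->{bytes_per_sector};
printf "  sectors per cluster  : %d\n", $bpb->{sectors_per_cluster};
printf "  \$MFT starts at LCN %d (byte offset 0x%X)\n",
       $bpb->{mft_lcn}, $bpb->{mft_byte_offset};
```

The byte offset of $MFT printed at the end is the natural next step for the thread's goal: seeking to it on the raw handle and walking the MFT records yourself gives a directory listing that never passes through the filesystem driver, which is exactly what a rootkit hooking the high-level APIs cannot easily tamper with.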
