https://github.com/forentfraps/mft_reader

Direct NTFS file reader via $MFT (Master File Table) for Windows. Bypasses file locks and permissions with admin privileges. Zig library with C bindings.
https://github.com/forentfraps/mft_reader

admin-tools c-bindings file-recovery filesystem forensics low-level mft ntfs red-team system-programming windows windows-internals zig

Last synced: 4 months ago
JSON representation

Direct NTFS file reader via $MFT (Master File Table) for Windows. Bypasses file locks and permissions with admin privileges. Zig library with C bindings.

• Host: GitHub
• URL: https://github.com/forentfraps/mft_reader
• Owner: forentfraps
• License: mit
• Created: 2025-09-06T01:41:05.000Z (5 months ago)
• Default Branch: main
• Last Pushed: 2025-09-23T12:17:52.000Z (5 months ago)
• Last Synced: 2025-09-23T14:28:01.384Z (5 months ago)
• Topics: admin-tools, c-bindings, file-recovery, filesystem, forensics, low-level, mft, ntfs, red-team, system-programming, windows, windows-internals, zig
• Language: Zig
• Homepage:
• Size: 689 KB
• Stars: 0
• Watchers: 0
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

          
# NTFS MFT Reader

A Windows-only Zig library that reads files directly through NTFS $MFT (Master File Table), bypassing standard file APIs. Requires administrator privileges.

## Features

- Direct MFT access for file reading

- Supports both resident and non-resident data

- Handles NTFS runlists and fixups

- C library export with automatic binding generation

## Installation

```bash

zig fetch --save git+https://github.com/forentfraps/mft_reader

```

Add to your `build.zig`:

```zig

const mft_reader = b.dependency("mft_reader", .{

    .target = target,

    .optimize = optimize,

});

exe.root_module.addImport("mft", mft_reader.module("mft"));

```

## Usage

### Zig API

```zig

const mft = @import("mft");

pub fn main() !void {

    var gpa = std.heap.GeneralPurposeAllocator(.{}){};

    const allocator = gpa.allocator();

    

    const data = try mft.MftReadFile(allocator, "C:\\path\\to\\file.txt");

    defer allocator.free(data);

    

    // Use data...

}

```

### C API

When compiled with `link_libc`, exports a C-compatible function:

```c

// Returns malloc'd buffer, caller must free()

// Size is written to the size parameter

// Returns NULL on error

char* MftReadFile(const char* path, size_t* size);

```

Example:

```c

size_t size;

char* data = MftReadFile("C:\\file.txt", &size);

if (data) {

    // Use data...

    free(data);  // Important: free the result

}

```

## Command Line Tool

```bash

zig build run -- C:\path\to\file

```

## Requirements

- Windows only

- Administrator privileges (for volume access)

- NTFS filesystem

## License

MIT (See LICENCE)