From: Christos Zoulas Date: Sat, 15 Dec 2018 18:56:07 +0000 (+0000) Subject: Add VHDX file support (Joerg Jenderek) X-Git-Tag: FILE5_36~34 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=917c30ffc21b12aad054872644f9f15f2b424f98;p=file Add VHDX file support (Joerg Jenderek) --- diff --git a/magic/Magdir/virtual b/magic/Magdir/virtual index f2fc7ae8..81d60355 100644 --- a/magic/Magdir/virtual +++ b/magic/Magdir/virtual @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: virtual,v 1.8 2018/12/04 12:12:53 christos Exp $ +# $File: virtual,v 1.9 2018/12/15 18:56:07 christos Exp $ # From: James Nobis # Microsoft hard disk images for: # Virtual Server @@ -70,6 +70,128 @@ # Reserved 427 bytes with nils #>85 ubequad !0 \b, Reserved 0x%16.16llx +# From: Joerg Jenderek +# URL: https://msdn.microsoft.com/en-us/library/mt740058.aspx +# Reference: https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/ +# MS-VHDX/[MS-VHDX].pdf +# Note: extends the VHD format with new capabilities, such as a 16TB maximum size +# TODO: find and display values like virtual size, disk size, cluster_size, etc +# display id in GUID format +# +# VHDX_FILE_IDENTIFIER signature 0x656C696678646876 +0 string vhdxfile +# VHDX_HEADER signature. 1 header is stored at offset 64KB and the other at 128KB +>0x10000 string head Microsoft Disk Image eXtended +#>0x20000 string head \b, 2nd header +#!:mime application/x-virtualbox-vhdx +!:ext vhdx +# Creator[256] like "QEMU v3.0.0", "Microsoft Windows 6.3.9600.18512" +>>8 lestring16 x \b, by %.256s +# The Checksum field is a CRC-32C hash over the entire 4 KB structure +#>>0x10004 ulelong x \b, CRC 0x%x +# SequenceNumber +>>0x10008 ulequad x \b, sequence 0x%llx +# FileWriteGuid +#>>0x10010 ubequad x \b, file id 0x%llx +#>>>0x10018 ubequad x \b-%llx +# DataWriteGuid +#>>0x10020 ubequad x \b, data id 0x%llx +#>>>0x10028 ubequad x \b-%llx +# LogGuid. If this field is zero, then the log is empty or has no valid entries +>>0x10030 ubequad >0 \b, log id 0x%llx +>>>0x10038 ubequad x \b-%llx +# LogVersion. If not 0 there is a log to replay +>>0x10040 uleshort >0 \b, LogVersion 0x%x +# Version. This field must be set to 1 +>>0x10042 uleshort !1 \b, Version 0x%x +# LogLength must be multiples of 1 MB +>>0x10044 ulelong/1048576 >1 \b, LogLength %u MB +# LogOffset (normally 0x100000 when log direct after header); multiples of 1 MB +>>0x10048 ulequad !0x100000 \b, LogOffset 0x%llx +# Log Entry Signature must be 0x65676F6C~loge +>>(0x10048.q) ulelong !0x65676F6C \b, NO Log Signature +>>(0x10048.q) ulelong =0x65676F6C \b; LOG +# Log Entry Checksum +#>>>(0x10048.q+4) ulelong x \b, Log CRC 0x%x +# Log Entry Length must be a multiple of 4 KB +>>>(0x10048.q+8) ulelong/1024 >4 \b, EntryLength %u KB +# Log Entry Tail must be a multiple of 4 KB +#>>>(0x10048.q+12) ulelong x \b, Tail 0x%x +# Log Entry SequenceNumber +#>>>(0x10048.q+16) ulequad x \b, # 0x%llx +# Log Entry DescriptorCount may be zero. only 4 bytes in other docs instead 8 +#>>>(0x10048.q+24) ulelong x \b, DescriptorCount 0x%llx +# Log Entry Reserved must be set to 0 +>>>(0x10048.q+28) ulelong !0 \b, Reserved 0x%x +# Log Entry LogGuid +#>>>(0x10048.q+32) ubequad x \b, Log id 0x%llx +#>>>(0x10048.q+40) ubequad x \b-%llx +# Log Entry FlushedFileOffset should VHDX size when entry is written. +#>>>(0x10048.q+48) ulequad x \b, FlushedFileOffset %llu +# Log Entry LastFileOffset +#>>>(0x10048.q+56) ulequad x \b, LastFileOffset %llu +# filling +#>>>(0x10048.q+64) ulequad >0 \b, filling %llx +# Reserved[4016] +#>>0x10050 ulequad >0 \b, Reserved 0x%llx +# VHDX_REGION_TABLE_HEADER Signature 0x69676572~regi at offset 192 KB and 256 KB +>0x30000 ulelong !0x69676572 \b, 1st region INVALID +>0x30000 ulelong =0x69676572 \b; region +# region Checksum. CRC-32C hash over the entire 64-KB table +#>>0x30004 ulelong x \b, CRC 0x%x +# The EntryCount specifies number of valid entries; Found 2; This must be =< 2047. +>>0x30008 ulelong x \b, %u entries +# reserved must be zero +#>>0x3000C ulelong !0 \b, RESERVED 0x%x +# Region Table Entry starts with identifier for the object. often BAT id +>>0x30010 use vhdx-id +# FileOffset +>>0x30020 ulequad x \b, at 0x%llx +# Length. Specifies the length of the object within the file +#>>0x30028 ulelong x \b, Length 0x%x +# 1 means region entry is required. if region not recognized, then REFUSE to load VHDX +>>0x3002C ulelong x \b, Required %u +# 2nd region entry often metadata id +>>0x30030 use vhdx-id +# 2nd entry FileOffset +>>0x30040 ulequad x \b, at 0x%llx +# 1 means region entry is required. if region not recognized, then REFUSE to load VHDX +>>0x3004C ulelong x \b, Required %u +# 2nd region +>>0x40000 ulelong !0x69676572 \b, 2nd region INVALID +# check in vhdx images for known id and show names instead hexadecimal +0 name vhdx-id +# http://www.windowstricks.in/online-windows-guid-converter +# 2DC27766-F623-4200-9D64-115E9BFD4A08 BAT GUID +# 6677C22D23F600429D64115E9BFD4A08 BAT ID +>0 ubequad =0x6677C22D23F60042 +>>8 ubequad =0x9D64115E9BFD4A08 \b, id BAT +# no BAT id +>>8 default x +>>>0 use vhdx-id-hex +# 8B7CA206-4790-4B9A-B8FE-575F050F886E Metadata region GUID +# 06A27C8B90479A4BB8FE575F050F886E Metadata region ID +>0 ubequad =0x06A27C8B90479A4B +>>8 ubequad =0xB8FE575F050F886E \b, id Metadata +# no Metadata id +>>8 default x +>>>0 use vhdx-id-hex +# 2FA54224-CD1B-4876-B211-5DBED83BF4B8 Virtual Disk Size GUID +# 2442A52F1BCD7648B2115DBED83BF4B8 Virtual Disk Size ID +# value "virtual size" can be verified by command `qemu-img info ` +>0 ubequad =0x2442A52F1BCD7648 +>>8 ubequad =0xB2115DBED83BF4B8 \b, id vsize +# no Virtual Disk Size ID +>>8 default x +>>>0 use vhdx-id-hex +# other ids +>0 default x +>>0 use vhdx-id-hex +# in vhdx images show id as hexadecimal +0 name vhdx-id-hex +>0 ubequad x \b, ID 0x%16.16llx +>8 ubequad x \b-%16.16llx +# # libvirt # From: Philipp Hahn 0 string LibvirtQemudSave Libvirt QEMU Suspend Image