1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
|
#------------------------------------------------------------------------------
# $File: virtual,v 1.21 2024/09/04 19:09:00 christos Exp $
# From: James Nobis <quel@quelrod.net>
# Microsoft hard disk images for:
# Virtual Server
# Virtual PC
# VirtualBox
# URL: http://fileformats.archiveteam.org/wiki/VHD_(Virtual_Hard_Disk)
# Reference: https://download.microsoft.com/download/f/f/e/ffef50a5-07dd-4cf8-aaa3-442c0673a029/
# Virtual%20Hard%20Disk%20Format%20Spec_10_18_06.doc
0 string conectix Microsoft Disk Image, Virtual Server or Virtual PC
# alternative shorter names
#0 string conectix Microsoft Virtual Hard Disk image
#0 string conectix Microsoft Virtual HD image
!:mime application/x-virtualbox-vhd
!:ext vhd
# Features is a bit field used to indicate specific feature support
#>8 ubelong !0x00000002 \b, Features %#x
# Reserved. This bit must always be set to 1.
#>8 ubelong &0x00000002 \b, Reserved %#x
# File Format Version for the current specification 0x00010000
#>12 ubelong !0x00010000 \b, Version %#8.8x
# Data Offset only found 0x200
#>16 ubequad !0x200 \b, Data Offset %#llx
#>16 ubequad x \b, at %#llx
# Dynamic Disk Header cookie like cxsparse
#>(16.Q) string x "%-.8s"
# This field contains a Unicode string (UTF-16) of the parent hard disk filename
#>(16.Q+64) ubequad x \b, parent name %#llx
# Creator Application
# vpc~Microsoft Virtual PC, vs~Microsoft Virtual Server, vbox~VirtualBox, d2v~disk2vhd
>28 string x \b, Creator %-4.4s
# Creator Version: 0x00010000~Virtual Server 2004, 0x00050000~Virtual PC 2004
# holds the major/minor version of the application that created the image
>32 ubeshort x %x
>34 ubeshort x \b.%x
#>32 ubelong x \b, Version %#8.8x
# Creator Host OS: 0x5769326B~Windows (Wi2k), 0x4D616320~Macintosh (Mac)
>36 ubelong x (
>>36 ubelong 0x5769326B \bW2k
>>36 ubelong 0x4D616320 \bMac
>>36 default x \b0x
>>>36 ubelong x \b%8.8x
# creation Time in seconds since 1 Jan 2000 UTC~946684800 sec. since Unix Epoch
>24 bedate+946684800 x \b) %s
# Original Size
#>40 ubequad x \b, o.-Size %#llx
# Current Size is same as original size, but change when disk is expanded
#>48 ubequad x \b, Size %#llx
>48 ubequad x \b, %llu bytes
# Disk Geometry: cylinder, heads, and sectors/track for hard disk
#>56 ubeshort x \b, Cylinder %#x
>56 ubeshort x \b, CHS %u
# Heads
#>58 ubyte x \b, Heads %#x
>58 ubyte x \b/%u
# Sectors per track
#>59 ubyte x \b, Sectors %#x
>59 ubyte x \b/%u
# Disk Type: 3~Dynamic hard disk
>60 ubelong !0x3 \b, type %#x
# Checksum
#>64 ubelong x \b, cksum %#x
# universally unique identifier (UUID) to associate a parent with its differencing image
#>68 ubequad x \b, id %#16.16llx
#>76 ubequad x \b-%16.16llx
# Saved State: 1~Saved State
>84 ubyte !0 \b, State %#x
# Reserved 427 bytes with nils
#>85 ubequad !0 \b, Reserved %#16.16llx
# From: Joerg Jenderek
# URL: https://msdn.microsoft.com/en-us/library/mt740058.aspx
# Reference: https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/
# MS-VHDX/[MS-VHDX].pdf
# Note: extends the VHD format with new capabilities, such as a 16TB maximum size
# TODO: find and display values like virtual size, disk size, cluster_size, etc
# display id in GUID format
#
# VHDX_FILE_IDENTIFIER signature 0x656C696678646876
0 string vhdxfile
# VHDX_HEADER signature. 1 header is stored at offset 64KB and the other at 128KB
>0x10000 string head Microsoft Disk Image eXtended
#>0x20000 string head \b, 2nd header
#!:mime application/x-virtualbox-vhdx
!:ext vhdx
# Creator[256] like "QEMU v3.0.0", "Microsoft Windows 6.3.9600.18512"
>>8 lestring16 x \b, by %.256s
# The Checksum field is a CRC-32C hash over the entire 4 KB structure
#>>0x10004 ulelong x \b, CRC %#x
# SequenceNumber
>>0x10008 ulequad x \b, sequence %#llx
# FileWriteGuid
#>>0x10010 ubequad x \b, file id %#llx
#>>>0x10018 ubequad x \b-%llx
# DataWriteGuid
#>>0x10020 ubequad x \b, data id %#llx
#>>>0x10028 ubequad x \b-%llx
# LogGuid. If this field is zero, then the log is empty or has no valid entries
>>0x10030 ubequad >0 \b, log id %#llx
>>>0x10038 ubequad x \b-%llx
# LogVersion. If not 0 there is a log to replay
>>0x10040 uleshort >0 \b, LogVersion %#x
# Version. This field must be set to 1
>>0x10042 uleshort !1 \b, Version %#x
# LogLength must be multiples of 1 MB
>>0x10044 ulelong/1048576 >1 \b, LogLength %u MB
# LogOffset (normally 0x100000 when log direct after header); multiples of 1 MB
>>0x10048 ulequad !0x100000 \b, LogOffset %#llx
# Log Entry Signature must be 0x65676F6C~loge
>>(0x10048.q) ulelong !0x65676F6C \b, NO Log Signature
>>(0x10048.q) ulelong =0x65676F6C \b; LOG
# Log Entry Checksum
#>>>(0x10048.q+4) ulelong x \b, Log CRC %#x
# Log Entry Length must be a multiple of 4 KB
>>>(0x10048.q+8) ulelong/1024 >4 \b, EntryLength %u KB
# Log Entry Tail must be a multiple of 4 KB
#>>>(0x10048.q+12) ulelong x \b, Tail %#x
# Log Entry SequenceNumber
#>>>(0x10048.q+16) ulequad x \b, # %#llx
# Log Entry DescriptorCount may be zero. only 4 bytes in other docs instead 8
#>>>(0x10048.q+24) ulelong x \b, DescriptorCount %#llx
# Log Entry Reserved must be set to 0
>>>(0x10048.q+28) ulelong !0 \b, Reserved %#x
# Log Entry LogGuid
#>>>(0x10048.q+32) ubequad x \b, Log id %#llx
#>>>(0x10048.q+40) ubequad x \b-%llx
# Log Entry FlushedFileOffset should VHDX size when entry is written.
#>>>(0x10048.q+48) ulequad x \b, FlushedFileOffset %llu
# Log Entry LastFileOffset
#>>>(0x10048.q+56) ulequad x \b, LastFileOffset %llu
# filling
#>>>(0x10048.q+64) ulequad >0 \b, filling %llx
# Reserved[4016]
#>>0x10050 ulequad >0 \b, Reserved %#llx
# VHDX_REGION_TABLE_HEADER Signature 0x69676572~regi at offset 192 KB and 256 KB
>0x30000 ulelong !0x69676572 Microsoft Disk Image Extended, 1st region INVALID
>0x30000 ulelong =0x69676572 Microsoft Disk Image Extended; region
# region Checksum. CRC-32C hash over the entire 64-KB table
#>>0x30004 ulelong x \b, CRC %#x
# The EntryCount specifies number of valid entries; Found 2; This must be =< 2047.
>>0x30008 ulelong x \b, %u entries
# reserved must be zero
#>>0x3000C ulelong !0 \b, RESERVED %#x
# Region Table Entry starts with identifier for the object. often BAT id
>>0x30010 use vhdx-id
# FileOffset
>>0x30020 ulequad x \b, at %#llx
# Length. Specifies the length of the object within the file
#>>0x30028 ulelong x \b, Length %#x
# 1 means region entry is required. if region not recognized, then REFUSE to load VHDX
>>0x3002C ulelong x \b, Required %u
# 2nd region entry often metadata id
>>0x30030 use vhdx-id
# 2nd entry FileOffset
>>0x30040 ulequad x \b, at %#llx
# 1 means region entry is required. if region not recognized, then REFUSE to load VHDX
>>0x3004C ulelong x \b, Required %u
# 2nd region
>>0x40000 ulelong !0x69676572 \b, 2nd region INVALID
# check in vhdx images for known id and show names instead hexadecimal
0 name vhdx-id
# https://www.windowstricks.in/online-windows-guid-converter
# 2DC27766-F623-4200-9D64-115E9BFD4A08 BAT GUID
# 6677C22D23F600429D64115E9BFD4A08 BAT ID
>0 ubequad =0x6677C22D23F60042
>>8 ubequad =0x9D64115E9BFD4A08 \b, id BAT
# no BAT id
>>8 default x
>>>0 use vhdx-id-hex
# 8B7CA206-4790-4B9A-B8FE-575F050F886E Metadata region GUID
# 06A27C8B90479A4BB8FE575F050F886E Metadata region ID
>0 ubequad =0x06A27C8B90479A4B
>>8 ubequad =0xB8FE575F050F886E \b, id Metadata
# no Metadata id
>>8 default x
>>>0 use vhdx-id-hex
# 2FA54224-CD1B-4876-B211-5DBED83BF4B8 Virtual Disk Size GUID
# 2442A52F1BCD7648B2115DBED83BF4B8 Virtual Disk Size ID
# value "virtual size" can be verified by command `qemu-img info `
>0 ubequad =0x2442A52F1BCD7648
>>8 ubequad =0xB2115DBED83BF4B8 \b, id vsize
# no Virtual Disk Size ID
>>8 default x
>>>0 use vhdx-id-hex
# other ids
>0 default x
>>0 use vhdx-id-hex
# in vhdx images show id as hexadecimal
0 name vhdx-id-hex
>0 ubequad x \b, ID %#16.16llx
>8 ubequad x \b-%16.16llx
#
# libvirt
# From: Philipp Hahn <hahn@univention.de>
0 string LibvirtQemudSave Libvirt QEMU Suspend Image
>0x10 lelong x \b, version %u
>0x14 lelong x \b, XML length %u
>0x18 lelong 1 \b, running
>0x1c lelong 1 \b, compressed
0 string LibvirtQemudPart Libvirt QEMU partial Suspend Image
# From: Alex Beregszaszi <alex@fsn.hu>
0 string/b COWD VMWare3
>4 byte 3 disk image
>>32 lelong x (%d/
>>36 lelong x \b%d/
>>40 lelong x \b%d)
>4 byte 2 undoable disk image
>>32 string >\0 (%s)
0 string/b VMDK VMware4 disk image
0 string/b KDMV VMware4 disk image
#--------------------------------------------------------------------
# Qemu Emulator Images
# Lines written by Friedrich Schwittay (f.schwittay@yousable.de)
# Updated by Adam Buchbinder (adam.buchbinder@gmail.com)
# Made by reading sources, reading documentation, and doing trial and error
# on existing QCOW files
0 string/b QFI\xFB QEMU QCOW Image
!:mime application/x-qemu-disk
# Uncomment the following line to display Magic (only used for debugging
# this magic number)
#>0 string/b x , Magic: %s
# There are currently 2 Versions: "1" and "2".
# https://www.gnome.org/~markmc/qcow-image-format-version-1.html
>4 belong x (v%d)
# Using the existence of the Backing File Offset to determine whether
# to read Backing File Information
>>12 belong >0 \b, has backing file (
# Note that this isn't a null-terminated string; the length is actually
# (16.L). Assuming a null-terminated string happens to work usually, but it
# may spew junk until it reaches a \0 in some cases.
>>>(12.L) string >\0 \bpath %s
# Modification time of the Backing File
# Really useful if you want to know if your backing
# file is still usable together with this image
>>>>20 bedate >0 \b, mtime %s)
>>>>20 default x \b)
# Size is stored in bytes in a big-endian u64.
>>24 bequad x \b, %lld bytes
# 1 for AES encryption, 0 for none.
>>36 belong 1 \b, AES-encrypted
# https://www.gnome.org/~markmc/qcow-image-format.html
>4 belong 2 (v2)
# Using the existence of the Backing File Offset to determine whether
# to read Backing File Information
>>8 bequad >0 \b, has backing file
# Note that this isn't a null-terminated string; the length is actually
# (16.L). Assuming a null-terminated string happens to work usually, but it
# may spew junk until it reaches a \0 in some cases. Also, since there's no
# .Q modifier, we just use the bottom four bytes as an offset. Note that if
# the file is over 4G, and the backing file path is stored after the first 4G,
# the wrong filename will be printed. (This should be (8.Q), when that syntax
# is introduced.)
>>>(12.L) string >\0 (path %s)
>>24 bequad x \b, %lld bytes
>>32 belong 1 \b, AES-encrypted
>4 belong 3 (v3)
# Using the existence of the Backing File Offset to determine whether
# to read Backing File Information
>>8 bequad >0 \b, has backing file
# Note that this isn't a null-terminated string; the length is actually
# (16.L). Assuming a null-terminated string happens to work usually, but it
# may spew junk until it reaches a \0 in some cases. Also, since there's no
# .Q modifier, we just use the bottom four bytes as an offset. Note that if
# the file is over 4G, and the backing file path is stored after the first 4G,
# the wrong filename will be printed. (This should be (8.Q), when that syntax
# is introduced.)
>>>(12.L) string >\0 (path %s)
>>24 bequad x \b, %lld bytes
>>32 belong 1 \b, AES-encrypted
>4 default x (unknown version)
0 string/b QEVM QEMU suspend to disk image
# QEMU QED Image
# https://wiki.qemu.org/Features/QED/Specification
0 string/b QED\0 QEMU QED Image
# VDI Image
# Sun xVM VirtualBox Disk Image
# From: Richard W.M. Jones <rich@annexia.org>
# VirtualBox Disk Image
0x40 ulelong 0xbeda107f VirtualBox Disk Image
>0x44 uleshort >0 \b, major %u
>0x46 uleshort >0 \b, minor %u
>0 string >\0 (%s)
>368 lequad x \b, %lld bytes
# From: Joerg Jenderek
# URL: https://www.virtualbox.org/manual/ch08.html#vboxmanage-modifynvram
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/n/nvram-virtualbox.trid.xml
# Note: called "VirtualBox saved (U)EFI BIOS settings" by TrID and
# verfied partly by VirtualBox version 7.0.12 `VBoxManage modifynvram <uuid|vmname> listvars`
# first 64 bytes seems to be constant
0 long 0
>0x28 string _FVH
>>0x64 beshort 0xAA55
>>>0 use virtualbox-nvram
# display information of virtualbox *.nvram
0 name virtualbox-nvram
>0x64 beshort x VirtualBox NVRAM file
#!:mime application/octet-stream
!:mime application/x-virtualbox-nvram
!:ext nvram
0 string/b Bochs\ Virtual\ HD\ Image Bochs disk image,
>32 string x type %s,
>48 string x subtype %s
0 lelong 0x02468ace Bochs Sparse disk image
# QEMU replay image
# From: Alexandre Iooss <erdnaxe@crans.org>
# URL: https://www.qemu.org/docs/master/system/replay.html
# Reference: https://gitlab.com/qemu/qemu/-/blob/master/replay/replay.c
0 ubelong&0xFFFFFFF0 0x00e02000
>3 byte >5
>>4 quad 0
>>>12 ulelong <40 QEMU replay
>>>>3 byte x \b, version %d
>>>>3 byte 6 (QEMU 2.10-2.11)
>>>>3 byte 7 (QEMU 2.12-4.1)
>>>>3 byte 8 (QEMU 4.2)
>>>>3 byte 9 (QEMU 5.0)
>>>>3 byte 10 (QEMU 5.1-7.0)
>>>>3 byte 12 (QEMU 7.1+)
|
