virtual 12 KB


  1. #------------------------------------------------------------------------------
  2. # $File: virtual,v 1.12 2020/02/15 01:20:15 christos Exp $
  3. # From: James Nobis <quel@quelrod.net>
  4. # Microsoft hard disk images for:
  5. # Virtual Server
  6. # Virtual PC
  7. # VirtualBox
  8. # URL: http://fileformats.archiveteam.org/wiki/VHD_(Virtual_Hard_Disk)
  9. # Reference: https://download.microsoft.com/download/f/f/e/ffef50a5-07dd-4cf8-aaa3-442c0673a029/
  10. # Virtual%20Hard%20Disk%20Format%20Spec_10_18_06.doc
  # Identification rests on the 8-byte "conectix" cookie at offset 0 only. The
  # checksum test (offset 64) is commented out below, so a match means the
  # signature is present, not that the footer/header copy is well formed.
  # NOTE(review): per the VHD specification referenced above, fixed-size images
  # keep their footer only at the end of the file - presumably those are not
  # matched by this rule; confirm before relying on it for image triage.
  # Every value printed below is read from the file and is therefore chosen by
  # whoever produced the image.
  11. 0 string conectix Microsoft Disk Image, Virtual Server or Virtual PC
  12. # alternative shorter names
  13. #0 string conectix Microsoft Virtual Hard Disk image
  14. #0 string conectix Microsoft Virtual HD image
  15. !:mime application/x-virtualbox-vhd
  16. !:ext vhd
  17. # Features is a bit field used to indicate specific feature support
  18. #>8 ubelong !0x00000002 \b, Features 0x%x
  19. # Reserved. This bit must always be set to 1.
  20. #>8 ubelong &0x00000002 \b, Reserved 0x%x
  21. # File Format Version for the current specification 0x00010000
  22. #>12 ubelong !0x00010000 \b, Version 0x%8.8x
  23. # Data Offset only found 0x200
  24. #>16 ubequad !0x200 \b, Data Offset 0x%llx
  25. #>16 ubequad x \b, at 0x%llx
  26. # Dynamic Disk Header cookie like cxsparse
  27. #>(16.Q) string x "%-.8s"
  28. # This field contains a Unicode string (UTF-16) of the parent hard disk filename
  29. #>(16.Q+64) ubequad x \b, parent name 0x%llx
  30. # Creator Application
  31. # vpc~Microsoft Virtual PC, vs~Microsoft Virtual Server, vbox~VirtualBox, d2v~disk2vhd
  32. >28 string x \b, Creator %-4.4s
  33. # Creator Version: 0x00010000~Virtual Server 2004, 0x00050000~Virtual PC 2004
  34. # holds the major/minor version of the application that created the image
  35. >32 ubeshort x %x
  36. >34 ubeshort x \b.%x
  37. #>32 ubelong x \b, Version 0x%8.8x
  38. # Creator Host OS: 0x5769326B~Windows (Wi2k), 0x4D616320~Macintosh (Mac)
  # Unknown host OS values fall through to the default branch and are shown as hex.
  39. >36 ubelong x (
  40. >>36 ubelong 0x5769326B \bW2k
  41. >>36 ubelong 0x4D616320 \bMac
  42. >>36 default x \b0x
  43. >>>36 ubelong x \b%8.8x
  44. # creation Time in seconds since 1 Jan 2000 UTC~946684800 sec. since Unix Epoch
  # The timestamp is taken from the image, not from the file system; treat it as
  # a claim made by the image's creator.
  45. >24 bedate+946684800 x \b) %s
  46. # Original Size
  47. #>40 ubequad x \b, o.-Size 0x%llx
  48. # Current Size is the same as the original size, but changes when the disk is expanded
  49. #>48 ubequad x \b, Size 0x%llx
  50. >48 ubequad x \b, %llu bytes
  51. # Disk Geometry: cylinder, heads, and sectors/track for hard disk
  52. #>56 ubeshort x \b, Cylinder 0x%x
  53. >56 ubeshort x \b, CHS %u
  54. # Heads
  55. #>58 ubyte x \b, Heads 0x%x
  56. >58 ubyte x \b/%u
  57. # Sectors per track
  58. #>59 ubyte x \b, Sectors 0x%x
  59. >59 ubyte x \b/%u
  60. # Disk Type: 3~Dynamic hard disk
  # Only types other than 3 are printed.
  # NOTE(review): the VHD spec also defines 2~Fixed and 4~Differencing - confirm
  # against the reference above. A differencing image depends on a parent disk
  # (see the parent name field noted earlier), which matters when the image
  # comes from an untrusted source.
  61. >60 ubelong !0x3 \b, type 0x%x
  62. # Checksum
  63. #>64 ubelong x \b, cksum 0x%x
  64. # universally unique identifier (UUID) to associate a parent with its differencing image
  65. #>68 ubequad x \b, id 0x%16.16llx
  66. #>76 ubequad x \b-%16.16llx
  67. # Saved State: 1~Saved State
  68. >84 ubyte !0 \b, State 0x%x
  69. # Reserved 427 bytes with nils
  70. #>85 ubequad !0 \b, Reserved 0x%16.16llx
  71. # From: Joerg Jenderek
  72. # URL: https://msdn.microsoft.com/en-us/library/mt740058.aspx
  73. # Reference: https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/
  74. # MS-VHDX/[MS-VHDX].pdf
  75. # Note: extends the VHD format with new capabilities, such as a 16TB maximum size
  76. # TODO: find and display values like virtual size, disk size, cluster_size, etc
  77. # display id in GUID format
  78. #
  # A description is printed only when both the "vhdxfile" identifier at offset 0
  # and the "head" signature at 64 KB are present.
  # The header and region-table CRC tests are commented out below, so a match
  # reflects signatures only, not integrity of the structures.
  79. # VHDX_FILE_IDENTIFIER signature 0x656C696678646876
  80. 0 string vhdxfile
  81. # VHDX_HEADER signature. 1 header is stored at offset 64KB and the other at 128KB
  82. >0x10000 string head Microsoft Disk Image eXtended
  83. #>0x20000 string head \b, 2nd header
  84. #!:mime application/x-virtualbox-vhdx
  85. !:ext vhdx
  86. # Creator[256] like "QEMU v3.0.0", "Microsoft Windows 6.3.9600.18512"
  # The creator text is free-form data from the image; it is not verified.
  87. >>8 lestring16 x \b, by %.256s
  88. # The Checksum field is a CRC-32C hash over the entire 4 KB structure
  89. #>>0x10004 ulelong x \b, CRC 0x%x
  90. # SequenceNumber
  91. >>0x10008 ulequad x \b, sequence 0x%llx
  92. # FileWriteGuid
  93. #>>0x10010 ubequad x \b, file id 0x%llx
  94. #>>>0x10018 ubequad x \b-%llx
  95. # DataWriteGuid
  96. #>>0x10020 ubequad x \b, data id 0x%llx
  97. #>>>0x10028 ubequad x \b-%llx
  98. # LogGuid. If this field is zero, then the log is empty or has no valid entries
  # NOTE(review): a "log id" / "LogVersion" in the output therefore means the
  # image carries log entries still to be replayed. Software that opens the
  # image may replay them and so modify the file - presumably relevant when the
  # image is evidence: hash it and work on a copy first.
  99. >>0x10030 ubequad >0 \b, log id 0x%llx
  100. >>>0x10038 ubequad x \b-%llx
  101. # LogVersion. If not 0 there is a log to replay
  102. >>0x10040 uleshort >0 \b, LogVersion 0x%x
  103. # Version. This field must be set to 1
  104. >>0x10042 uleshort !1 \b, Version 0x%x
  105. # LogLength must be multiples of 1 MB
  106. >>0x10044 ulelong/1048576 >1 \b, LogLength %u MB
  107. # LogOffset (normally 0x100000 when the log directly follows the header); multiples of 1 MB
  108. >>0x10048 ulequad !0x100000 \b, LogOffset 0x%llx
  109. # Log Entry Signature must be 0x65676F6C~loge
  # The tests below are indirect: they read at the offset stored in the
  # LogOffset field, i.e. at a location chosen by the image itself.
  110. >>(0x10048.q) ulelong !0x65676F6C \b, NO Log Signature
  111. >>(0x10048.q) ulelong =0x65676F6C \b; LOG
  112. # Log Entry Checksum
  113. #>>>(0x10048.q+4) ulelong x \b, Log CRC 0x%x
  114. # Log Entry Length must be a multiple of 4 KB
  115. >>>(0x10048.q+8) ulelong/1024 >4 \b, EntryLength %u KB
  116. # Log Entry Tail must be a multiple of 4 KB
  117. #>>>(0x10048.q+12) ulelong x \b, Tail 0x%x
  118. # Log Entry SequenceNumber
  119. #>>>(0x10048.q+16) ulequad x \b, # 0x%llx
  120. # Log Entry DescriptorCount may be zero. only 4 bytes in other docs instead of 8
  121. #>>>(0x10048.q+24) ulelong x \b, DescriptorCount 0x%llx
  122. # Log Entry Reserved must be set to 0
  123. >>>(0x10048.q+28) ulelong !0 \b, Reserved 0x%x
  124. # Log Entry LogGuid
  125. #>>>(0x10048.q+32) ubequad x \b, Log id 0x%llx
  126. #>>>(0x10048.q+40) ubequad x \b-%llx
  127. # Log Entry FlushedFileOffset should be the VHDX size when the entry is written.
  128. #>>>(0x10048.q+48) ulequad x \b, FlushedFileOffset %llu
  129. # Log Entry LastFileOffset
  130. #>>>(0x10048.q+56) ulequad x \b, LastFileOffset %llu
  131. # filling
  132. #>>>(0x10048.q+64) ulequad >0 \b, filling %llx
  133. # Reserved[4016]
  134. #>>0x10050 ulequad >0 \b, Reserved 0x%llx
  135. # VHDX_REGION_TABLE_HEADER Signature 0x69676572~regi at offset 192 KB and 256 KB
  # A missing signature is reported ("1st region INVALID" / "2nd region INVALID")
  # rather than silently ignored.
  136. >0x30000 ulelong !0x69676572 \b, 1st region INVALID
  137. >0x30000 ulelong =0x69676572 \b; region
  138. # region Checksum. CRC-32C hash over the entire 64-KB table
  139. #>>0x30004 ulelong x \b, CRC 0x%x
  140. # The EntryCount specifies number of valid entries; Found 2; This must be <= 2047.
  # Only the first two entries are decoded below, whatever count is stored.
  141. >>0x30008 ulelong x \b, %u entries
  142. # reserved must be zero
  143. #>>0x3000C ulelong !0 \b, RESERVED 0x%x
  144. # Region Table Entry starts with identifier for the object. often BAT id
  145. >>0x30010 use vhdx-id
  146. # FileOffset
  147. >>0x30020 ulequad x \b, at 0x%llx
  148. # Length. Specifies the length of the object within the file
  149. #>>0x30028 ulelong x \b, Length 0x%x
  150. # 1 means region entry is required. if region not recognized, then REFUSE to load VHDX
  151. >>0x3002C ulelong x \b, Required %u
  152. # 2nd region entry often metadata id
  153. >>0x30030 use vhdx-id
  154. # 2nd entry FileOffset
  155. >>0x30040 ulequad x \b, at 0x%llx
  156. # 1 means region entry is required. if region not recognized, then REFUSE to load VHDX
  157. >>0x3004C ulelong x \b, Required %u
  158. # 2nd region
  159. >>0x40000 ulelong !0x69676572 \b, 2nd region INVALID
  160. # check in vhdx images for known id and show names instead of hexadecimal
  # Named test, invoked with "use vhdx-id" on each region table entry of the
  # VHDX rule. It compares the 16 identifier bytes, read as two big-endian
  # quads, against the known values below and falls back to vhdx-id-hex.
  # The "GUID" and "ID" comment pairs show the same identifier in text form and
  # in stored byte order; the first three GUID fields appear byte-swapped in the
  # stored form.
  161. 0 name vhdx-id
  162. # https://www.windowstricks.in/online-windows-guid-converter
  163. # 2DC27766-F623-4200-9D64-115E9BFD4A08 BAT GUID
  164. # 6677C22D23F600429D64115E9BFD4A08 BAT ID
  165. >0 ubequad =0x6677C22D23F60042
  166. >>8 ubequad =0x9D64115E9BFD4A08 \b, id BAT
  167. # no BAT id
  # first half matched but second half did not: print the raw value instead
  168. >>8 default x
  169. >>>0 use vhdx-id-hex
  170. # 8B7CA206-4790-4B9A-B8FE-575F050F886E Metadata region GUID
  171. # 06A27C8B90479A4BB8FE575F050F886E Metadata region ID
  172. >0 ubequad =0x06A27C8B90479A4B
  173. >>8 ubequad =0xB8FE575F050F886E \b, id Metadata
  174. # no Metadata id
  175. >>8 default x
  176. >>>0 use vhdx-id-hex
  177. # 2FA54224-CD1B-4876-B211-5DBED83BF4B8 Virtual Disk Size GUID
  178. # 2442A52F1BCD7648B2115DBED83BF4B8 Virtual Disk Size ID
  179. # value "virtual size" can be verified by command `qemu-img info `
  180. >0 ubequad =0x2442A52F1BCD7648
  181. >>8 ubequad =0xB2115DBED83BF4B8 \b, id vsize
  182. # no Virtual Disk Size ID
  183. >>8 default x
  184. >>>0 use vhdx-id-hex
  185. # other ids
  # An identifier that matches none of the known first halves is still shown,
  # so an unrecognised region type is visible in the output.
  186. >0 default x
  187. >>0 use vhdx-id-hex
  188. # in vhdx images show id as hexadecimal
  # Named test used as the fallback of vhdx-id. The 16 bytes are printed as two
  # big-endian quads in stored byte order, so the output is not in the usual
  # GUID text form (the TODO in the VHDX rule mentions GUID display).
  189. 0 name vhdx-id-hex
  190. >0 ubequad x \b, ID 0x%16.16llx
  191. >8 ubequad x \b-%16.16llx
  192. #
  193. # libvirt
  194. # From: Philipp Hahn <hahn@univention.de>
  # Two signatures at offset 0 are recognised: a complete suspend image, for
  # which version, XML length and the running/compressed fields are decoded,
  # and a partial suspend image, which is reported by signature only.
  # "running" and "compressed" are printed only when the field equals 1.
  # NOTE(review): presumably the XML length refers to an embedded domain
  # definition followed by the saved guest state, i.e. guest memory - handle
  # such files as sensitive data; confirm against the libvirt documentation.
  195. 0 string LibvirtQemudSave Libvirt QEMU Suspend Image
  196. >0x10 lelong x \b, version %u
  197. >0x14 lelong x \b, XML length %u
  198. >0x18 lelong 1 \b, running
  199. >0x1c lelong 1 \b, compressed
  200. 0 string LibvirtQemudPart Libvirt QEMU partial Suspend Image
  201. # From: Alex Beregszaszi <alex@fsn.hu>
  # VMware disk images. "COWD" images are told apart by the byte at offset 4:
  # 3 prints three numeric fields, 2 ("undoable") prints a string at offset 32.
  # NOTE(review): the /b flag on string presumably forces the binary-file test;
  # see magic(5).
  202. 0 string/b COWD VMWare3
  203. >4 byte 3 disk image
  204. >>32 lelong x (%d/
  205. >>36 lelong x \b%d/
  206. >>40 lelong x \b%d)
  207. >4 byte 2 undoable disk image
  # The string at offset 32 is printed as stored in the file and is not validated.
  208. >>32 string >\0 (%s)
  # Both byte orders of the four-byte signature are accepted ("KDMV" is "VMDK"
  # reversed); no further header fields are read for these images.
  209. 0 string/b VMDK VMware4 disk image
  210. 0 string/b KDMV VMware4 disk image
  211. #--------------------------------------------------------------------
  212. # Qemu Emulator Images
  213. # Lines written by Friedrich Schwittay (f.schwittay@yousable.de)
  214. # Updated by Adam Buchbinder (adam.buchbinder@gmail.com)
  215. # Made by reading sources, reading documentation, and doing trial and error
  216. # on existing QCOW files
  # Matches the 4-byte signature "QFI\xFB" and then branches on the big-endian
  # version field at offset 4.
  217. 0 string/b QFI\xFB
  218. # Uncomment the following line to display Magic (only used for debugging
  219. # this magic number)
  220. #>0 string/b x , Magic: %s
  221. # Versions handled below: "1", "2" and "3"; anything else prints "(unknown version)".
  222. # https://www.gnome.org/~markmc/qcow-image-format-version-1.html
  223. >4 belong !1 QEMU QCOW2 Image
  224. >4 belong 1 QEMU QCOW Image (v1)
  225. # Using the existence of the Backing File Offset to determine whether
  226. # to read Backing File Information
  # NOTE(review): "has backing file" means the image refers to another file by
  # path. Software that opens the image will normally try to open that file as
  # well, so an image from an untrusted source that reports a backing file
  # deserves a closer look before it is handed to such a tool.
  227. >>12 belong >0 \b, has backing file (
  228. # Note that this isn't a null-terminated string; the length is actually
  229. # (16.L). Assuming a null-terminated string happens to work usually, but it
  230. # may spew junk until it reaches a \0 in some cases.
  # Both the offset used for the indirect read and the bytes printed come from
  # the image. The "path" text is therefore chosen by the image's author and may
  # contain arbitrary bytes; do not treat it as a validated filename or parse it
  # out of file(1) output to make a trust decision.
  231. >>>(12.L) string >\0 \bpath %s
  232. # Modification time of the Backing File
  233. # Really useful if you want to know if your backing
  234. # file is still usable together with this image
  235. >>>>20 bedate >0 \b, mtime %s)
  236. >>>>20 default x \b)
  237. # Size is stored in bytes in a big-endian u64.
  238. >>24 bequad x \b, %lld bytes
  239. # 1 for AES encryption, 0 for none.
  # Only the value 1 is reported; any other non-zero value prints nothing.
  240. >>36 belong 1 \b, AES-encrypted
  241. # https://www.gnome.org/~markmc/qcow-image-format.html
  242. >4 belong 2 (v2)
  243. # Using the existence of the Backing File Offset to determine whether
  244. # to read Backing File Information
  245. >>8 bequad >0 \b, has backing file
  246. # Note that this isn't a null-terminated string; the length is actually
  247. # (16.L). Assuming a null-terminated string happens to work usually, but it
  248. # may spew junk until it reaches a \0 in some cases. Also, since there's no
  249. # .Q modifier, we just use the bottom four bytes as an offset. Note that if
  250. # the file is over 4G, and the backing file path is stored after the first 4G,
  251. # the wrong filename will be printed. (This should be (8.Q), when that syntax
  252. # is introduced.)
  # NOTE(review): other rules in this file use quad indirect offsets, e.g.
  # (0x10048.q) in the VHDX rule, so the limitation described above looks
  # outdated - presumably (8.Q) is usable here; confirm against the file(1)
  # version in use.
  # As for v1, the printed path is data taken from the image and is not validated.
  253. >>>(12.L) string >\0 (path %s)
  254. >>24 bequad x \b, %lld bytes
  # NOTE(review): only crypt method 1 is reported. qcow2 is understood to define
  # further methods (2 for LUKS - confirm against the QEMU qcow2 specification),
  # so the absence of "AES-encrypted" does not show that an image is unencrypted.
  255. >>32 belong 1 \b, AES-encrypted
  256. >4 belong 3 (v3)
  257. # Using the existence of the Backing File Offset to determine whether
  258. # to read Backing File Information
  259. >>8 bequad >0 \b, has backing file
  260. # Note that this isn't a null-terminated string; the length is actually
  261. # (16.L). Assuming a null-terminated string happens to work usually, but it
  262. # may spew junk until it reaches a \0 in some cases. Also, since there's no
  263. # .Q modifier, we just use the bottom four bytes as an offset. Note that if
  264. # the file is over 4G, and the backing file path is stored after the first 4G,
  265. # the wrong filename will be printed. (This should be (8.Q), when that syntax
  266. # is introduced.)
  # The v3 tests repeat the v2 tests; the same caveats about the printed path,
  # the 32-bit offset and the encryption field apply.
  267. >>>(12.L) string >\0 (path %s)
  268. >>24 bequad x \b, %lld bytes
  269. >>32 belong 1 \b, AES-encrypted
  270. >4 default x (unknown version)
  # Signature-only rule: four bytes at offset 0, no further fields are read.
  # NOTE(review): a suspend image presumably holds saved guest state; treat it
  # as potentially sensitive - confirm against the QEMU documentation.
  271. 0 string/b QEVM QEMU suspend to disk image
  272. # QEMU QED Image
  273. # https://wiki.qemu.org/Features/QED/Specification
  # Signature-only rule as well; version, size and backing-file fields of the
  # QED header are not decoded here.
  274. 0 string/b QED\0 QEMU QED Image
  275. # VDI Image
  276. # Sun xVM VirtualBox Disk Image
  277. # From: Richard W.M. Jones <rich@annexia.org>
  278. # VirtualBox Disk Image
  # The signature is a little-endian 32-bit value at offset 0x40, not at the
  # start of the file; the bytes before it are printed as text further down.
  279. 0x40 ulelong 0xbeda107f VirtualBox Disk Image
  # major/minor are printed only when non-zero
  280. >0x44 uleshort >0 \b, major %u
  281. >0x46 uleshort >0 \b, minor %u
  # Text at offset 0 is shown as stored in the image; it is descriptive data
  # from the file and is not checked against the version fields above.
  282. >0 string >\0 (%s)
  283. >368 lequad x \b, %lld bytes
  # Bochs images: the text signature at offset 0 is followed by type and
  # subtype strings at offsets 32 and 48, printed as stored in the file.
  284. 0 string/b Bochs\ Virtual\ HD\ Image Bochs disk image,
  285. >32 string x type %s,
  286. >48 string x subtype %s
  # Sparse images are identified by a single 32-bit value at offset 0 and no
  # other field, so this is a weaker signature than the text one above.
  287. 0 lelong 0x02468ace Bochs Sparse disk image