2 #------------------------------------------------------------------------------
3 # $File: virtual,v 1.12 2020/02/15 01:20:15 christos Exp $
4 # From: James Nobis <quel@quelrod.net>
5 # Microsoft hard disk images for:
9 # URL: http://fileformats.archiveteam.org/wiki/VHD_(Virtual_Hard_Disk)
10 # Reference: https://download.microsoft.com/download/f/f/e/ffef50a5-07dd-4cf8-aaa3-442c0673a029/
11 # Virtual%20Hard%20Disk%20Format%20Spec_10_18_06.doc
12 0 string conectix Microsoft Disk Image, Virtual Server or Virtual PC
13 # alternative shorter names
14 #0 string conectix Microsoft Virtual Hard Disk image
15 #0 string conectix Microsoft Virtual HD image
16 !:mime application/x-virtualbox-vhd
18 # Features is a bit field used to indicate specific feature support
19 #>8 ubelong !0x00000002 \b, Features 0x%x
20 # Reserved. This bit must always be set to 1.
21 #>8 ubelong &0x00000002 \b, Reserved 0x%x
22 # File Format Version for the current specification 0x00010000
23 #>12 ubelong !0x00010000 \b, Version 0x%8.8x
24 # Data Offset only found 0x200
25 #>16 ubequad !0x200 \b, Data Offset 0x%llx
26 #>16 ubequad x \b, at 0x%llx
27 # Dynamic Disk Header cookie like cxsparse
28 #>(16.Q) string x "%-.8s"
29 # This field contains a Unicode string (UTF-16) of the parent hard disk filename
30 #>(16.Q+64) ubequad x \b, parent name 0x%llx
32 # vpc~Microsoft Virtual PC, vs~Microsoft Virtual Server, vbox~VirtualBox, d2v~disk2vhd
33 >28 string x \b, Creator %-4.4s
34 # Creator Version: 0x00010000~Virtual Server 2004, 0x00050000~Virtual PC 2004
35 # holds the major/minor version of the application that created the image
38 #>32 ubelong x \b, Version 0x%8.8x
39 # Creator Host OS: 0x5769326B~Windows (Wi2k), 0x4D616320~Macintosh (Mac)
41 >>36 ubelong 0x5769326B \bW2k
42 >>36 ubelong 0x4D616320 \bMac
44 >>>36 ubelong x \b%8.8x
45 # creation Time in seconds since 1 Jan 2000 UTC~946684800 sec. since Unix Epoch
46 >24 bedate+946684800 x \b) %s
48 #>40 ubequad x \b, o.-Size 0x%llx
49 # Current Size is same as original size, but change when disk is expanded
50 #>48 ubequad x \b, Size 0x%llx
51 >48 ubequad x \b, %llu bytes
52 # Disk Geometry: cylinder, heads, and sectors/track for hard disk
53 #>56 ubeshort x \b, Cylinder 0x%x
54 >56 ubeshort x \b, CHS %u
56 #>58 ubyte x \b, Heads 0x%x
59 #>59 ubyte x \b, Sectors 0x%x
61 # Disk Type: 3~Dynamic hard disk
62 >60 ubelong !0x3 \b, type 0x%x
64 #>64 ubelong x \b, cksum 0x%x
65 # universally unique identifier (UUID) to associate a parent with its differencing image
66 #>68 ubequad x \b, id 0x%16.16llx
67 #>76 ubequad x \b-%16.16llx
68 # Saved State: 1~Saved State
69 >84 ubyte !0 \b, State 0x%x
70 # Reserved 427 bytes with nils
71 #>85 ubequad !0 \b, Reserved 0x%16.16llx
73 # From: Joerg Jenderek
74 # URL: https://msdn.microsoft.com/en-us/library/mt740058.aspx
75 # Reference: https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/
76 # MS-VHDX/[MS-VHDX].pdf
77 # Note: extends the VHD format with new capabilities, such as a 16TB maximum size
78 # TODO: find and display values like virtual size, disk size, cluster_size, etc
79 # display id in GUID format
81 # VHDX_FILE_IDENTIFIER signature 0x656C696678646876
83 # VHDX_HEADER signature. 1 header is stored at offset 64KB and the other at 128KB
84 >0x10000 string head Microsoft Disk Image eXtended
85 #>0x20000 string head \b, 2nd header
86 #!:mime application/x-virtualbox-vhdx
88 # Creator[256] like "QEMU v3.0.0", "Microsoft Windows 6.3.9600.18512"
89 >>8 lestring16 x \b, by %.256s
90 # The Checksum field is a CRC-32C hash over the entire 4 KB structure
91 #>>0x10004 ulelong x \b, CRC 0x%x
93 >>0x10008 ulequad x \b, sequence 0x%llx
95 #>>0x10010 ubequad x \b, file id 0x%llx
96 #>>>0x10018 ubequad x \b-%llx
98 #>>0x10020 ubequad x \b, data id 0x%llx
99 #>>>0x10028 ubequad x \b-%llx
100 # LogGuid. If this field is zero, then the log is empty or has no valid entries
101 >>0x10030 ubequad >0 \b, log id 0x%llx
102 >>>0x10038 ubequad x \b-%llx
103 # LogVersion. If not 0 there is a log to replay
104 >>0x10040 uleshort >0 \b, LogVersion 0x%x
105 # Version. This field must be set to 1
106 >>0x10042 uleshort !1 \b, Version 0x%x
107 # LogLength must be multiples of 1 MB
108 >>0x10044 ulelong/1048576 >1 \b, LogLength %u MB
109 # LogOffset (normally 0x100000 when log direct after header); multiples of 1 MB
110 >>0x10048 ulequad !0x100000 \b, LogOffset 0x%llx
111 # Log Entry Signature must be 0x65676F6C~loge
112 >>(0x10048.q) ulelong !0x65676F6C \b, NO Log Signature
113 >>(0x10048.q) ulelong =0x65676F6C \b; LOG
115 #>>>(0x10048.q+4) ulelong x \b, Log CRC 0x%x
116 # Log Entry Length must be a multiple of 4 KB
117 >>>(0x10048.q+8) ulelong/1024 >4 \b, EntryLength %u KB
118 # Log Entry Tail must be a multiple of 4 KB
119 #>>>(0x10048.q+12) ulelong x \b, Tail 0x%x
120 # Log Entry SequenceNumber
121 #>>>(0x10048.q+16) ulequad x \b, # 0x%llx
122 # Log Entry DescriptorCount may be zero. only 4 bytes in other docs instead 8
123 #>>>(0x10048.q+24) ulelong x \b, DescriptorCount 0x%llx
124 # Log Entry Reserved must be set to 0
125 >>>(0x10048.q+28) ulelong !0 \b, Reserved 0x%x
127 #>>>(0x10048.q+32) ubequad x \b, Log id 0x%llx
128 #>>>(0x10048.q+40) ubequad x \b-%llx
129 # Log Entry FlushedFileOffset should VHDX size when entry is written.
130 #>>>(0x10048.q+48) ulequad x \b, FlushedFileOffset %llu
131 # Log Entry LastFileOffset
132 #>>>(0x10048.q+56) ulequad x \b, LastFileOffset %llu
134 #>>>(0x10048.q+64) ulequad >0 \b, filling %llx
136 #>>0x10050 ulequad >0 \b, Reserved 0x%llx
137 # VHDX_REGION_TABLE_HEADER Signature 0x69676572~regi at offset 192 KB and 256 KB
138 >0x30000 ulelong !0x69676572 \b, 1st region INVALID
139 >0x30000 ulelong =0x69676572 \b; region
140 # region Checksum. CRC-32C hash over the entire 64-KB table
141 #>>0x30004 ulelong x \b, CRC 0x%x
142 # The EntryCount specifies number of valid entries; Found 2; This must be =< 2047.
143 >>0x30008 ulelong x \b, %u entries
144 # reserved must be zero
145 #>>0x3000C ulelong !0 \b, RESERVED 0x%x
146 # Region Table Entry starts with identifier for the object. often BAT id
147 >>0x30010 use vhdx-id
149 >>0x30020 ulequad x \b, at 0x%llx
150 # Length. Specifies the length of the object within the file
151 #>>0x30028 ulelong x \b, Length 0x%x
152 # 1 means region entry is required. if region not recognized, then REFUSE to load VHDX
153 >>0x3002C ulelong x \b, Required %u
154 # 2nd region entry often metadata id
155 >>0x30030 use vhdx-id
156 # 2nd entry FileOffset
157 >>0x30040 ulequad x \b, at 0x%llx
158 # 1 means region entry is required. if region not recognized, then REFUSE to load VHDX
159 >>0x3004C ulelong x \b, Required %u
161 >>0x40000 ulelong !0x69676572 \b, 2nd region INVALID
162 # check in vhdx images for known id and show names instead hexadecimal
164 # https://www.windowstricks.in/online-windows-guid-converter
165 # 2DC27766-F623-4200-9D64-115E9BFD4A08 BAT GUID
166 # 6677C22D23F600429D64115E9BFD4A08 BAT ID
167 >0 ubequad =0x6677C22D23F60042
168 >>8 ubequad =0x9D64115E9BFD4A08 \b, id BAT
172 # 8B7CA206-4790-4B9A-B8FE-575F050F886E Metadata region GUID
173 # 06A27C8B90479A4BB8FE575F050F886E Metadata region ID
174 >0 ubequad =0x06A27C8B90479A4B
175 >>8 ubequad =0xB8FE575F050F886E \b, id Metadata
179 # 2FA54224-CD1B-4876-B211-5DBED83BF4B8 Virtual Disk Size GUID
180 # 2442A52F1BCD7648B2115DBED83BF4B8 Virtual Disk Size ID
181 # value "virtual size" can be verified by command `qemu-img info `
182 >0 ubequad =0x2442A52F1BCD7648
183 >>8 ubequad =0xB2115DBED83BF4B8 \b, id vsize
184 # no Virtual Disk Size ID
190 # in vhdx images show id as hexadecimal
192 >0 ubequad x \b, ID 0x%16.16llx
193 >8 ubequad x \b-%16.16llx
196 # From: Philipp Hahn <hahn@univention.de>
197 0 string LibvirtQemudSave Libvirt QEMU Suspend Image
198 >0x10 lelong x \b, version %u
199 >0x14 lelong x \b, XML length %u
200 >0x18 lelong 1 \b, running
201 >0x1c lelong 1 \b, compressed
203 0 string LibvirtQemudPart Libvirt QEMU partial Suspend Image
204 # From: Alex Beregszaszi <alex@fsn.hu>
205 0 string/b COWD VMWare3
210 >4 byte 2 undoable disk image
213 0 string/b VMDK VMware4 disk image
214 0 string/b KDMV VMware4 disk image
216 #--------------------------------------------------------------------
217 # Qemu Emulator Images
218 # Lines written by Friedrich Schwittay (f.schwittay@yousable.de)
219 # Updated by Adam Buchbinder (adam.buchbinder@gmail.com)
220 # Made by reading sources, reading documentation, and doing trial and error
221 # on existing QCOW files
224 # Uncomment the following line to display Magic (only used for debugging
226 #>0 string/b x , Magic: %s
228 # There are currently 2 Versions: "1" and "2".
229 # https://www.gnome.org/~markmc/qcow-image-format-version-1.html
230 >4 belong !1 QEMU QCOW2 Image
231 >4 belong 1 QEMU QCOW Image (v1)
233 # Using the existence of the Backing File Offset to determine whether
234 # to read Backing File Information
235 >>12 belong >0 \b, has backing file (
236 # Note that this isn't a null-terminated string; the length is actually
237 # (16.L). Assuming a null-terminated string happens to work usually, but it
238 # may spew junk until it reaches a \0 in some cases.
239 >>>(12.L) string >\0 \bpath %s
241 # Modification time of the Backing File
242 # Really useful if you want to know if your backing
243 # file is still usable together with this image
244 >>>>20 bedate >0 \b, mtime %s)
247 # Size is stored in bytes in a big-endian u64.
248 >>24 bequad x \b, %lld bytes
250 # 1 for AES encryption, 0 for none.
251 >>36 belong 1 \b, AES-encrypted
253 # https://www.gnome.org/~markmc/qcow-image-format.html
255 # Using the existence of the Backing File Offset to determine whether
256 # to read Backing File Information
257 >>8 bequad >0 \b, has backing file
258 # Note that this isn't a null-terminated string; the length is actually
259 # (16.L). Assuming a null-terminated string happens to work usually, but it
260 # may spew junk until it reaches a \0 in some cases. Also, since there's no
261 # .Q modifier, we just use the bottom four bytes as an offset. Note that if
262 # the file is over 4G, and the backing file path is stored after the first 4G,
263 # the wrong filename will be printed. (This should be (8.Q), when that syntax
265 >>>(12.L) string >\0 (path %s)
266 >>24 bequad x \b, %lld bytes
267 >>32 belong 1 \b, AES-encrypted
270 # Using the existence of the Backing File Offset to determine whether
271 # to read Backing File Information
272 >>8 bequad >0 \b, has backing file
273 # Note that this isn't a null-terminated string; the length is actually
274 # (16.L). Assuming a null-terminated string happens to work usually, but it
275 # may spew junk until it reaches a \0 in some cases. Also, since there's no
276 # .Q modifier, we just use the bottom four bytes as an offset. Note that if
277 # the file is over 4G, and the backing file path is stored after the first 4G,
278 # the wrong filename will be printed. (This should be (8.Q), when that syntax
280 >>>(12.L) string >\0 (path %s)
281 >>24 bequad x \b, %lld bytes
282 >>32 belong 1 \b, AES-encrypted
284 >4 default x (unknown version)
286 0 string/b QEVM QEMU suspend to disk image
289 # https://wiki.qemu.org/Features/QED/Specification
290 0 string/b QED\0 QEMU QED Image
293 # Sun xVM VirtualBox Disk Image
294 # From: Richard W.M. Jones <rich@annexia.org>
295 # VirtualBox Disk Image
296 0x40 ulelong 0xbeda107f VirtualBox Disk Image
297 >0x44 uleshort >0 \b, major %u
298 >0x46 uleshort >0 \b, minor %u
300 >368 lequad x \b, %lld bytes
302 0 string/b Bochs\ Virtual\ HD\ Image Bochs disk image,
303 >32 string x type %s,
304 >48 string x subtype %s
306 0 lelong 0x02468ace Bochs Sparse disk image
projects / FreeBSD / FreeBSD.git / blob