[File] [PATCH] of Magdir/virtual for Microsoft Disk Image eXtended (*.vhdx)

Christos Zoulas christos at zoulas.com
Sat Dec 15 19:00:26 UTC 2018 

On Dec 15,  6:00pm, joerg.jen.der.ek at gmx.net (=?UTF-8?Q?J=c3=b6rg_Jenderek?=) wrote:
-- Subject: [File] [PATCH] of Magdir/virtual for Microsoft Disk Image eXtende

| Hello,
| 
| some days ago i run the file command 5.35 on my disc images. Disc images
| with name extension vhdx are described only as "data".
| 
| VHDX (Virtual Hard Disk v2) is the successor format to VHD. So i add new
| lines in Magdir/virtual after VHD entry. On microsoft servers
| information about that file format can be found. So i add reference URL
| to document [MS-VHDX].pdf with date 9/12/2018 and with title "Virtual
| Hard Disk v2 (VHDX) File Format".
| 
| According to Microsoft documentation such images start with the
| VHDX_FILE_IDENTIFIER signature 0x656C696678646876. This becomes first
| magic line:
|  0	string			vhdxfile
| To distinguish disc image from ASCII text starting with phrase
| "vhdxfile" i look for more characteristics. According to docs header
| part is stored at offset 64KB and at 128KB. These start with VHDX_HEADER
| signature "head". This now used as
|  >0x10000	string		head	Microsoft Disk Image eXtended
| 
| Afterwards the name of the creator of the VHDX file is stored as
| UTF-16. So names like "QEMU v3.0.0", "Microsoft Windows 6.3.9600.18512"
| are also shown by line
|  >>8		lestring16		x	\b, by %.256s
| 
| Second field in header part is a CRC-32C hash over the entire 4 KB
| structure. So i add line like
|  #>>0x10004	ulelong			x	\b, CRC 0x%x
| Because this information is not so useful for "normal" users i add this
| as a comment line. I also handle other field in the same way.
| 
| Luckily now newer file versions support quad pointers. So it is possible
| to peek inside the Log Entry section. To check for the existence of log
| entry look for signature value (0x65676F6C~loge) by lines:
|  >>(0x10048.q)	ulelong			!0x65676F6C \b, NO Log Signature
|  >>(0x10048.q)	ulelong			=0x65676F6C \b; LOG
| 
| I tried to get the value for the virtual size of image, which is also
| shown by command like `qemu-img info`. This is stored as VirtualDiskSize
| by Virtual Disk Size GUID at different offsets. Unfortunately i am not
| smart enough to program this part. From region section get info to jump
| to metadata section. I can do this step. Then in metadata Table look for
| the entry with wanted GUID. Yes i can do this. Now get value by looking
| at offset relative to beginning of metadata. There i fail. May be
| another person is clever to do this.
| So i keep first steps starting with displayed phrase "region". But this
| information is normally not of interest for users.
| 
| After applying the above mentioned modifications by patch
| file-5.35-virtual-vhdx.diff then all such disk images are described by
| Magdir/virtual like:
| 
| Esp.vhdx:
| 	Microsoft Disk Image eXtended,
| 	by Microsoft Windows 6.3.9600.18512, sequence 0x14;
| 	LOG; region, 2 entries,
| 	id BAT, at 0x300000, Required 1,
| 	id Metadata, at 0x200000, Required 1
| qemu16MB-dynamic.vhdx:
| 	Microsoft Disk Image eXtended,
| 	by QEMU v3.0.0, sequence 0x1993d0b2,
| 	NO Log Signature; region, 2 entries,
| 	id BAT, at 0x200000, Required 0,
| 	id Metadata, at 0x300000, Required 0
| qemu16MB-fixed.vhdx:
| 	Microsoft Disk Image eXtended,
| 	by QEMU v3.0.0, sequence 0x9897bc4c,
| 	NO Log Signature; region, 2 entries,
| 	id BAT, at 0x200000, Required 0,
| 	id Metadata, at 0x300000, Required 0
| qemu24MB-logsize2M.vhdx:
| 	Microsoft Disk Image eXtended,
| 	by QEMU v3.0.0, sequence 0x675f22b0,
| 	LogLength 2 MB, NO Log Signature; region, 2 entries,
| 	id BAT, at 0x300000, Required 0,
| 	id Metadata, at 0x400000, Required 0
| \VM\FISCH_C.VHDX:
| 	Microsoft Disk Image eXtended,
| 	by d2v, sequence 0xa;
| 	LOG; region, 2 entries,
| 	id Metadata, at 0x200000, Required 1,
| 	id BAT, at 0x300000, Required 1
| \temp\vhdx24mb.vhdx:
| 	Microsoft Disk Image eXtended,
| 	by Microsoft Windows 6.3.9600.18512, sequence 0x8;
| 	LOG; region, 2 entries,
| 	id BAT, at 0x300000, Required 1,
| 	id Metadata, at 0x200000, Required 1
| 
| I hope my diff file can be applied in future version of
| file utility.

Thank you, committed.

christos

More information about the File mailing list