xref: /dragonfly/contrib/file/magic/Magdir/virtual (revision 739f0ef867128a933e021db3d831e906fcafd825)
1
2#------------------------------------------------------------------------------
3# $File: virtual,v 1.17 2022/08/23 08:00:54 christos Exp $
4# From: James Nobis <quel@quelrod.net>
5# Microsoft hard disk images for:
6# Virtual Server
7# Virtual PC
8# VirtualBox
9# URL: http://fileformats.archiveteam.org/wiki/VHD_(Virtual_Hard_Disk)
10# Reference: https://download.microsoft.com/download/f/f/e/ffef50a5-07dd-4cf8-aaa3-442c0673a029/
11# Virtual%20Hard%20Disk%20Format%20Spec_10_18_06.doc
120         string    conectix  Microsoft Disk Image, Virtual Server or Virtual PC
13# alternative shorter names
14#0        string    conectix  Microsoft Virtual Hard Disk image
15#0        string    conectix  Microsoft Virtual HD image
16!:mime    application/x-virtualbox-vhd
17!:ext   vhd
18# Features is a bit field used to indicate specific feature support
19#>8       ubelong             !0x00000002         \b, Features %#x
20# Reserved. This bit must always be set to 1.
21#>8       ubelong             &0x00000002         \b, Reserved %#x
22# File Format Version for the current specification 0x00010000
23#>12      ubelong             !0x00010000         \b, Version %#8.8x
24# Data Offset only found 0x200
25#>16      ubequad             !0x200              \b, Data Offset %#llx
26#>16      ubequad             x                   \b, at %#llx
27# Dynamic Disk Header cookie like cxsparse
28#>(16.Q)  string              x                   "%-.8s"
29# This field contains a Unicode string (UTF-16) of the parent hard disk filename
30#>(16.Q+64)         ubequad   x                   \b, parent name %#llx
31# Creator Application
32# vpc~Microsoft Virtual PC, vs~Microsoft Virtual Server, vbox~VirtualBox, d2v~disk2vhd
33>28       string              x                   \b, Creator %-4.4s
34# Creator Version: 0x00010000~Virtual Server 2004, 0x00050000~Virtual PC 2004
35# holds the major/minor version of the application that created the image
36>32       ubeshort  x                   %x
37>34       ubeshort  x                   \b.%x
38#>32      ubelong             x                   \b, Version %#8.8x
39# Creator Host OS: 0x5769326B~Windows (Wi2k), 0x4D616320~Macintosh (Mac)
40>36       ubelong             x                   (
41>>36      ubelong             0x5769326B          \bW2k
42>>36      ubelong             0x4D616320          \bMac
43>>36      default             x                   \b0x
44>>>36     ubelong             x                   \b%8.8x
45# creation Time in seconds since 1 Jan 2000 UTC~946684800 sec. since Unix Epoch
46>24       bedate+946684800    x         \b) %s
47# Original Size
48#>40      ubequad             x                   \b, o.-Size %#llx
49# Current Size is same as original size, but change when disk is expanded
50#>48      ubequad             x                   \b, Size %#llx
51>48       ubequad             x                   \b, %llu bytes
52# Disk Geometry: cylinder, heads, and sectors/track for hard disk
53#>56      ubeshort  x                   \b, Cylinder %#x
54>56       ubeshort  x                   \b, CHS %u
55# Heads
56#>58      ubyte               x                   \b, Heads %#x
57>58       ubyte               x                   \b/%u
58# Sectors per track
59#>59      ubyte               x                   \b, Sectors %#x
60>59       ubyte               x                   \b/%u
61# Disk Type: 3~Dynamic hard disk
62>60       ubelong             !0x3                \b, type %#x
63# Checksum
64#>64      ubelong             x                   \b, cksum %#x
65# universally unique identifier (UUID) to associate a parent with its differencing image
66#>68      ubequad             x                   \b, id %#16.16llx
67#>76      ubequad             x                   \b-%16.16llx
68# Saved State: 1~Saved State
69>84       ubyte               !0                  \b, State %#x
70# Reserved 427 bytes with nils
71#>85      ubequad   !0                            \b, Reserved %#16.16llx
72
73# From: Joerg Jenderek
74# URL: https://msdn.microsoft.com/en-us/library/mt740058.aspx
75# Reference: https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/
76# MS-VHDX/[MS-VHDX].pdf
77# Note: extends the VHD format with new capabilities, such as a 16TB maximum size
78# TODO:   find and display values like virtual size, disk size, cluster_size, etc
79#         display id in GUID format
80#
81# VHDX_FILE_IDENTIFIER signature 0x656C696678646876
820         string                        vhdxfile
83# VHDX_HEADER signature. 1 header is stored at offset 64KB and the other at 128KB
84>0x10000  string              head                Microsoft Disk Image eXtended
85#>0x20000 string                        head      \b, 2nd header
86#!:mime   application/x-virtualbox-vhdx
87!:ext     vhdx
88# Creator[256] like "QEMU v3.0.0", "Microsoft Windows 6.3.9600.18512"
89>>8                 lestring16                    x         \b, by %.256s
90# The Checksum field is a CRC-32C hash over the entire 4 KB structure
91#>>0x10004          ulelong                       x         \b, CRC %#x
92# SequenceNumber
93>>0x10008 ulequad                       x         \b, sequence %#llx
94# FileWriteGuid
95#>>0x10010          ubequad                       x         \b, file id %#llx
96#>>>0x10018         ubequad                       x         \b-%llx
97# DataWriteGuid
98#>>0x10020          ubequad                       x         \b, data id %#llx
99#>>>0x10028         ubequad                       x         \b-%llx
100# LogGuid. If this field is zero, then the log is empty or has no valid entries
101>>0x10030 ubequad                       >0        \b, log id %#llx
102>>>0x10038          ubequad                       x         \b-%llx
103# LogVersion. If not 0 there is a log to replay
104>>0x10040 uleshort            >0        \b, LogVersion %#x
105# Version. This field must be set to 1
106>>0x10042 uleshort            !1        \b, Version %#x
107# LogLength must be multiples of 1 MB
108>>0x10044 ulelong/1048576               >1        \b, LogLength %u MB
109# LogOffset (normally 0x100000 when log direct after header); multiples of 1 MB
110>>0x10048 ulequad                       !0x100000 \b, LogOffset %#llx
111# Log Entry Signature must be 0x65676F6C~loge
112>>(0x10048.q)       ulelong                       !0x65676F6C \b, NO Log Signature
113>>(0x10048.q)       ulelong                       =0x65676F6C         \b; LOG
114# Log Entry Checksum
115#>>>(0x10048.q+4)   ulelong             x         \b, Log CRC %#x
116# Log Entry Length must be a multiple of 4 KB
117>>>(0x10048.q+8)    ulelong/1024        >4        \b, EntryLength %u KB
118# Log Entry Tail must be a multiple of 4 KB
119#>>>(0x10048.q+12)  ulelong             x         \b, Tail %#x
120# Log Entry SequenceNumber
121#>>>(0x10048.q+16)  ulequad             x         \b, # %#llx
122# Log Entry DescriptorCount may be zero. only 4 bytes in other docs instead 8
123#>>>(0x10048.q+24)  ulelong             x         \b, DescriptorCount %#llx
124# Log Entry Reserved must be set to 0
125>>>(0x10048.q+28)   ulelong             !0        \b, Reserved %#x
126# Log Entry LogGuid
127#>>>(0x10048.q+32)  ubequad             x         \b, Log id %#llx
128#>>>(0x10048.q+40)  ubequad             x         \b-%llx
129# Log Entry FlushedFileOffset should VHDX size when entry is written.
130#>>>(0x10048.q+48)  ulequad             x         \b, FlushedFileOffset %llu
131# Log Entry LastFileOffset
132#>>>(0x10048.q+56)  ulequad             x         \b, LastFileOffset %llu
133# filling
134#>>>(0x10048.q+64)  ulequad             >0        \b, filling %llx
135# Reserved[4016]
136#>>0x10050          ulequad                       >0        \b, Reserved %#llx
137# VHDX_REGION_TABLE_HEADER Signature 0x69676572~regi at offset 192 KB and 256 KB
138>0x30000  ulelong                       !0x69676572 \b, 1st region INVALID
139>0x30000  ulelong                       =0x69676572 \b; region
140# region Checksum. CRC-32C hash over the entire 64-KB table
141#>>0x30004          ulelong                       x         \b, CRC %#x
142# The EntryCount specifies number of valid entries; Found 2; This must be =< 2047.
143>>0x30008 ulelong                       x         \b, %u entries
144# reserved must be zero
145#>>0x3000C          ulelong                       !0        \b, RESERVED %#x
146# Region Table Entry starts with identifier for the object. often BAT id
147>>0x30010 use                           vhdx-id
148# FileOffset
149>>0x30020 ulequad             x                   \b, at %#llx
150# Length. Specifies the length of the object within the file
151#>>0x30028          ulelong             x                   \b, Length %#x
152# 1 means region entry is required. if region not recognized, then REFUSE to load VHDX
153>>0x3002C ulelong             x                   \b, Required %u
154# 2nd region entry often metadata id
155>>0x30030 use                           vhdx-id
156# 2nd entry FileOffset
157>>0x30040 ulequad             x                   \b, at %#llx
158# 1 means region entry is required. if region not recognized, then REFUSE to load VHDX
159>>0x3004C ulelong             x                   \b, Required %u
160# 2nd region
161>>0x40000 ulelong             !0x69676572         \b, 2nd region INVALID
162# check in vhdx images for known id and show names instead hexadecimal
1630         name                vhdx-id
164# https://www.windowstricks.in/online-windows-guid-converter
165# 2DC27766-F623-4200-9D64-115E9BFD4A08            BAT GUID
166# 6677C22D23F600429D64115E9BFD4A08                BAT ID
167>0        ubequad             =0x6677C22D23F60042
168>>8       ubequad             =0x9D64115E9BFD4A08 \b, id BAT
169# no BAT id
170>>8       default             x
171>>>0      use                 vhdx-id-hex
172# 8B7CA206-4790-4B9A-B8FE-575F050F886E            Metadata region GUID
173# 06A27C8B90479A4BB8FE575F050F886E                Metadata region ID
174>0        ubequad             =0x06A27C8B90479A4B
175>>8       ubequad             =0xB8FE575F050F886E \b, id Metadata
176# no Metadata id
177>>8       default             x
178>>>0      use                 vhdx-id-hex
179# 2FA54224-CD1B-4876-B211-5DBED83BF4B8            Virtual Disk Size GUID
180# 2442A52F1BCD7648B2115DBED83BF4B8                Virtual Disk Size ID
181# value "virtual size" can be verified by command `qemu-img info `
182>0        ubequad             =0x2442A52F1BCD7648
183>>8       ubequad             =0xB2115DBED83BF4B8 \b, id vsize
184# no Virtual Disk Size ID
185>>8       default             x
186>>>0      use                 vhdx-id-hex
187# other ids
188>0        default             x
189>>0       use                 vhdx-id-hex
190# in vhdx images show id as hexadecimal
1910         name                vhdx-id-hex
192>0        ubequad             x                             \b, ID %#16.16llx
193>8        ubequad             x                             \b-%16.16llx
194#
195# libvirt
196# From: Philipp Hahn <hahn@univention.de>
1970         string    LibvirtQemudSave    Libvirt QEMU Suspend Image
198>0x10     lelong    x         \b, version %u
199>0x14     lelong    x         \b, XML length %u
200>0x18     lelong    1         \b, running
201>0x1c     lelong    1         \b, compressed
202
2030         string    LibvirtQemudPart    Libvirt QEMU partial Suspend Image
204# From: Alex Beregszaszi <alex@fsn.hu>
2050         string/b  COWD                VMWare3
206>4        byte      3                   disk image
207>>32      lelong    x                   (%d/
208>>36      lelong    x                   \b%d/
209>>40      lelong    x                   \b%d)
210>4        byte      2                   undoable disk image
211>>32      string    >\0                 (%s)
212
2130         string/b  VMDK                 VMware4 disk image
2140         string/b  KDMV                 VMware4 disk image
215
216#--------------------------------------------------------------------
217# Qemu Emulator Images
218# Lines written by Friedrich Schwittay (f.schwittay@yousable.de)
219# Updated by Adam Buchbinder (adam.buchbinder@gmail.com)
220# Made by reading sources, reading documentation, and doing trial and error
221# on existing QCOW files
2220         string/b  QFI\xFB   QEMU QCOW Image
223!:mime    application/x-qemu-disk
224
225# Uncomment the following line to display Magic (only used for debugging
226# this magic number)
227#>0       string/b  x         , Magic: %s
228
229# There are currently 2 Versions: "1" and "2".
230# https://www.gnome.org/~markmc/qcow-image-format-version-1.html
231>4        belong              x         (v%d)
232
233# Using the existence of the Backing File Offset to determine whether
234# to read Backing File Information
235>>12      belong     >0        \b, has backing file (
236# Note that this isn't a null-terminated string; the length is actually
237# (16.L). Assuming a null-terminated string happens to work usually, but it
238# may spew junk until it reaches a \0 in some cases.
239>>>(12.L)  string >\0         \bpath %s
240
241# Modification time of the Backing File
242# Really useful if you want to know if your backing
243# file is still usable together with this image
244>>>>20    bedate >0 \b, mtime %s)
245>>>>20    default x \b)
246
247# Size is stored in bytes in a big-endian u64.
248>>24      bequad    x          \b, %lld bytes
249
250# 1 for AES encryption, 0 for none.
251>>36      belong    1         \b, AES-encrypted
252
253# https://www.gnome.org/~markmc/qcow-image-format.html
254>4        belong    2         (v2)
255# Using the existence of the Backing File Offset to determine whether
256# to read Backing File Information
257>>8       bequad  >0           \b, has backing file
258# Note that this isn't a null-terminated string; the length is actually
259# (16.L). Assuming a null-terminated string happens to work usually, but it
260# may spew junk until it reaches a \0 in some cases. Also, since there's no
261# .Q modifier, we just use the bottom four bytes as an offset. Note that if
262# the file is over 4G, and the backing file path is stored after the first 4G,
263# the wrong filename will be printed. (This should be (8.Q), when that syntax
264# is introduced.)
265>>>(12.L)  string >\0         (path %s)
266>>24      bequad    x         \b, %lld bytes
267>>32      belong    1         \b, AES-encrypted
268
269>4        belong    3         (v3)
270# Using the existence of the Backing File Offset to determine whether
271# to read Backing File Information
272>>8       bequad  >0           \b, has backing file
273# Note that this isn't a null-terminated string; the length is actually
274# (16.L). Assuming a null-terminated string happens to work usually, but it
275# may spew junk until it reaches a \0 in some cases. Also, since there's no
276# .Q modifier, we just use the bottom four bytes as an offset. Note that if
277# the file is over 4G, and the backing file path is stored after the first 4G,
278# the wrong filename will be printed. (This should be (8.Q), when that syntax
279# is introduced.)
280>>>(12.L)  string >\0         (path %s)
281>>24      bequad    x         \b, %lld bytes
282>>32      belong    1         \b, AES-encrypted
283
284>4        default x (unknown version)
285
2860         string/b  QEVM                QEMU suspend to disk image
287
288# QEMU QED Image
289# https://wiki.qemu.org/Features/QED/Specification
2900         string/b  QED\0               QEMU QED Image
291
292# VDI Image
293# Sun xVM VirtualBox Disk Image
294# From: Richard W.M. Jones <rich@annexia.org>
295# VirtualBox Disk Image
2960x40      ulelong             0xbeda107f          VirtualBox Disk Image
297>0x44     uleshort  >0                  \b, major %u
298>0x46     uleshort  >0                  \b, minor %u
299>0        string              >\0                 (%s)
300>368      lequad              x                    \b, %lld bytes
301
3020         string/b  Bochs\ Virtual\ HD\ Image     Bochs disk image,
303>32       string    x                                       type %s,
304>48       string    x                                       subtype %s
305
3060         lelong    0x02468ace                              Bochs Sparse disk image
307
308