PaulDotCom mailing list archives

Re: accessing unallocated VM disk areas


From: Robin Wood <robin () digininja org>
Date: Mon, 29 Apr 2013 22:28:58 +0100

On 29 April 2013 18:48, Spectre 03 <spectre03 () gmail com> wrote:

Robin can you clarify what disk type your target is?

Any, don't mind. I was just wondering.


For VMDK format the answer is in the spec, but likely is also somewhat
implementation specific. For VMDKs the spec calls out "Extents" that would
be used (which basically amount to each extent being a file in multi file
configurations) and each extent is responsible for its own range of data
based on its offset from the anchor file. So if I look at a VM built with
my VMware install it creates files for the entire disk. I have several of
the low numbered files that are 1.xGb but many are ~300K in size with an
odd 1.7Gb in the middle of the ~300K files. So the extents are already
defined and would appear to be allowed arbitrary write without filling the
disk.

The Spec says in what is known as a sparse extent that data storage space
is not allocated in advance and instead is allocated as needed. A sparse
extent is also supposed to keep track of whether or not data is represented
within the extent. I haven't looked, but that would tell me that there is
some sort of allocation table in each extent.


Could you explain what that means in relation to my question? If I try to
read from the last sector of the disk and that hasn't been allocated yet
what do I get back? If I try to write to it, in your example, would the
file jump from 300K to 2G (assuming that is the block size) so that it
covers the last sector or would the data just get added onto the end of the
300K and get mapped in as necessary?

Robin



On Mon, Apr 29, 2013 at 4:09 AM, Robin Wood <robin () digininja org> wrote:

I had this random thought last night that I don't have time to test out
so was wondering if anyone else knew the answer...

When you create a disk in VirtualBox it lets you create it as a
dynamically growing one so that the file on host disk starts small but
grows as you write more data into it from the guest. If in the guest you
try to read areas of the disk which have not yet been created, for example
by using dd to clone the whole disk, what do you get from the areas which
haven't yet been created?

I'd guess it would be either nulls or random stuff but just wondering. I
could lab it up but don't have time at the moment.

What if you use direct disk write to write to the last sector? Does the
whole disk then get created on the host or does it do some smart
allocation? Or does it just crash?

Does VMware behave the same? Could checking this space be a way to try to
identify if you are in a VM? I know there are other, better, ways but the
more options you have the better.

Robin

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
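
An added example, not part of the thread and not VMware's or VirtualBox's code: a sketch of the per-extent "allocation table" lookup discussed above, useful when examining a disk image to see which guest sectors are actually backed by data. It assumes the hosted sparse extent layout from VMware's published VMDK specification (header, grain directory, grain tables), assumes no parent disk so an unallocated grain reads as zeros, and ignores the optional zeroed-grain marker; the sample image and its tiny grain sizes are constructed for illustration.

```python
import struct

SECTOR = 512
MAGIC = 0x564D444B  # stored little-endian, so the file starts with b"KDMV"
# Header fields up to overHead, packed little-endian: magic, version, flags,
# capacity, grainSize, descriptorOffset, descriptorSize, numGTEsPerGT,
# rgdOffset, gdOffset, overHead (all offsets and sizes are in sectors).
HDR = struct.Struct("<IIIQQQQIQQQ")

def build_sample_extent():
    """Constructed extent: 16 guest sectors, 4-sector grains, only grain 1 stored."""
    grain_size, gtes_per_gt = 4, 4
    gd_off, gt_off, data_off = 1, 2, 3  # sector offsets inside the extent file
    hdr = HDR.pack(MAGIC, 1, 0, 16, grain_size, 0, 0, gtes_per_gt, 0, gd_off, data_off)
    img = hdr.ljust(SECTOR, b"\0")
    img += struct.pack("<I", gt_off).ljust(SECTOR, b"\0")              # grain directory
    img += struct.pack("<4I", 0, data_off, 0, 0).ljust(SECTOR, b"\0")  # grain table
    img += b"A" * (grain_size * SECTOR)                                # the one stored grain
    return img

def read_sector(img, lba):
    """Return (allocated, data) for one guest sector of a sparse extent."""
    (magic, _ver, _flags, capacity, grain_size, _doff, _dsize,
     gtes_per_gt, _rgd, gd_off, _overhead) = HDR.unpack_from(img, 0)
    if magic != MAGIC:
        raise ValueError("not a sparse extent (bad magic)")
    if not 0 <= lba < capacity:
        raise ValueError("sector outside extent capacity")
    grain = lba // grain_size
    # Grain directory entry: sector offset of the grain table covering this grain.
    gde = struct.unpack_from("<I", img, gd_off * SECTOR + 4 * (grain // gtes_per_gt))[0]
    if gde == 0:
        return False, bytes(SECTOR)
    # Grain table entry: sector offset of the grain's data, 0 if never written.
    gte = struct.unpack_from("<I", img, gde * SECTOR + 4 * (grain % gtes_per_gt))[0]
    if gte == 0:
        return False, bytes(SECTOR)
    off = (gte + lba % grain_size) * SECTOR
    return True, img[off:off + SECTOR]

def allocated_sectors(img):
    """List the guest sectors that are backed by stored data."""
    capacity = HDR.unpack_from(img, 0)[3]
    return [lba for lba in range(capacity) if read_sector(img, lba)[0]]

if __name__ == "__main__":
    sample = build_sample_extent()
    print(len(sample), "bytes on host for", 16 * SECTOR, "guest bytes")
    print("allocated guest sectors:", allocated_sectors(sample))
```

In the constructed image the extent file is smaller than the guest-visible capacity, and the last guest sector resolves to an empty grain table entry rather than to any offset in the file.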


