Skip to content

Velocidex/go-vhdx

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
bin
bin
 
 
parser
parser
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 

Repository files navigation

VHDX Parser

Based on documentation from https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-vhdx/83e061f8-f6e2-4de1-91bd-5d518a43d477

This parser is used by Velociraptor's vhdx accessor. Example of use in VQL:

SELECT OSPath.Path AS OSPath, Size, Mode.String
FROM glob(
  globs="*", accessor="raw_ntfs", root=pathspec(
     Path="/",
     DelegateAccessor="offset",
     DelegatePath=pathspec(
         Path="/65536",
         DelegateAccessor="vhdx",
         DelegatePath="/tmp/test.vhdx")))

Testing locally

There is a small tool that allows inspection of the VHDX volume:

The following will print some information about internal data structures and metadata.

govhdx parse test.vhdx

The following will dump the image into stdout and redirect to a flat dd file.

govhdx cat test.vhdx > test.dd

About

A library to parse VHDX files

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages