Hi! Is it possible to read the MBR of an image and to store it inside a file? (If you want to know what I really want to do: Creating a report on all contents of an vm image. [1] [2] Create the image on two different machines, compare them and see, that there are no important differences besides temporary files.) Cheers, adrelanos [1] https://github.com/Whonix/Whonix/issues/113 [2] https://github.com/Whonix/Whonix/blob/master/release/analyze_image
On Fri, Nov 22, 2013 at 01:58:24PM +0000, adrelanos wrote:> Hi! > > Is it possible to read the MBR of an image and to store it inside a file?Yes, easily :-) guestfish --ro -a disk.img run : pread-device /dev/sda 512 0 > mbr This will work for any format of disk. Of course for a raw format disk this is just a slower way of reading the first 512 bytes from the raw file. Since what you want are simply virtual sectors from a disk image, it could be quicker to use qemu-io. Something like this: qemu-io -c 'read -v 0 512' disk.img (Unfortunately the format returned by qemu-io is a hexdump which is not exactly useful ... I can't work out how to get it to dump the raw bytes but there may be a way.)> (If you want to know what I really want to do: > Creating a report on all contents of an vm image. [1] [2] Create the > image on two different machines, compare them and see, that there are > no important differences besides temporary files.) > > Cheers, > adrelanos > > [1] https://github.com/Whonix/Whonix/issues/113 > [2] https://github.com/Whonix/Whonix/blob/master/release/analyze_imageYou might also want to take a look at virt-ls (although that *only* compares files, not the other data outside the filesystem): http://libguestfs.org/virt-ls.1.html#differences-in-snapshots-and-backing-files I keep meaning to write a comprehensive "virt-diff" tool. I needed it myself just yesterday. Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones libguestfs lets you edit virtual machines. Supports shell scripting, bindings from many languages. http://libguestfs.org
what about just using dd? dd if=disk.img of=mbr bs=512b count=1 On Fri, 2013-11-22 at 16:24 +0000, Richard W.M. Jones wrote:> On Fri, Nov 22, 2013 at 01:58:24PM +0000, adrelanos wrote: > > Hi! > > > > Is it possible to read the MBR of an image and to store it inside a file? > > Yes, easily :-) > > guestfish --ro -a disk.img run : pread-device /dev/sda 512 0 > mbr > > This will work for any format of disk. Of course for a raw format > disk this is just a slower way of reading the first 512 bytes from the > raw file. > > Since what you want are simply virtual sectors from a disk image, it > could be quicker to use qemu-io. Something like this: > > qemu-io -c 'read -v 0 512' disk.img > > (Unfortunately the format returned by qemu-io is a hexdump which is > not exactly useful ... I can't work out how to get it to dump the raw > bytes but there may be a way.) > > > (If you want to know what I really want to do: > > Creating a report on all contents of an vm image. [1] [2] Create the > > image on two different machines, compare them and see, that there are > > no important differences besides temporary files.) > > > > Cheers, > > adrelanos > > > > [1] https://github.com/Whonix/Whonix/issues/113 > > [2] https://github.com/Whonix/Whonix/blob/master/release/analyze_image > > You might also want to take a look at virt-ls (although that *only* > compares files, not the other data outside the filesystem): > > http://libguestfs.org/virt-ls.1.html#differences-in-snapshots-and-backing-files > > I keep meaning to write a comprehensive "virt-diff" tool. I needed it > myself just yesterday. > > Rich. >-- ---------------------------------------------------------------------------- Jason A. Kates (jason@kates.org) Fax: 208-975-1514 Phone: 660-960-0070 ============================================================================
adrelanos
2013-Nov-22 17:56 UTC
[Libguestfs] Auditing a vm image - virt-diff - was: Read MBR and store in a file?
Thank you all for your suggestions! Richard W.M. Jones:> I keep meaning to write a comprehensive "virt-diff" tool. I needed it > myself just yesterday.Most interesting. I guess there are two reasons for creating such a tool: just compare the images (show the diff) and/or check for malicious additions in the other image. Did you consider implementing the former or both? Do you think it's realistic to compare vm images with the goal of eventually finding deliberately hard to detect (malicious) changes? At the moment I am not trying to write a virt-diff like tool, but something simpler. A tool to create a report of all of a vm image's contents. (Checksums for all files, filesystem, for MBR and Volume Boot Record.) When publishing VM images, it might be useful to publish such a report together with the image, so others who re-build from source can be certain, they ended up with a very similar image. When having created two such reports, one could easily get a virt-diff like tool.> although that *only* > compares files, not the other data outside the filesystemWhat other data can there be outside the filesystem? I can think of: - MBR - Volume Boot Record Anything else? If these have been compared, the compared image should be as safe to use as the original one? (I could imagine that there can be extra data outside filesystem, maybe in regions outside the partition table, but those data shouldn't get executed after starting the image in a VM.) Cheers, adrelanos
Possibly Parallel Threads
- Re: Auditing a vm image - virt-diff - was: Read MBR and store in a file?
- Read MBR and store in a file?
- Re: Auditing a vm image - virt-diff - was: Read MBR and store in a file?
- hivexml - Flattened vs. Expanded XML
- Re: [PATCH 2/3] added icat API to retrieve deleted or inaccessible files