EIP=0x41414141

hacking, reversing and other stuff

Dec 31, 2021 - 2 minute read - dfir desinfect vhdx AV

Vhdx on Desinfect

I recently had the case that I wanted to scan an image of a virtualized domain controller (DC) with desinfect. I got the VHDX image of the virtualized DC on an NTFS formatted hard drive.

In this article I will explain how to use desinfect with VHDX images of virtual hosts.

install required software on desinfect

Two software packages are required: qemu-utils and nbd-client. The first one is already present in desinfect, the second one needs to be installed manually. You can download the Debian package of nbd-client from https://packages.ubuntu.com/focal/nbd-client; choose the variant for the CPU architecture you are using, usually amd64.

For amd64 you can download and install the nbd-client package as follows (wget takes the file name from the URL; the curl-style flags `-O -J` would make wget save the package under the name `-J` instead):

cd ~/Downloads
wget http://de.archive.ubuntu.com/ubuntu/pool/universe/n/nbd/nbd-client_3.20-1_amd64.deb
sudo dpkg -i nbd-client_3.20-1_amd64.deb

Download the mount and umount scripts

You have two options to download the vhdx mount and umount scripts: either you use git, as explained in the following section, or you download them from the raw gist manually, as explained in the section after that. In both cases make sure the scripts are executable before you run them (wget does not set the executable bit).

using git

cd ~/Downloads
git clone https://gist.github.com/86cc5ba5dfbb694d7ccf675d735541b7.git vhdx_mount

manual download

mkdir -p ~/Downloads/vhdx_mount
cd ~/Downloads/vhdx_mount
wget https://gist.githubusercontent.com/scusi/86cc5ba5dfbb694d7ccf675d735541b7/raw/0fbeb531caa4f4f7bd1b4c91bd9b1f444cbe2769/mount_vhdx.sh
wget https://gist.githubusercontent.com/scusi/86cc5ba5dfbb694d7ccf675d735541b7/raw/0fbeb531caa4f4f7bd1b4c91bd9b1f444cbe2769/unmount_vhdx.sh
chmod +x mount_vhdx.sh unmount_vhdx.sh

mount the hard drive with the VHDX images

I assume a few things for the following example:

  • the partition that contains the VHDX images is /dev/sdd1 in your system.
  • that partition has an NTFS filesystem
  • the mount point you mount it to is /mnt/my_drive.

Adjust these assumptions to your actual device, filesystem and mount point.

sudo mkdir -p /mnt/my_drive
sudo mount -t ntfs /dev/sdd1 /mnt/my_drive

mount the VHDX image

sudo mkdir -p /mnt/vhdx_mountpoint
sudo ~/Downloads/vhdx_mount/mount_vhdx.sh /mnt/my_drive/my_vhdx_image.vhdx /mnt/vhdx_mountpoint

scan the VHDX image or parts thereof

Now you can start a normal scan of the contents of the mounted VHDX image or a part thereof: choose to scan a folder and navigate to /mnt/vhdx_mountpoint or any directory underneath it. Keep in mind that the scanners in desinfect can clean, quarantine or delete what they find; if the image must stay untouched for later analysis, scan a copy of the VHDX file or make sure the mount is read-only.
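For readers who want to see what the mount and umount steps above do under the hood, here is an added example of my own, not the scripts from the gist the article uses: it attaches the VHDX read-only through qemu-nbd (from qemu-utils), finds the first NTFS partition, mounts it read-only and tears everything down again. It assumes the nbd kernel module is available, that `blkid` and `partprobe` are installed, and that it runs as root; the script name `vhdx_ro.sh`, the function names and the sample files in the test are my own choices.

```sh
#!/bin/sh
# Added example (not the gist scripts the article uses): attach a VHDX image
# read-only via qemu-nbd, mount one of its partitions, and tear it down again.
# Assumes: qemu-utils (qemu-nbd), the nbd kernel module, blkid and partprobe,
# and that it runs as root. The helper names are my own.
set -eu

# Cheap sanity check before touching any block device: a VHDX file starts
# with the 8-byte ASCII signature "vhdxfile".
is_vhdx() {
    [ -r "$1" ] || return 1
    [ "$(dd if="$1" bs=8 count=1 2>/dev/null)" = "vhdxfile" ]
}

# Pick the first nbd device with nothing attached (sysfs reports size 0).
free_nbd() {
    local dev
    for dev in /sys/class/block/nbd*; do
        [ -r "$dev/size" ] || continue
        if [ "$(cat "$dev/size")" = "0" ]; then
            echo "/dev/${dev##*/}"
            return 0
        fi
    done
    echo "no free /dev/nbdN device (is the nbd module loaded?)" >&2
    return 1
}

# Print the first partition of DEV that carries an NTFS filesystem.
first_ntfs_part() {
    local p
    for p in "$1"p*; do
        [ -b "$p" ] || continue
        if [ "$(blkid -o value -s TYPE "$p" 2>/dev/null)" = "ntfs" ]; then
            echo "$p"
            return 0
        fi
    done
    echo "no NTFS partition on $1; run 'lsblk $1' and pass a partition number" >&2
    return 1
}

# vhdx_mount IMAGE MOUNTPOINT [PARTNO]
# Prints the nbd device it used; you need it again for vhdx_umount.
vhdx_mount() {
    local image="$1" mountpoint="$2" partno="${3:-}" dev part
    is_vhdx "$image" || { echo "$image: not a VHDX file" >&2; return 1; }
    # max_part>0 is needed for the ${dev}pN partition nodes; if nbd was
    # already loaded without it, 'rmmod nbd' first.
    modprobe nbd max_part=16
    dev=$(free_nbd)
    # --read-only: neither the scanner nor a slip of the hand can write into the image.
    qemu-nbd --read-only --format=vhdx --connect="$dev" "$image"
    partprobe "$dev" 2>/dev/null || true
    udevadm settle 2>/dev/null || true
    if [ -n "$partno" ]; then
        part="${dev}p${partno}"
    elif ! part=$(first_ntfs_part "$dev"); then
        qemu-nbd --disconnect "$dev" >/dev/null
        return 1
    fi
    mkdir -p "$mountpoint"
    if ! mount -o ro "$part" "$mountpoint"; then
        qemu-nbd --disconnect "$dev" >/dev/null
        return 1
    fi
    echo "$dev"
}

# vhdx_umount MOUNTPOINT NBDDEV
vhdx_umount() {
    umount "$1"
    qemu-nbd --disconnect "$2" >/dev/null
}

case "${1:-}" in
    mount)  vhdx_mount "${2:?IMAGE}" "${3:?MOUNTPOINT}" "${4:-}" ;;
    umount) vhdx_umount "${2:?MOUNTPOINT}" "${3:?NBDDEV}" ;;
    *)      echo "usage: $0 mount IMAGE MOUNTPOINT [PARTNO] | umount MOUNTPOINT NBDDEV" >&2 ;;
esac
```

With the paths from the article, `sudo ./vhdx_ro.sh mount /mnt/my_drive/my_vhdx_image.vhdx /mnt/vhdx_mountpoint` prints the nbd device it attached (for example /dev/nbd0), and `sudo ./vhdx_ro.sh umount /mnt/vhdx_mountpoint /dev/nbd0` undoes it after the scan. Because both the nbd attachment and the mount are read-only, the scanners cannot alter the image even if you let them clean findings.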

[Screenshot: desinfect folder selection dialog, choosing the folder to scan]

happy hunting with desinfect!