dissect.hypervisor.descriptor.vmx

Module Contents

Classes

VMX

KeySafe

Pair

Phrase

Attributes

HAS_PYSTANDALONE

HAS_PYCRYPTODOME

CIPHER_KEY_SIZES

HMAC_MAP

PASS2KEY_MAP

dissect.hypervisor.descriptor.vmx.HAS_PYSTANDALONE = True
dissect.hypervisor.descriptor.vmx.HAS_PYCRYPTODOME = True
dissect.hypervisor.descriptor.vmx.CIPHER_KEY_SIZES
dissect.hypervisor.descriptor.vmx.HMAC_MAP
dissect.hypervisor.descriptor.vmx.PASS2KEY_MAP
class dissect.hypervisor.descriptor.vmx.VMX(attr: dict[str, str])
attr
classmethod parse(string: str) VMX

Parse a VMX dictionary from a string.

property encrypted: bool

Return whether this VMX is encrypted.

Encrypted VMXs will have both a encryption.keySafe and encryption.data value. The encryption.keySafe is a string encoded KeySafe, which is made up of key locators.

For example:

vmware:key/list/(pair/(phrase/phrase_id/phrase_content,hmac,data),pair/(.../...,...,...))

A KeySafe must be a list of Pairs. Each Pair has a wrapped key, an HMAC type and encrypted data. It’s implementation specific how to unwrap a key. E.g. a phrase is just PBKDF2. The unwrapped key can be used to unlock the encrypted Pair data. This will contain the final encryption key to decrypt the data in encryption.data.

So, in summary, to unseal a KeySafe:

  • Parse KeySafe

  • Iterate pairs

  • Unlock Pair

  • Unwrap key (e.g. Phrase)

  • Decrypt Pair data

  • Parse dictionary

The terms for unwrapping, unlocking and unsealing are taken from VMware.

unlock_with_phrase(passphrase: str) None

Unlock this VMX in-place with a passphrase if it’s encrypted.

This will load the KeySafe from the current dictionary and attempt to recover the encryption key from it using the given passphrase. This key is used to decrypt the encrypted VMX data.

The dictionary is updated in-place with the encrypted VMX data.

disks() list[str]

Return a list of paths to disk files

class dissect.hypervisor.descriptor.vmx.KeySafe(locators: list[Pair])
locators
unseal_with_phrase(passphrase: str) bytes

Unseal this KeySafe with a passphrase and return the decrypted key.

classmethod from_text(text: str) KeySafe

Parse a KeySafe from a string.

class dissect.hypervisor.descriptor.vmx.Pair(wrapped_key: Phrase, mac: str, data: bytes)
wrapped_key
mac
data
__repr__() str
has_phrase() bool

Return whether this Pair is a Phrase pair.

unlock(*args, **kwargs) bytes

Helper method to unlock this Pair for various wrapped keys.

Currently only supports Phrase.

unlock_with_phrase(passphrase: str) bytes

Unlock this Pair with a passphrase and return the decrypted data.

class dissect.hypervisor.descriptor.vmx.Phrase(id: str, pass2key: str, cipher: str, rounds: int, salt: bytes)
id
pass2key
cipher
rounds
salt
__repr__() str
unwrap(passphrase: str) bytes

Unwrap/generate the encryption key for a given passphrase.

VMware calls this unwrapping, but really it’s a KDF with the properties of this Phrase.