dissect.hypervisor.descriptor.vmx

Module Contents

Classes

Attributes

- dissect.hypervisor.descriptor.vmx.HAS_PYSTANDALONE = True
- dissect.hypervisor.descriptor.vmx.HAS_PYCRYPTODOME = True
- dissect.hypervisor.descriptor.vmx.CIPHER_KEY_SIZES
- dissect.hypervisor.descriptor.vmx.HMAC_MAP
- dissect.hypervisor.descriptor.vmx.PASS2KEY_MAP

- class dissect.hypervisor.descriptor.vmx.VMX(attr: dict[str, str])
  - attr
  - property encrypted: bool
    Return whether this VMX is encrypted.

    Encrypted VMXs will have both an encryption.keySafe and an encryption.data value. The encryption.keySafe is a string encoded KeySafe, which is made up of key locators.

    For example:

    vmware:key/list/(pair/(phrase/phrase_id/phrase_content,hmac,data),pair/(.../...,...,...))

    A KeySafe must be a list of Pairs. Each Pair has a wrapped key, an HMAC type and encrypted data. How to unwrap a key is implementation specific. E.g. a phrase is just PBKDF2. The unwrapped key can be used to unlock the encrypted Pair data. This will contain the final encryption key to decrypt the data in encryption.data.

    So, in summary, to unseal a KeySafe:
    - Parse KeySafe
    - Iterate pairs
    - Unlock Pair
      - Unwrap key (e.g. Phrase)
      - Decrypt Pair data
    - Parse dictionary

    The terms for unwrapping, unlocking and unsealing are taken from VMware.
  - unlock_with_phrase(passphrase: str) -> None
    Unlock this VMX in-place with a passphrase if it's encrypted.

    This will load the KeySafe from the current dictionary and attempt to recover the encryption key from it using the given passphrase. This key is used to decrypt the encrypted VMX data.

    The dictionary is updated in-place with the encrypted VMX data.
  - disks() -> list[str]
    Return a list of paths to disk files.

- class dissect.hypervisor.descriptor.vmx.KeySafe(locators: list[Pair])
  - locators

- class dissect.hypervisor.descriptor.vmx.Pair(wrapped_key: Phrase, mac: str, data: bytes)
  - wrapped_key
  - mac
  - data
  - __repr__() -> str
  - has_phrase() -> bool
    Return whether this Pair is a Phrase pair.
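
The key locator layout shown under VMX.encrypted can be split into its pairs with a small nesting-aware parser. This is an added example, not code from dissect.hypervisor: PairLocator, split_top_level, unwrap_group and parse_keysafe are hypothetical names, the sample locator is constructed with placeholder field values, and only the structure visible in the example string above is assumed.

```python
from dataclasses import dataclass

PREFIX = "vmware:key/"  # scheme prefix taken from the example locator on this page
# Constructed sample: every field value is a placeholder, not real key material.
SAMPLE = "vmware:key/list/(pair/(phrase/ID1/CONTENT1,MAC1,DATA1),pair/(phrase/ID2/CONTENT2,MAC2,DATA2))"

@dataclass
class PairLocator:  # hypothetical container, not the library's Pair class
    wrap_type: str          # kind of wrapped key, e.g. "phrase"
    wrap_fields: list[str]  # for a phrase: phrase_id, phrase_content
    hmac: str               # HMAC type
    data: str               # encrypted Pair data, still encoded

def split_top_level(text: str) -> list[str]:
    """Split on commas that are not nested inside parentheses."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(text):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ')' in locator")
        elif ch == "," and depth == 0:
            parts.append(text[start:i])
            start = i + 1
    if depth != 0:
        raise ValueError("unbalanced '(' in locator")
    parts.append(text[start:])
    return parts

def unwrap_group(text: str, kind: str) -> str:
    """Return the body of 'kind/(...)' and reject any other shape."""
    head = kind + "/("
    if not (text.startswith(head) and text.endswith(")")):
        raise ValueError(f"expected {kind}/(...), got {text[:20]!r}")
    return text[len(head):-1]

def parse_keysafe(locator: str) -> list[PairLocator]:
    """Parse a key locator string into its list of pairs."""
    if not locator.startswith(PREFIX):
        raise ValueError("not a vmware:key locator")
    pairs = []
    for item in split_top_level(unwrap_group(locator[len(PREFIX):], "list")):
        fields = split_top_level(unwrap_group(item, "pair"))
        if len(fields) != 3:
            raise ValueError("a pair needs a wrapped key, an HMAC type and data")
        wrap_type, *wrap_fields = fields[0].split("/")
        pairs.append(PairLocator(wrap_type, wrap_fields, fields[1], fields[2]))
    return pairs
```

The parser stops at the "Parse KeySafe" and "Iterate pairs" steps of the summary; unwrapping and decrypting a pair are left to the library.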