VMware Disk Access

I’m sure we’ve all used VM backup utilities that allow access to base VMDKs for backups. There are a couple of ways this works. Hotadd just attaches a snapshotted disk to a backup proxy, which then reads the base disk; you can back up by block or by file this way. There are a couple of other ways as well: NBD reads the disk over the network from the ESXi host, and NFC does the same. Ok, “so what” you may be saying. Well, I had an idea about agentless antivirus in AVS. Of course we don’t allow that: the customer does not have the required permissions to enable guest introspection except for use with the NSX-T Identity Firewall. After some quick digging in the VMware Virtual Disk Development Kit I found a sample application that mounts a disk over NBD to another endpoint. So I pulled that up and found that with three commands you can get the disk mounted. The executable is in the /vmware-vix-disklib-distrib/doc/samples/diskLib directory.

export LD_LIBRARY_PATH=<DOWNLOADPATH>/vmware-vix-disklib-distrib/lib64
./vixMntapiSample -mount -host <VCENTER IP/FQDN> -user "<USERNAME>" -password "<PASSWORD>" -mode nbd -vm "moref=<VM-XXXX>" -thumb <VC CERT THUMB> "[DSNAME] folder/file.vmdk"

These two commands tell the OS where to find the application’s libraries and then give it all the vSphere details of the disk to mount. After running them the disks will be mounted under the path reported in the output of the second command, somewhere in /tmp/vmware. You will need to open another shell, as the application waits for input before unmounting the disks. Once mounted you can read all the contents of the drive, so you can do a block backup of the device, a file backup, or read whatever else you want from the disk. Now, in AVS you can’t use NBD either, so while cool this doesn’t solve my problem. But you can use hotadd: take a snapshot of the disk, add the base disk as an independent non-persistent disk to the existing VM, do what you need, and remove the disk from the VM. Hopefully I’ll have a github link with some examples soon.
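The hotadd sequence just described, as an added PowerCLI example (this is not the author’s code and not the examples the post promises): record the base disk paths, snapshot the source VM, attach the base disks read-only to a proxy VM, scan, then detach and delete the snapshot. The server, VM names and the $ScanInProxy callback are assumptions; the callback stands in for whatever scanner runs inside the proxy guest.

```powershell
# Added example, not the author's code. Assumes PowerCLI is installed and the
# proxy VM runs on a host that can reach the source VM's datastore.
# $ScanInProxy is a hypothetical callback (e.g. an Invoke-VMScript that rescans
# the SCSI bus, mounts the new device read-only and runs the AV scanner).
param(
    [Parameter(Mandatory)] [string] $Server,
    [Parameter(Mandatory)] [string] $SourceVM,
    [Parameter(Mandatory)] [string] $ProxyVM,
    [scriptblock] $ScanInProxy = { param($proxy) Write-Host "scan $($proxy.Name) here" }
)

Connect-VIServer -Server $Server | Out-Null
$src   = Get-VM -Name $SourceVM
$proxy = Get-VM -Name $ProxyVM

# Record the base VMDK paths BEFORE snapshotting: once a snapshot exists,
# Get-HardDisk reports the delta (-00000N.vmdk) files, not the base disks.
$baseDisks = Get-HardDisk -VM $src | Select-Object -ExpandProperty Filename

$snap = $null
$attached = @()
try {
    # The snapshot freezes the base disks; the source VM keeps writing to deltas,
    # so the scan sees a consistent, unchanging image.
    $snap = New-Snapshot -VM $src -Name "av-scan-$(Get-Date -Format yyyyMMdd-HHmmss)" `
                         -Quiesce:$false -Memory:$false

    foreach ($path in $baseDisks) {
        # IndependentNonPersistent: the proxy's writes go to a redo log that is
        # discarded on detach, so the scan can never modify the source disk.
        $attached += New-HardDisk -VM $proxy -DiskPath $path -Persistence IndependentNonPersistent
    }

    & $ScanInProxy $proxy
}
finally {
    # Detach WITHOUT -DeletePermanently: that switch would delete the source VM's
    # disk files. Always clean up, even if the scan threw.
    foreach ($d in $attached) { Remove-HardDisk -HardDisk $d -Confirm:$false }
    if ($snap) { Remove-Snapshot -Snapshot $snap -Confirm:$false }
    Disconnect-VIServer -Server $Server -Confirm:$false
}
```

The snapshot and the attached disks are removed in the finally block so a failed scan does not leave a stale snapshot growing on the source VM.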

Of course AV scanning the filesystem this way has many limitations and isn’t the same as an in-guest, agent-based solution, but for this use case it seemed to be the closest I could come.

While doing this I thought this would be a great patent idea. Unfortunately for me, Microsoft already had a patent for AV scanning of VM snapshots: https://patents.google.com/patent/US8011010B2/en. So while not novel, it is definitely something to work on since we own the patent.
