People who were considering this issue drank and still have not commented or answered, so I did a little work.
We got the following conclusions (which ultimately answer my question):
1. When creating a XXX GB virtual hard disk with a VMware file (.VMDK file), it can be one of two types: flat or sparse (they can also be divided into several .VMDK files, but I did not consider them in my research).
- flat = all hard disk space (XXX GB) is allocated once during creation.
The .VMDK file size on the disk is XXX GB.
- sparse = the file on the hard disk is consumed (up to XXX GB).
The .VMDK file size is small at the beginning and grows if necessary.
As I said in my question in the additional info, both .VMDK were sparse .
2. As mentioned in the question, the MBR is at the beginning of the first sector of the physical hard disk , and I wondered where it is in the .VMDK file and how VMware calculates it.
It turns out that on a flat .VMDK file, it is also at the beginning of the first sector!
This is a pretty direct introduction when you look at them ... but mine were not flat. So what happens in rare .vmdk? where is the mbr?
The 3.sparse.vmdk file has a different structure (for a detailed structure, you can read the VMware virtual disk specification with an emphasis on struct SparseExtentHeader.
Could not find the logic of how MBR \ first sector is calculated, but as far as I saw (explained in 5 how I got to it), it looks like this:
@ .VMDK offset 0x38 - 0x3F (8 bytes in length) sits gdOffset.it stores the offset (****) of metadata.
The first 4 bytes of metadata are the next offset (****) to go to.
There, the next 4 bytes are the offset (****) of the MBR .
(****) means displacement in sectors. for example 1 means offset 512, 2 means 1024, etc.
To summarize everything, it looks like this:
Say, "data stored at offsets 0x38-0x3F (8 bytes in length)", as [(0x38): 8].
Then,
MBR Offset = 512 X [(512 X [(512 X [(0x38): 8]): 4]): 4]
4. I created 2 new VMs (Windows xp and Linux) with sparse .VMDK, and this method of calculating MBR also showed itself to both of them (as you can see in the attached images in 7).
5. How did I get to this formula?
Using SysInternal Process Monitor when filtering:
-Process contains vmware
-Operation - CreateFile \ ReadFile
-Path contains <.vmdk file path>
I got every .vmdk read (and it is biased).
I looked where he reads the MBR offset (on Linux, I knew that the offset was 0x2A0000), and what he already read before. Jumped to the offsets, which looked as if they would help me understand what was happening there .. and they certainly did :)
6. What I did not explain is why the MBR in the xp system in my original question was a strange bias (which cannot be divided by 512).
Well, to be honest, I donβt have a complete reason, but I forgot to mention that before MBR checks I removed the original MBR from this system and powered up the virtual machine. He asked me if I want to run windows normally, and only then did he appear at a strange bias (copied it there for backup or something else). The strange thing here is that I could not find this MBR at normal offset. I had some progress, but no solid answer.
If anyone knows, feel free to comment (:
7. Attached Images:
