ArsenalRecon / Arsenal-Image-Mounter

Arsenal Image Mounter mounts the contents of disk images as complete disks in Microsoft Windows.
https://ArsenalRecon.com/weapons/image-mounter

Unable to mount multiple VMDK disks sequentially with aim_cli.exe on Windows Server 2022 #44

Closed Gregus1998 closed 6 months ago

Gregus1998 commented 6 months ago

aim_cli version: 3.11.279.0
driver version: 1.2.14.73

Command line: `.\aim_cli.exe --mount --readonly --provider=DiscUtils --filename={path}`

aim_cli is used to mount multiple disk image formats, including .vmdk, raw (dd) and E01.

A problem occurs if you try to mount multiple disks sequentially without unmounting the previous disks:

  1. aim_cli.exe gives the disk a physical location (`\\?\PhysicalDriveN`)
  2. The partition(s) on the disk are not visible to the Windows OS
  3. Windows does detect the partition on the disk and cannot assign it a drive letter.

Is this a known issue?

LTRData commented 6 months ago

Normally, this should not be a problem. But there are a few scenarios where it could happen. One such case is if your images are not images of complete disks with partitions but rather images of individual partitions. Windows does not handle more than one such mounted disk very well and strange things tend to happen.

Another case is if you have policies set to not automatically online disks and mount file systems, but this is probably not the case here.

Any chance you have images that you could share that show this behavior? If so, we could take a look and see what exactly is going on and if there is something we might need to fix or if there are other workarounds available.

Gregus1998 commented 6 months ago

We have done some more tests to confirm the issue.

We do have the following setup:

We are able to mount each file individually. We are unable to mount both files at the same time if we only use "aim_cli.exe". If we use "arsenal_image_mounter.exe" the images will be mounted correctly, and each partition gets assigned a drive letter.

We can share the images - Is it possible to get an upload location?

Following is the output from the tests.

We did the following steps:

  1. Mount TMP-yggdrasil-evidence-machine.vmdk with aim_cli.exe
  2. Check partitions with diskpart
  3. Mount yggdrasil-evidence-machine.vmdk with aim_cli.exe
  4. Check partitions with diskpart

```
PS E:\**\Arsenal-Image-Mounter-v3.11.279\Arsenal-Image-Mounter-v3.11.279> .\aim_cli --mount --filename=E:\**\TMP-yggdrasil-evidence-machine.vmdk --provider=DiscUtils --readonly
Opening image file 'E:\**\TMP-yggdrasil-evidence-machine.vmdk' with format provider 'DiscUtils'...
Image virtual size is 125.0 GB
Mounting as virtual disk...
Device number 000000
Device is \\?\PhysicalDrive4

Contains volume \\?\Volume{6d957e9d-d30e-40e1-ba3c-0295879e8413}\
Contains volume \\?\Volume{b4712457-fb7c-47c8-9ee1-4b4de283d226}\
  Mounted at I:\
Contains volume \\?\Volume{079421d5-3c70-448f-958e-3d80b61edd14}\
Virtual disk created. Press Ctrl+C to remove virtual disk and exit.
```

```
PS C:\Windows\system32> diskpart

Microsoft DiskPart version 10.0.20348.1

Copyright (C) Microsoft Corporation.
On computer: **

DISKPART> list disk

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online         1024 GB  1024 KB        *
  Disk 1    Online            8 TB  1024 KB        *
  Disk 2    Online         1863 GB      0 B        *
  Disk 3    Online         3726 GB      0 B        *
  Disk 4    Online          125 GB      0 B        *

DISKPART> select disk 4

Disk 4 is now the selected disk.

DISKPART> list partition

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Recovery           300 MB  1024 KB
  Partition 2    System             100 MB   301 MB
  Partition 3    Reserved           128 MB   401 MB
  Partition 4    Primary            124 GB   529 MB

DISKPART>
```

--------------------------------------------------------------------------

```
PS E:\**\tools\Arsenal-Image-Mounter-v3.11.279\Arsenal-Image-Mounter-v3.11.279> .\aim_cli --mount --filename=E:\**\yggdrasil-evidence-machine.vmdk
Opening image file 'E:\**\yggdrasil-evidence-machine.vmdk' with format provider 'DiscUtils'...
Image virtual size is 125.0 GB
Mounting as virtual disk...
Device number 000100
Device is \\?\PhysicalDrive5

Virtual disk created. Press Ctrl+C to remove virtual disk and exit.
```

```
PS C:\Windows\system32> diskpart

Microsoft DiskPart version 10.0.20348.1

Copyright (C) Microsoft Corporation.
On computer: **

DISKPART> list disk

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online         1024 GB  1024 KB        *
  Disk 1    Online            8 TB  1024 KB        *
  Disk 2    Online         1863 GB      0 B        *
  Disk 3    Online         3726 GB      0 B        *
  Disk 4    Online          125 GB      0 B        *
  Disk 5    Online          125 GB   125 GB

DISKPART> select disk 5

Disk 5 is now the selected disk.

DISKPART> list partition

There are no partitions on this disk to show.
```

LTRData commented 6 months ago

Oh, now I understand better what is happening here. Those images probably have the same disk id, and Windows cannot have two disks with the same id online at the same time. (Disk id refers to the disk signature for MBR and the disk GUID for GPT.) If you manually online the second one using diskpart or Disk Management, Windows will automatically assign a new id. A side effect of that is that it invalidates records in the boot BCD, so the disk will no longer boot without further modifications. It also means that for MBR disks, links such as mount points containing volume IDs derived from the disk id become invalid and no longer work. Therefore, Windows does not do this automatically.

The AIM GUI application, however, does this automatically anyway, because it handles a lot of things like this automatically; for instance, it also automatically modifies the BCD if you select to launch a VM from the image afterwards, and similar. The AIM command line application, on the other hand, is designed to do fewer modifying tasks automatically and instead behave as when physical disks are attached to the system. You can manually select to online the disk afterwards using, for example, diskpart, which will modify the disk id and bring the second disk online with a newly generated id inserted into the MBR or GPT.
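
The check and the workaround described in the comment above, as an added PowerShell example that is not part of this thread or of the Arsenal Image Mounter project. It assumes an elevated PowerShell with the Storage module (`Get-Disk`) available, that the second image has already been attached by aim_cli in another window, and the function names `Get-DiskIdentity`, `Find-DiskIdCollision` and `Repair-DiskIdCollision` are my own. It first lists the id Windows uses for uniqueness (GPT disk GUID or MBR signature) for every attached disk, reports any id shared by two disks (the situation in the reproduction: two disks of 125 GB, the second with no visible partitions), and, only on request, onlines the newer disk through diskpart so that Windows writes a fresh id into its header.

```powershell
# Added example (not the issue author's nor the AIM project's own code).
# Run in an elevated PowerShell after aim_cli has attached the images.

function Get-DiskIdentity {
    # One record per attached disk with the identifier Windows compares when
    # deciding whether two disks collide: GPT disk GUID or MBR 32-bit signature.
    Get-Disk | ForEach-Object {
        $id = switch ($_.PartitionStyle) {
            'GPT' { $_.Guid }
            'MBR' { '{0:X8}' -f $_.Signature }
            default { $null }            # RAW disks have no id to collide on
        }
        [pscustomobject]@{
            Number  = $_.Number
            Style   = $_.PartitionStyle
            Id      = $id
            Status  = $_.OperationalStatus
            Offline = $_.IsOffline
            Reason  = $_.OfflineReason    # 'Collision' when Windows itself kept it offline
            SizeGB  = [math]::Round($_.Size / 1GB, 1)
        }
    }
}

function Find-DiskIdCollision {
    param([Parameter(Mandatory)][object[]]$Disks)
    # Group the disks by id; any id carried by more than one disk is a collision.
    $Disks | Where-Object { $_.Id } | Group-Object Id | Where-Object Count -gt 1 |
        ForEach-Object {
            [pscustomobject]@{ Id = $_.Name; DiskNumbers = @($_.Group.Number | Sort-Object) }
        }
}

function Repair-DiskIdCollision {
    param([Parameter(Mandatory)][int]$DiskNumber)
    # 'online disk' on a colliding disk makes Windows generate and write a new
    # disk id into the MBR/GPT header, exactly the manual step the comment
    # describes. This is a write to the disk: the BCD and any MBR volume-id
    # based mount points inside the image stop matching afterwards, and it
    # can only succeed if the virtual disk accepts writes (for an evidence
    # image, point a write overlay at a scratch file rather than unmounting
    # --readonly; check aim_cli's help text for the option your build offers).
    $script = "select disk $DiskNumber`nonline disk`nexit`n"
    $tmp = Join-Path $env:TEMP ("aim-online-disk{0}.txt" -f $DiskNumber)
    Set-Content -Path $tmp -Value $script -Encoding ASCII
    try   { diskpart.exe /s $tmp }
    finally { Remove-Item $tmp -ErrorAction SilentlyContinue }
}

# Usage: list ids, report collisions, and (with -Fix) online the newest disk
# of each colliding pair, leaving the first-mounted disk's id untouched.
param([switch]$Fix)

$disks = Get-DiskIdentity
$disks | Format-Table -AutoSize

$collisions = Find-DiskIdCollision -Disks $disks
if (-not $collisions) { 'No duplicate disk ids among attached disks.' }
foreach ($c in $collisions) {
    "Disk id $($c.Id) is shared by disks $($c.DiskNumbers -join ', ')"
    if ($Fix) {
        $newest = $c.DiskNumbers[-1]
        "Onlining disk $newest with a newly generated id via diskpart..."
        Repair-DiskIdCollision -DiskNumber $newest
        Get-DiskIdentity | Where-Object Number -eq $newest | Format-Table -AutoSize
    }
}
```

Save it as a script and run it once without `-Fix` right after the second `aim_cli --mount`: two rows with the same `Id` confirm the diagnosis before anything is written. `Set-Disk -Number <n> -Guid <new guid>` (or `-Signature` for MBR) is the explicit PowerShell equivalent of letting diskpart pick a new id, if you prefer to choose the value yourself.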

Gregus1998 commented 6 months ago

Thank you for the reply.

I have been doing some tests and it looks like this is the problem. Tried to mount different images and it works.