EvilOctal Security Team Technical Discussion Group's Archiver

冰血封情 2004-8-25 23:26

[Repost] Examining a suspect system with VMware

Source: quzheng

VMware can boot a raw disk image directly, which makes it convenient to examine a suspect system: the evidence disk is imaged once and the copy is booted inside a VM, with the guest's writes discarded, instead of powering on the original machine. The procedure is as follows:

Step 1: image the MBR area and the partition under examination. The first dd copies the 63 sectors in front of partition 1 (the MBR plus the gap up to the partition's first LBA); confirm with fdisk -l that sda1 really starts at sector 63, because the count must equal that start sector for the extents in step 2 to line up. The second dd copies the partition itself, and the sector counts dd reports are the values the descriptor needs.
[root@forensic0 VMware-test]# dd if=/dev/sda of=mbr.img bs=512 count=63
63+0 records in
63+0 records out
[root@forensic0 VMware-test]# dd if=/dev/sda1 of=partition.img bs=512
2491712+0 records in
2491712+0 records out

Step 2: write the vmdk descriptor
Below is the edited VMware-test.vmdk. The two extents are laid end to end, so the guest sees sectors 0 to 62 from mbr.img and the partition from sector 63 onward; each extent size must equal the sector count dd reported in step 1. The geometry has to cover the whole virtual disk: at 63 sectors x 16 heads that is 2,491,775 / 1008 = 2472 cylinders, rounded up. A smaller value (1216, for instance, covers only 1,225,728 sectors) describes a disk shorter than the extents. Note too that the partition table inside mbr.img still lists any other partitions of the original disk; those are not present in the virtual disk, so the guest will find them missing.
# Disk DescriptorFile
version=1
CID=dc92f58c
parentCID=ffffffff
createType="monolithicFlat"
# Extent description
RW 63 FLAT "mbr.img" 0
RW 2491712 FLAT "partition.img" 0
# The Disk Data Base
#DDB
ddb.toolsVersion = "0"
ddb.adapterType = "ide"
ddb.geometry.sectors = "63"
ddb.geometry.heads = "16"
ddb.geometry.cylinders = "2472"
ddb.virtualHWVersion = "3"
# The two lines below are .vmx (virtual machine) settings, not descriptor keys; they belong in VMware-test.vmx
scsi0.present = "TRUE"
memsize = "16"

Step 3: edit the vmx file
Below is the edited VMware-test.vmx. The line that matters for evidence handling is ide0:0.mode = "independent-nonpersistent": every write the guest makes goes to a redo log that is thrown away at power-off, so the images themselves are never modified across boots. Do not rely on that alone: keep mbr.img and partition.img read-only on the host and hash them before the first boot and after the last, so the hashes can show the copies were not altered. memsize (guest RAM in MB) and scsi0.present are .vmx settings and belong in this file.
ide0:0.present = "TRUE"
ide0:0.fileName = "VMware-test.vmdk"
ide1:0.present = "TRUE"
ide1:0.fileName = "/dev/cdrom"
ide1:0.deviceType = "cdrom-raw"
floppy0.fileName = "/dev/fd0"
sound.present = "TRUE"
displayName = "VMware-test"
guestOS = "win31"
priority.grabbed = "normal"
priority.ungrabbed = "normal"
uuid.location = "56 4d 03 d8 4f 7f 73 b8-29 78 1d 14 c7 d2 69 8e"
uuid.bios = "56 4d 03 d8 4f 7f 73 b8-29 78 1d 14 c7 d2 69 8e"
tools.remindInstall = "TRUE"
ide0:0.mode = "independent-nonpersistent"

Step 4: start VMware and power on the VM; it boots from the imaged MBR and partition.
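The whole procedure above as one script, added here as an example; it is not code from the post or from quzheng. It goes a step beyond the post: it reads partition 1's start LBA and size out of the MBR partition table instead of assuming 63 sectors, images the pre-partition area and the partition with dd, makes the copies read-only, and writes a descriptor whose extent sizes and cylinder count are derived from the images. It assumes a DOS/MBR partition table and POSIX dd, od, printf, wc and mktemp. The evidence disk it works on is a constructed stand-in built by mk_fake_disk so the script runs offline, and all function names are this example's own; on a real case point DISK at the evidence device (or a dd image of it) and skip mk_fake_disk.

```shell
#!/bin/sh
# Added example (not from the post): image MBR area + partition 1 of a suspect
# disk and emit a VMware flat-descriptor .vmdk whose extents match the images.
# Assumes a DOS/MBR partition table and POSIX dd, od, printf, wc, mktemp.
# The evidence disk used below is a constructed stand-in; on a real case set
# DISK to the evidence device (or a dd image of it) and skip mk_fake_disk.
set -eu

# Emit a 32-bit integer as four raw little-endian bytes (octal printf escapes).
le32() {
    v=$1
    printf "$(printf '\\%03o\\%03o\\%03o\\%03o' \
        $((v & 255)) $(((v >> 8) & 255)) $(((v >> 16) & 255)) $(((v >> 24) & 255)))"
}

# Constructed stand-in for the evidence disk: zero-filled, one bootable
# type-0x07 partition starting at LBA $2 with $3 sectors, 0x55AA signature.
mk_fake_disk() {
    img=$1; start=$2; size=$3
    dd if=/dev/zero of="$img" bs=512 count=$((start + size)) 2>/dev/null
    # entry 1 at byte 446: status, CHS start, type, CHS end, LBA start, LBA size
    { printf '\200\001\001\000\007\376\377\377'; le32 "$start"; le32 "$size"; } |
        dd of="$img" bs=1 seek=446 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$img" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# Unsigned little-endian 32-bit value at byte offset $2 of file $1,
# assembled from single bytes so the host's endianness does not matter.
le32_at() {
    set -- $(od -An -t u1 -j "$2" -N 4 "$1")
    echo $(( $1 + $2 * 256 + $3 * 65536 + $4 * 16777216 ))
}
has_mbr_sig() { [ "$(od -An -t x1 -j 510 -N 2 "$1" | tr -d ' \n')" = "55aa" ]; }
part1_start() { le32_at "$1" 454; }   # entry 1 + 8: first LBA of partition 1
part1_size()  { le32_at "$1" 458; }   # entry 1 + 12: sector count

# Cylinders for the descriptor's 63-sector x 16-head geometry, rounded up so
# the geometry covers the whole virtual disk (MBR area plus partition).
cylinders() { echo $(( ($1 + 63 * 16 - 1) / (63 * 16) )); }

# Copy the pre-partition area (exactly up to partition 1's start LBA, rather
# than a hard-coded 63) and the partition, then make both images read-only.
# Prints "start size" in sectors for the descriptor.
image_disk() {
    disk=$1; out=$2
    has_mbr_sig "$disk" || { echo "no 0x55AA signature on $disk" >&2; return 1; }
    start=$(part1_start "$disk"); size=$(part1_size "$disk")
    dd if="$disk" of="$out/mbr.img" bs=512 count="$start" 2>/dev/null
    dd if="$disk" of="$out/partition.img" bs=512 skip="$start" count="$size" 2>/dev/null
    chmod 444 "$out/mbr.img" "$out/partition.img"
    echo "$start $size"
}

# Flat descriptor in the layout the post uses; CID is an arbitrary content id.
write_vmdk() {
    out=$1; start=$2; size=$3
    cat > "$out/VMware-test.vmdk" <<EOF
# Disk DescriptorFile
version=1
CID=dc92f58c
parentCID=ffffffff
createType="monolithicFlat"
# Extent description
RW $start FLAT "mbr.img" 0
RW $size FLAT "partition.img" 0
# The Disk Data Base
#DDB
ddb.adapterType = "ide"
ddb.geometry.sectors = "63"
ddb.geometry.heads = "16"
ddb.geometry.cylinders = "$(cylinders $((start + size)))"
ddb.virtualHWVersion = "3"
EOF
}

# Sector count of an image file, to check each RW line against its file.
sectors_of() { echo $(( $(wc -c < "$1") / 512 )); }

WORK=$(mktemp -d)
DISK="$WORK/evidence.dd"
mk_fake_disk "$DISK" 63 2048               # constructed: 63-sector gap, 1 MiB partition
RESULT=$(image_disk "$DISK" "$WORK")
START=${RESULT% *}; SIZE=${RESULT#* }
write_vmdk "$WORK" "$START" "$SIZE"
echo "mbr.img=$(sectors_of "$WORK/mbr.img") sectors, partition.img=$(sectors_of "$WORK/partition.img") sectors"
```

Two checks are worth keeping when adapting this: the 0x55AA test fails fast on a disk that is not MBR-partitioned (a GPT disk carries a protective MBR whose single entry is type 0xEE, and the script would image that entry, not a real partition), and sectors_of lets you compare every RW line against the file it names before handing the descriptor to VMware.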

© 1999-2008 EvilOctal Security Team