Questions about DMA attack

[FlashPlayer13]

Hi! Firstly - thank you very much for such project. It looks like a magic that we can read RAM without any software on target PC.

I want to try your solution in my project (helper for online game) and have few questions before i will buy needed harware (because it is not as easy to get it in my country).

My setup is next: Target PC with Windows 10, where i am playing a game. I have full access to target PC settings, so i can disable any unneeded options there that interfere DMA attack. Host PC (where i want to get data from target PC) is also under Windows 10. I am .Net developer, so i am hoping that PCIleech C# api will fulfill all my tasks.

When i am playing i need periodically (as often as possible) extract a little portion of a game process memory. Currently i have a simple C++ code that uses OpenProcessHandle + ReadProcessMemory functions from Windows api to get needed portion of game data. Problem is that this functions are easily detectable (with hooks) and i don't want a game to detect that i am reading its memory. I know about possibility of writing own kernel driver to hide my api calls (and this is not easy task at all), but when i found your project it becomes clear for me that i need to extract that data through DMA attack. So i need only read process memory, without writing and as often as possible.

So far all clear for me, but here are things i want to clarify:

1. Am i right that with FPGA solution i have access to all RAM on target PC? That means if i have 16gb RAM there and needed info may be anywhere in this 16gb - there are no problems for PCIleech to extract it?
2. Is there any fast way to start extracting exact needed process memory? Or i need to extract all RAM i have on target PC and then analyse where is needed process memory there?
3. Lets assume i am using fastest FPGA solution that provides 150MB/s (ScreamerM2 for example). That literally means, that i need around 110 seconds to extract full RAM from my target PC with 16gb? And if i want to get needed data in cycle as often as possible - my cap is 1 time per 110 seconds?
4. Now very important question about detection. I need to say, that my game may have strong anticheat, so i need to make my data extraction process as hidden as possible. As we doing it harware way - i need to hide harware or make it looking friendly. So first sub question is - is it possible to completely hide from kernel/system in Windows10 connected ScreamerM2? And if not (i am sure that answer is not, but maybe are some possibilities) - what options we have to make hardware looking friendly? We can change device Id and manufacturer to look like any M2 device (if we are talking about ScreamerM2)? Can we make it looking like USB flash drive? Sorry for dumb questions, but i don't know hardware part well.

[ufrisk]

Hi,

Thanks for your questions. I'm not doing cheats but I'll answer in general terms.

1. Usually no problems unless the PC itself deployed some protections (Anti-DMA features configured in Windows and UEFI/BIOS).

2. Yes. I have the MemProcFS memory analysis toolkit to help with this. It provides a convenient easy-to-use virtual file system or an API if you prefer that. APIs exists for C/C++/C#/Python.

3. Something like this if you with to dump the entire physical memory yes. If you're only look at a small part of it - for instance if you're targeting some pointers in a process very little memory needs to be read so it's usually fast.

4. It is detected by anti-cheats in its default configuration. There is some work to be done to avoid that. It's way more than changing the device id though. From what I heard it usually goes around copying some pre-existing device as much as possible.

It's not possible to make it look like an USB flash drive. PCILeech needs to be connected over PCI Express or any of its variations/form factors, i.e. PCIe, M2, Thunderbolt3, etc. USB itself is not capable of DMA.

---

Unfortunately the global chip shortage has hit devices for this hard, so it may be a little bit difficult to find a device right now. I unfortunately don't know when/if anything will be back in stock.

[FlashPlayer13]

Thank you for your fast answers! Btw i am not working on cheat in its usual meaning (no advantage from getting this data), but however it is still data from the game that is not displayed directly, so i don't know how game will look at processmemoryread operations, so thats why need to hide my activity. Everything is clear now, except one thing in point 3 - if i know target process name (or pid) - there are options in MemProcFS to just read memory directle from needed process right? My game takes around 200mb in ram, so if i can read only process ram that will speed things up. And about point 4 - do you know some topics maybe where such config is discuissed?

[ufrisk]

3. You can actually try this on your own computer. If you download the MemProcFS latest release. And then also dokany for the virtual file system driver. And then WinPmem for driver-assisted memory acquisition (drop this .sys file in MemProcFS folder).

Just don't run it against a game; chances are you'll be banned; but have a look around some ordinary process; explorer.exe or lsass.exe.

Also when reading memory you don't usually have to read the whole process. If monitoring some values you might have to read process memory once and then just read a single 4kB memory page as fast as you can.

4. I'm not doing cheats. I prefer to keep some distance to it just to avoid getting even close to some gray legal areas. But google for it; find some people on twitter/github/unknowncheats etc to ask for more details around this.

But as I mentioned, hardware is currently a bit hard to come by due to the global chip situation.

Anyway, best wishes and good luck around your DMA project; please let me know if you have more questions :)

[FlashPlayer13]

Thank you! I will close this questions as they are answered)