ufrisk / pcileech

Direct Memory Access (DMA) Attack Software
GNU Affero General Public License v3.0

Unable to attack WIN10 with FPGA device #110

Closed: havu0 closed 4 years ago

havu0 commented 4 years ago

Hi, I'm trying to attack WIN10 (1809) with an FPGA device.

But I cannot get any successful result.

D:\PCILeech                                    
λ pcileech.exe -device fpga probe              

 Memory Map:                                   
 START              END               #PAGES   
 0000000000000000 - 000000000009ffff  000000a0 
 00000000000c0000 - 00000000c7bfffff  000c7b40 

 Current Action: Probing Memory                
 Access Mode:    Normal                        
 Progress:       4096 / 4096 (100%)            
 Speed:          819 MB/s                      
 Address:        0x0000000100000000            
 Pages read:     818144 / 1048576 (78%)        
 Pages failed:   230432 (21%)                  
Memory Probe: Completed.                      

-> The above one works well, right?

D:\PCILeech
λ pcileech kmdload -kmd WIN10_X64 -device fpga -vv -v

DEVICE: FPGA: AC701 / FT601 PCIe gen1 x1 [300,0,500] [v4.1,0300]

----- FPGA DEVICE CONFIG REGISTERS: CORE-READ-ONLY     SIZE: 34 BYTES -----
0000    89 ab 00 00 22 00 00 00  04 01 02 00 00 00 00 00   ...."...........
0010    6b 34 64 4c 44 00 00 00  6d 34 64 4c 44 00 00 00   k4dLD...m4dLD...
0020    00 00                                              ..

----- FPGA DEVICE CONFIG REGISTERS: CORE-READ-WRITE    SIZE: 30 BYTES -----
0000    cd ef 04 00 1e 00 00 00  a0 86 01 00 00 00 00 00   ................
0010    ee 10 07 00 ee 10 66 06  02 00 00 00 00 00         ......f.......

----- FPGA DEVICE CONFIG REGISTERS: PCIE-READ-ONLY     SIZE: 48 BYTES -----
0000    01 23 00 00 30 00 00 00  03 00 16 08 24 00 00 00   .#..0.......$...
0010    00 00 10 00 00 00 00 00  10 29 00 00 04 00 00 00   .........)......
0020    11 10 00 00 1e 7f 00 00  00 00 00 00 00 00 00 00   ..... ..........

----- FPGA DEVICE CONFIG REGISTERS: PCIE-READ-WRITE    SIZE: 84 BYTES -----
0000    45 67 00 f0 54 00 00 00  35 0a 00 01 01 00 00 00   Eg..T...5.......
0010    00 00 00 00 00 f0 48 00  00 00 00 0e 00 00 00 00   ......H.........
0020    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0030    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0040    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0050    00 00 00 00                                        ....

Successfully loaded LeechCore v1.5.1 Device 3
KMD: Failed. Error reading or interpreting memory #1.
PCILEECH: Failed to load kernel module.

But when I try to load the kernel module, or try some other methods, it always returns failed.

D:\PCILeech
λ pcileech.exe -device FPGA testmemreadwrite -min 0x1000 -vv -v

DEVICE: FPGA: AC701 / FT601 PCIe gen1 x1 [300,0,500] [v4.1,0300]

----- FPGA DEVICE CONFIG REGISTERS: CORE-READ-ONLY     SIZE: 34 BYTES -----
0000    89 ab 00 00 22 00 00 00  04 01 02 00 00 00 00 00   ...."...........
0010    37 47 d8 2b 46 00 00 00  39 47 d8 2b 46 00 00 00   7G.+F...9G.+F...
0020    00 00                                              ..

----- FPGA DEVICE CONFIG REGISTERS: CORE-READ-WRITE    SIZE: 30 BYTES -----
0000    cd ef 04 00 1e 00 00 00  a0 86 01 00 00 00 00 00   ................
0010    ee 10 07 00 ee 10 66 06  02 00 00 00 00 00         ......f.......

----- FPGA DEVICE CONFIG REGISTERS: PCIE-READ-ONLY     SIZE: 48 BYTES -----
0000    01 23 00 00 30 00 00 00  03 00 16 08 24 00 00 00   .#..0.......$...
0010    00 00 10 00 00 00 00 00  10 29 00 00 04 00 00 00   .........)......
0020    11 10 00 00 1e 7f 00 00  00 00 00 00 00 00 00 00   ..... ..........

----- FPGA DEVICE CONFIG REGISTERS: PCIE-READ-WRITE    SIZE: 84 BYTES -----
0000    45 67 00 f0 54 00 00 00  35 0a 00 01 01 00 00 00   Eg..T...5.......
0010    00 00 00 00 00 f0 48 00  00 00 00 0e 00 00 00 00   ......H.........
0020    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0030    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0040    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0050    00 00 00 00                                        ....

Successfully loaded LeechCore v1.5.1 Device 3
Memory Test Read: starting, reading 1000 times from address: 0x00001000
Memory Test Read: Failed. DMA failed / data changed by target computer / memory corruption. Read: 0. Run: 0. Offset: 0x000

I connected the FTDI on the attacker PC and connected the FPGA device to the PCIe slot on the victim PC.

The target PC is Win10 1809, i7-7700.

havu0 commented 4 years ago

Oops, when I disable VT-x, it works well. BTW, can I use PCILeech on VT-x enabled environments?

==> Failed again after reboot T_T

havu0 commented 4 years ago

Solved. It's not working when rebooting the PC, but works well after a complete shutdown and power up.

ufrisk commented 4 years ago

Thanks for the update :) Good Luck with your DMA attacking! Please let me know if you run into any more troubles.

I'm closing this issue since it seems to be resolved.