ufrisk / pcileech

Direct Memory Access (DMA) Attack Software
GNU Affero General Public License v3.0

Target linux server crashes #116

Closed somethingisgo closed 4 years ago

somethingisgo commented 4 years ago

When the target is a Linux system server, the detected memory size is inaccurate. When reading memory, the number of failed memory pages increases and the server crashes.

ufrisk commented 4 years ago

Some targets with crappy firmware or devices will crash/freeze whenever the PCILeech tries to read from a memory address that is occupied by a memory mapped device.

Since the PCILeech doesn't really know where these memory regions are located, it may crash the server. Usually these potentially problematic memory regions are located between 3-4GB; it's why the PCILeech tries to dump memory above 4GB first and then dump memory between 3-4GB.

Also; in what way is the memory size inaccurate? Usually address space is somewhat larger than the amount of RAM (due to the memory mapped devices). If your server has 16GB of RAM it's likely and normal that the memory detected will be between 16-18GB (depending on how much is reserved for devices and such). If the PCILeech detects lots more memory or lots less memory there may be a problem though.

If you know which memory region crashes the server you may specify which memory to dump in the -min and -max options. I know there have been some requests for me to add a user-specified memory map that the user should be able to specify at command-line; but I haven't gotten around to implementing that quite yet. For now the -min and -max options will have to do.

Hope this helps a bit.

somethingisgo commented 4 years ago

I specified the -min and -max options when reading Linux server memory. I think the cause of the crash should be the first case you said, because every time I read 3-4G content, the server crashes. Is there any solution to this problem?

ufrisk commented 4 years ago

It's related to the server hardware; if you're somehow able to insert a kernel module into the Linux system you might be able to dump via that one, avoiding physical memory regions belonging to the firmware/devices.

I'm working on adding a user-definable memory map as well; but that would only partly solve the problem since you'd then have to already know the physical memory map (which region to blacklist) beforehand. If this is not an issue I guess that would solve your issue.

Long term the ideal solution would be to automatically find the physical memory map and retrieve it from the Linux kernel and/or other memory structures. I haven't looked into it though so it's not super likely to happen in the near future. I hope to add the user-definable memory map quite soon though.

Short term solution would be to do two dumps, first one with -min 0x100000000 to dump memory above 4GB, then a 2nd dump with -max 0xc0000000 (or up until your problematic memory region).

ufrisk commented 4 years ago

I have added a better memory auto-detection mechanism which may or may not solve your issue.

Also; if you know the memory map of the server (i.e. the problematic memory regions) pcileech now supports feeding it the memory map of valid memory regions in a file with the -memmap option.

I know it's not 100% perfect for Linux targets; but it's what I can do about it right now without way more extensive changes.

I hope this should be sufficient and that your issue will be resolved by this though. If you still have issues with this please re-open this issue. Good Luck :)
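
An added example, not part of the original thread and not PCILeech code: for an administrator or forensic examiner who has root on the Linux host, this derives the physical memory map discussed above from `/proc/iomem` and lists the RAM regions and the non-RAM holes between them. Reading `/proc/iomem` is an assumption (the thread does not name a source for the map), the sample text is constructed, and the output is not in the `-memmap` file format, which the thread does not describe.

```python
import re

# Constructed sample of /proc/iomem from a hypothetical 16 GB Linux host.
# Must be read as root; unprivileged reads show zeroed addresses.
SAMPLE_IOMEM = """\
00000000-00000fff : Reserved
00001000-0009ffff : System RAM
000a0000-000fffff : Reserved
00100000-bffdffff : System RAM
  01000000-01e00fff : Kernel code
bffe0000-bfffffff : ACPI Tables
c0000000-febfffff : PCI Bus 0000:00
  fd000000-fdffffff : 0000:00:02.0
fec00000-fec003ff : IOAPIC 0
100000000-43fffffff : System RAM
"""

# Only top-level entries match: nested entries are indented with spaces.
LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) : (.+)$")

def system_ram_ranges(iomem_text):
    """Return merged [(start, end_inclusive)] for top-level 'System RAM' entries."""
    ranges = []
    for line in iomem_text.splitlines():
        m = LINE.match(line)
        if m and m.group(3).strip() == "System RAM":
            ranges.append((int(m.group(1), 16), int(m.group(2), 16)))
    ranges.sort()
    merged = []
    for start, end in ranges:
        if merged and start <= merged[-1][1] + 1:  # adjacent or overlapping
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged

def clip(ranges, lo, hi):
    """Restrict RAM ranges to the inclusive window [lo, hi] (a -min/-max style window)."""
    return [(max(s, lo), min(e, hi)) for s, e in ranges if s <= hi and e >= lo]

def gaps(ranges):
    """Non-RAM holes between consecutive RAM ranges (device MMIO, firmware, ACPI)."""
    return [(a[1] + 1, b[0] - 1) for a, b in zip(ranges, ranges[1:])]

if __name__ == "__main__":
    ram = system_ram_ranges(SAMPLE_IOMEM)
    for s, e in ram:
        print(f"RAM  {s:#014x}-{e:#014x}")
    for s, e in gaps(ram):
        print(f"hole {s:#014x}-{e:#014x}")
```

On the constructed sample the second hole runs from 0xbffe0000 to 0xffffffff, which is the 3-4GB device region the thread identifies as problematic.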