Closed d0ntrash closed 3 years ago
it's nice to see it's working for you after a fresh boot; then we know DMA is actually working.
Thunderbolt3 is hyper-sensitive against reads outside allowed memory regions. If such a read takes place then it will stop working.
You would need to use the -memmap
option to specify a memory map so that PCILeech will keep only inside valid memory regions.
If you're lucky -memmap auto
will work. If unlucky you would need to specify it manually from within a file - i.e. -memmap c:\temp\your_memory_map.txt
.
Easiest way to retrieve it is probably use DumpIt.exe to create a memory dump of your target system. Then open the dump in my MemProcFS tool - https://github.com/ufrisk/MemProcFS where you'll find the dump file at: M:\sys\memory\physmemmap.txt
(also, WIN10_X64_3 is more stable than WIN10_X64_2, but first you would need to get it working with the Thunderbolt)
Please let me know how it goes. Try the -memmap auto
first.
Also, if you find PCILeech / MemProcFS useful please consider sponsoring the project here on Github. I see people purchasing hardware for hundreds of dollars (of which I receive absolutely zero dollars for - since I'm not related to hardware sales) just to be able to run my free open source software. Sponsorships go for as little as $2 and Github is matching it - a $2 sponsorship for you is a $4 sponsorship for me. Thank You 💖
I already tried -memmap auto
which did not work if I remember correctly.
I will try the way you described on Friday, I will let you know if it works.
Is the memorymap specific to the OS version or to the hardware?
It's related to the hardware, not the OS. if you re-flash bios it may change otherwise it should be fine I think.
Please let me know how it goes.
Hi Ulf,
I just verified, -memmap auto
does not work in this case.
After I created a memorymap using RamMap I was able to read most of the pages as you can see here:
C:\Users\user\Downloads\PCILeech_files_and_binaries_v4.8-20210202>pcileech.exe dump -device fpga -memmap newmap.txt
Memory Dump: Initializing ... Done.
Current Action: Dumping Memory
Access Mode: Normal
Progress: 10984 / 10984 (100%)
Speed: 159 MB/s
Address: 0x0000000100000000
Pages read: 2064456 / 2811904 (73%)
Pages failed: 747448 (26%)
Memory Dump: Successful.
I am also able to get a system shell using the WIN10_X64_3
module:
C:\Users\user\Downloads\PCILeech_files_and_binaries_v4.8-20210202>pcileech.exe wx64_pscmd -kmd 0x498a1000 -device FPGA -memmap newmap.txt
EXEC: SUCCESS! shellcode should now execute in kernel!
Please see below for results.
PROCESS CREATOR - AUTOMATICALLY SPAWN CMD.EXE ON TARGET!
================================================================
Automatically spawn a CMD.EXE on the target system. This utility
only work if the target system is locked and the login screen is
visible. If it takes time waiting - then please touch any key on
the target system. If the utility fails multiple times, please
try wx64_pscreate instead.
===== DETAILED INFORMATION AFTER PROCESS CREATION ATTEMPT ======
NTSTATUS : 0x00000000
ADDITIONAL INFO : 0x0000
================================================================
Microsoft Windows [Version 10.0.19042.746]
(c) 2020 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
Using the WIN10_X64_2
module I get a blue screen saying ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY
. Using WIN10_X64
freezes the victim OS.
Seeing this work is really nice, but it kind of breaks my attacker model since I need admin privileges to get the memorymap (correct me if i am wrong).
So far I do not quite understand how the -memmap auto
function works and why it works only in some cases. I should probably take a look at the code for this :)
The memory map will be the same across same model of devices with the same amount of memory.
The -memmap auto
sometimes fail because I currently initialize the whole MemProcFS system in the background (via API calls) and read the memory map from the Windows registry to parse it out. That is a lot of reads that can go wrong. I'll switch the registry reading (which is complex) to reading it from the kernel. This won't completely solve the issue; but it will make it somewhat more likely that it will succeed.
This is unfortunately the way how things are; but the memmap should at least be very similar/same across similar devices; so it won't really break the attacker model for rich attackers... Also, if it's auto-booting you can try to dump as much memory as you can using PCILeech with an own memory map; then try to parse the proper one out with MemProcFs... Or just boot on USB to another OS and parse the memory map from there :)
Anyway; it's super nice to see it's working for you. I'll close the issue now since it seems like it's resolved. Please let me know if there are any outstanding issues around this; otherwise I wish you the best luck with your DMA attacks.
Also, if you should find PCILeech / MemProcFS useful please consider sponsoring the project here on Github. I see people purchasing hardware for hundreds of dollars (of which I receive absolutely zero dollars of) just to be able to run my free open source software. Sponsorships go for as little as $2 and Github is matching it - a $2 sponsorship for you is a $4 sponsorship for me. Thank You 💖
Hi,
I just recieved my ScreamerM2. Now I got some problems using it. I want to attack a Windows 10 19041.746 via Thunderbolt3. Right after a reboot the display command seams to work without any problem:
As can be seen in the output I am using PCILeech 4.8. The ScreamerM2 came preflashed with v4.7. could this missmatch cause problems?
As soon as I try anything else (kmdload, probe, ...) something breaks and I also can't use display anymore.
When using kmdload I get following output:
Can anyone help me with this problem?