ufrisk / pcileech

Direct Memory Access (DMA) Attack Software
GNU Affero General Public License v3.0

Performs differently in BIOS and Windows. #201

Closed favoritewky closed 4 months ago

favoritewky commented 2 years ago

Hello Ulf,

Firstly, I’d like to thank you for your hard work and dedication as I understand these are your hobby projects. I’m quite new to this so please forgive me if I make a beginner mistake.

My board is a Screamer PCIe Squirrel. The hack computer is WIN10 21H2. The target computer is WIN10 21H2 with VMX and VT-d disabled, Intel i5-10400.

When I run probe while the target is in the BIOS setup, it can read the memory except for the first 32 pages.

C:\Users\D\Desktop\pcileech>pcileech.exe -device fpga probe

 Memory Map:
 START              END               #PAGES
 0000000000000000 - 000000000009ffff  000000a0
 00000000000c0000 - 000000009befffff  0009be40
 0000000100000000 - 00000005be2b7fff  004be2b8
 00000005f2000000 - 00000006a0efffff  000aef00
 00000006c0000000 - 000000073ee0ffff  0007ee10

 Current Action: Probing Memory
 Access Mode:    Normal
 Progress:       34248 / 34248 (100%)
 Speed:          206 MB/s
 Address:        0x000000085C800000
 Pages read:     6848168 / 8767488 (78%)
 Pages failed:   1919320 (21%)
Memory Probe: Completed.

But when Windows is starting, it fails all the way to the end.

C:\Users\D\Desktop\pcileech>pcileech.exe -device fpga probe

 Memory Map:
 START              END               #PAGES

 Current Action: Probing Memory
 Access Mode:    Normal
 Progress:       336 / 4096 (8%)
 Speed:          67 MB/s
 Address:        0x0000000015000000
 Pages read:     0 / 1048576 (0%)
 Pages failed:   86016 (8%)
 Memory Map:
 START              END               #PAGES

 Current Action: Probing Memory
 Access Mode:    Normal
 Progress:       272 / 4096 (6%)
 Speed:          68 MB/s
 Address:        0x0000000011000000
 Pages read:     0 / 1048576 (0%)
 Pages failed:   69632 (6%)

C:\Users\D\Desktop\pcileech>pcileech.exe -device fpga probe  -v -vv

DEVICE: FPGA: ScreamerM2 PCIe gen2 x1 [300,25,500] [v4.10,0300] [ASYNC,NORM]

----- FPGA DEVICE CONFIG REGISTERS: CORE-READ-ONLY     SIZE: 40 BYTES -----
0000    89 ab 00 00 28 00 00 00  04 0a 04 00 00 00 00 00   ....(...........
0010    df ce c0 4c 16 00 00 00  e1 ce c0 4c 16 00 00 00   ...L.......L....
0020    00 00 02 00 ff ff ff ff                            ........

----- FPGA DEVICE CONFIG REGISTERS: CORE-READ-WRITE    SIZE: 30 BYTES -----
0000    cd ef 04 00 1e 00 00 00  a0 86 01 00 00 00 00 00   ................
0010    ee 10 07 00 ee 10 66 06  02 34 00 00 00 00         ......f..4....

----- FPGA DEVICE CONFIG REGISTERS: PCIE-READ-ONLY     SIZE: 48 BYTES -----
0000    01 23 00 00 30 00 00 00  03 00 1a 08 7c 00 00 00   .#..0.......|...
0010    0b 00 00 00 00 04 00 31  30 29 00 00 00 00 40 00   .......10)....@.
0020    12 10 00 00 1e 7f 00 00  00 00 00 00 00 00 00 00   ..... ..........

----- FPGA DEVICE CONFIG REGISTERS: PCIE-READ-WRITE    SIZE: 88 BYTES -----
0000    45 67 00 f0 58 00 00 00  15 08 00 02 01 00 5a a5   Eg..X.........Z.
0010    00 00 00 00 00 f0 48 00  00 00 00 0e 00 00 00 00   ......H.........
0020    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0030    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0040    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0050    00 00 00 00 24 f4 00 00                            ....$...

----- PCIe CORE Dynamic Reconfiguration Port (DRP)  SIZE: 0x100 BYTES -----
0000    00 00 00 01 00 02 00 00  00 00 00 00 00 00 f0 00   ................
0010    ff ff 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0020    00 00 00 00 00 00 00 00  00 00 00 40 00 00 00 00   ...........@....
0030    00 00 09 02 30 00 22 7f  02 00 01 00 00 03 11 0c   ....0." ........
0040    02 a1 00 43 01 00 1f fd  7f ff 09 ff 01 20 01 48   ...C.... .... .H
0050    00 05 01 60 11 9c 00 00  00 00 00 00 00 00 00 00   ...`............
0060    00 00 10 60 00 02 40 21  00 40 3d 48 00 23 00 00   ...`..@!.@=H.#..
0070    00 00 00 00 00 00 00 00  00 00 00 00 00 15 00 01   ................
0080    00 01 00 00 00 01 00 00  00 01 00 00 00 01 00 00   ................
0090    00 01 00 00 00 01 00 00  00 00 00 00 00 00 00 00   ................
00a0    00 00 00 00 00 00 00 00  00 02 00 00 12 34 10 18   .............4..
00b0    00 0b 00 01 00 11 00 00  00 00 00 00 00 01 00 00   ................
00c0    00 28 00 41 ff ff ff ff  00 e0 00 00 80 08 00 22   .(.A..........."
00d0    07 ff 03 52 02 48 00 08  00 40 0e 84 fa ac 00 00   ...R.H...@......
00e0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00f0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................

----- PCIe CONFIGURATION SPACE (no user set values) SIZE: 0x200 BYTES -----
0000    86 80 b8 15 00 04 10 20  00 00 00 02 10 00 00 00   ....... ........
0010    00 00 20 a0 00 00 00 00  00 00 00 00 00 00 00 00   .. .............
0020    00 00 00 00 00 00 00 00  00 00 00 00 43 10 72 86   ............C.r.
0030    00 00 00 00 40 00 00 00  00 00 00 00 ff 01 00 00   ....@...........
0040    01 48 03 78 0b 00 00 00  05 60 80 00 00 00 00 00   .H.x.....`......
0050    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0060    10 00 02 00 e2 8f 90 05  30 29 00 00 12 f4 03 00   ........0)......
0070    40 00 12 10 00 00 00 00  00 00 00 00 00 00 00 00   @...............
0080    00 00 00 00 02 00 00 00  00 00 00 00 00 00 00 00   ................
0090    02 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00a0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00b0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00c0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00d0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00e0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00f0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0100    03 00 c1 10 15 08 00 02  01 00 5a a5 00 00 00 00   ..........Z.....
0110    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0120    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0130    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0140    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0150    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0160    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0170    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0180    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0190    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
01a0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
01b0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
01c0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
01d0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
01e0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
01f0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................

----- PCIe SHADOW CONFIGURATION SPACE (only user set values) SIZE: 0x1000 BYTES -----
0000    86 80 b8 15 06 04 10 00  00 00 00 02 00 00 00 00   ................
0010    00 00 20 df 00 00 00 00  00 00 00 00 00 00 00 00   .. .............
0020    00 00 00 00 00 00 00 00  00 00 00 00 43 10 72 86   ............C.r.
0030    00 00 00 00 c8 00 00 00  00 00 00 00 0b 01 00 00   ................
0040    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0050    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0060    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0070    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0080    28 00 00 00 08 00 00 00  00 00 00 00 00 00 00 00   (...............
0090    00 00 00 00 1f 00 00 00  00 00 00 00 40 02 18 40   ............@..@
00a0    00 00 00 00 01 00 00 00  03 10 03 10 00 00 00 00   ................
00b0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00c0    00 00 00 00 00 00 00 00  01 d0 23 c8 08 20 00 00   ..........#.. ..
00d0    05 e0 81 00 00 b0 e0 fe  00 00 00 00 22 40 00 00   ............"@..
00e0    13 00 06 03 00 00 00 00  00 00 00 00 00 00 00 00   ................
00f0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0100    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0110    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................

FPGA: TINY PCIe TLP algrithm auto-selected!
LcMemMap_AddRange: 0000000000000000-000000000009ffff -> 0000000000000000
LcMemMap_AddRange: 0000000000100000-00000000ffffffff -> 0000000000100000
LeechCore v2.11.1: Open Device: fpga
 Memory Map:
 START              END               #PAGES

 Current Action: Probing Memory
 Access Mode:    Normal
 Progress:       128 / 4096 (3%)
 Speed:          64 MB/s
 Address:        0x0000000008000000
 Pages read:     0 / 1048576 (0%)
 Pages failed:   32768 (3%)

I have tried many times but I can't understand why it happens, or how I can solve it. Thanks!
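A small analysis helper for the probe output quoted above, added here as an example; it is not part of pcileech or LeechCore and does not touch any hardware. It parses the `Memory Map` lines and the `Pages read` / `Pages failed` counters from a saved probe transcript, cross-checks that each range's page count matches its start/end addresses and that the map adds up to the `Pages read` counter, and lists the unreadable gaps between ranges. The two sample transcripts are constructed from the BIOS-setup run and the Windows-boot run posted in this issue; the function names are my own.

```python
import re

# Constructed sample inputs: the two probe runs quoted in the issue
# (target in BIOS setup, and target while Windows is booting).
PROBE_BIOS = """\
 Memory Map:
 START              END               #PAGES
 0000000000000000 - 000000000009ffff  000000a0
 00000000000c0000 - 000000009befffff  0009be40
 0000000100000000 - 00000005be2b7fff  004be2b8
 00000005f2000000 - 00000006a0efffff  000aef00
 00000006c0000000 - 000000073ee0ffff  0007ee10

 Current Action: Probing Memory
 Access Mode:    Normal
 Progress:       34248 / 34248 (100%)
 Speed:          206 MB/s
 Address:        0x000000085C800000
 Pages read:     6848168 / 8767488 (78%)
 Pages failed:   1919320 (21%)
Memory Probe: Completed.
"""

PROBE_WINBOOT = """\
 Memory Map:
 START              END               #PAGES

 Current Action: Probing Memory
 Access Mode:    Normal
 Progress:       336 / 4096 (8%)
 Speed:          67 MB/s
 Address:        0x0000000015000000
 Pages read:     0 / 1048576 (0%)
 Pages failed:   86016 (8%)
"""

PAGE = 0x1000  # probe output counts 4 KiB pages

# One "START - END  #PAGES" line of the memory map (all fields are hex).
RANGE_RE = re.compile(r"^\s*([0-9a-f]{16}) - ([0-9a-f]{16})\s+([0-9a-f]{8})\s*$", re.I)
PAGES_READ_RE = re.compile(r"Pages read:\s*(\d+)\s*/\s*(\d+)")
PAGES_FAILED_RE = re.compile(r"Pages failed:\s*(\d+)")


def parse_probe(text):
    """Return the readable ranges and the summary counters of one probe transcript."""
    ranges = []
    for line in text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            start, end, pages = (int(x, 16) for x in m.groups())
            ranges.append((start, end, pages))
    read = PAGES_READ_RE.search(text)
    failed = PAGES_FAILED_RE.search(text)
    return {
        "ranges": ranges,
        "pages_read": int(read.group(1)) if read else None,
        "pages_total": int(read.group(2)) if read else None,
        "pages_failed": int(failed.group(1)) if failed else None,
    }


def check_consistency(probe):
    """Cross-check the map against the counters; returns a list of problems (empty = consistent)."""
    problems = []
    for start, end, pages in probe["ranges"]:
        if start % PAGE or (end + 1) % PAGE:
            problems.append(f"range {start:#x}-{end:#x} is not page aligned")
        if (end + 1 - start) // PAGE != pages:
            problems.append(f"range {start:#x}-{end:#x} claims {pages:#x} pages")
    if probe["pages_read"] is not None:
        if sum(r[2] for r in probe["ranges"]) != probe["pages_read"]:
            problems.append("map page count does not match 'Pages read'")
        if probe["pages_failed"] is not None and \
                probe["pages_read"] + probe["pages_failed"] != probe["pages_total"]:
            # An aborted or in-progress run will not add up to the total.
            problems.append("'Pages read' + 'Pages failed' does not match total")
    return problems


def unreadable_gaps(probe):
    """Gaps between readable ranges: physical address space the probe could not read."""
    gaps = []
    prev_end = -1
    for start, end, _ in sorted(probe["ranges"]):
        if start > prev_end + 1:
            gaps.append((prev_end + 1, start - 1))
        prev_end = end
    return gaps


if __name__ == "__main__":
    for name, text in (("BIOS setup", PROBE_BIOS), ("Windows booting", PROBE_WINBOOT)):
        p = parse_probe(text)
        print(name, "ranges:", len(p["ranges"]), "problems:", check_consistency(p))
        for lo, hi in unreadable_gaps(p):
            print(f"  unreadable {lo:#x}-{hi:#x} ({(hi + 1 - lo) // PAGE} pages)")
```

On the BIOS-setup transcript the five map ranges sum to exactly the 6848168 pages the `Pages read` counter reports, so the map and the counters agree; the gaps the helper lists are the usual legacy hole at 0xa0000-0xbffff and the reserved/MMIO regions that are never backed by RAM, which is why a probe over a healthy, unprotected target still reports "failed" pages. On the Windows-boot transcript the map is empty and `Pages read` is 0, and the counters do not add up because the run was stopped at 8%; that pattern (no readable range at all rather than a few holes) is the signature of reads being blocked wholesale, which is what the reply below attributes to the OS-side DMA protection kicking in during boot.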

ufrisk commented 2 years ago

My best guess is that your BIOS/UEFI doesn't protect against DMA attacks - which makes it vulnerable.

Recent Windows versions (Win11) have lots of anti-DMA features enabled by default. You can try to log on to the computer from the lock screen (it may then start to work) or disable the IOMMU/VT-d feature in UEFI.

There are also other alternatives that may work since you have a vulnerable UEFI, I'm thinking about corrupting the DMAR ACPI table - it won't affect Windows boot (unless they changed something in recent versions) but it will prevent Windows from enabling the anti-DMA features. I have an old blog entry about it http://blog.frizk.net/2016/11/disable-virtualization-based-security.html

ufrisk commented 4 months ago

I'm closing this issue due to old age.