ufrisk / pcileech

Direct Memory Access (DMA) Attack Software
GNU Affero General Public License v3.0

PCILeech Summary:

PCILeech uses PCIe hardware devices to read and write target system memory. This is achieved by using DMA over PCIe. No drivers are needed on the target system.

PCILeech also works without hardware together with a wide range of software memory acquisition methods supported by the LeechCore library - including capture of remote live memory using DumpIt or WinPmem. PCILeech also supports local capture of memory and a number of memory dump file formats.

PCILeech supports multiple memory acquisition devices, both hardware and software based. USB3380 based hardware is only able to read 4GB of memory natively, but is able to read all memory if a kernel module (KMD) is first inserted into the target system kernel. FPGA based hardware, and software based methods, are able to read all memory.

PCILeech is capable of inserting a wide range of kernel implants into the targeted kernels - allowing for easy access to live RAM and the file system via a "mounted drive". It is also possible to remove the logon password requirement, load unsigned drivers, execute code and spawn system shells. PCILeech runs on Windows and Linux. Supported target systems are currently the x64 versions of: UEFI, Linux, FreeBSD and Windows. This requires write access to memory (USB3380 hardware, FPGA hardware, LiveCloudKd or CVE-2018-1038 "Total Meltdown").

To get going clone the sources in the repository or download the latest binaries, modules and configuration files.

The PushPin GUI frontend for PCILeech makes common RedTeam tasks super easy. Note that PushPin is not part of the official PCILeech distribution.

Capabilities:

*) macOS High Sierra and above are not supported.

Memory Acquisition Methods:

PCILeech supports both hardware based and software based memory acquisition methods. All memory acquisition is handled by the LeechCore library.

Hardware based memory acquisition methods:

Please find a summary of the supported hardware based memory acquisition methods listed below. All hardware based memory acquisition methods are supported on both Windows and Linux. The FPGA based methods, however, carry a slight performance penalty on Linux and will max out at approx. 90MB/s compared to 150MB/s on Windows.

| Device | Type | Interface | Speed | 64-bit memory access | PCIe TLP access | Project Sponsor |
| --- | --- | --- | --- | --- | --- | --- |
| Screamer PCIe Squirrel | FPGA | USB-C | 190MB/s | Yes | Yes | 💖 |
| ZDMA | FPGA | Thunderbolt3 | 1000MB/s | Yes | Yes | 💖 |
| LeetDMA | FPGA | USB-C | 190MB/s | Yes | Yes | 💖 |
| AC701/FT601 | FPGA | USB3 | 190MB/s | Yes | Yes | |
| USB3380-EVB | USB3380 | USB3 | 150MB/s | No | No | |
| PP3380 | USB3380 | USB3 | 150MB/s | No | No | |
| DMA patched HP iLO | BMC | TCP | 1MB/s | Yes | No | |

Software based memory acquisition methods:

Please find a summary of the supported software based memory acquisition methods listed below. Please note that the LeechService only provides a network connection to a remote LeechCore library. It's possible to use both hardware and software based memory acquisition once connected.

| Device | Type | Volatile | Write | Linux Support | Plugin |
| --- | --- | --- | --- | --- | --- |
| RAW physical memory dump | File | No | No | Yes | No |
| Full Microsoft Crash Dump | File | No | No | Yes | No |
| Full ELF Core Dump | File | No | No | Yes | No |
| VMware | Live Memory | Yes | Yes | No | No |
| VMware memory save file | File | No | No | Yes | No |
| TotalMeltdown | CVE-2018-1038 | Yes | Yes | No | No |
| DumpIt /LIVEKD | Live Memory | Yes | No | No | No |
| WinPMEM | Live Memory | Yes | No | No | No |
| LiveKd | Live Memory | Yes | No | No | No |
| LiveCloudKd | Live Memory | Yes | Yes | No | Yes |
| Hyper-V Saved State | File | No | No | No | Yes |
| LeechAgent* | Remote | | | No | No |

Installing PCILeech:

Please ensure you have the most recent version of PCILeech by visiting the PCILeech GitHub repository at: https://github.com/ufrisk/pcileech

Get the latest binaries, modules and configuration files from the latest release. Alternatively clone the repository and build from source.

Windows:

Please see the PCILeech on Windows guide for information about running PCILeech on Windows.

The Google Android USB driver has to be installed if USB3380 hardware is used. Download the Google Android USB driver from: http://developer.android.com/sdk/win-usb.html#download and unzip the driver.
FTDI drivers have to be installed if FPGA is used with FT601 USB3 addon card or PCIeScreamer. Download the 64-bit FTD3XX.dll from FTDI and place it alongside pcileech.exe.
To mount live ram and target file system as drive in Windows the Dokany2 file system library must be installed. Please download and install the latest stable version of Dokany2 at: https://github.com/dokan-dev/dokany/releases/latest

Linux:

Please see the PCILeech on Linux guide for information about running PCILeech on Linux.

Examples:

Please see the project wiki pages for more examples. The wiki is in a buildup phase and information may still be missing.

Mount target system live RAM and file system, requires that a KMD is loaded. In this example 0x11abc000 is used.

Show help for a specific kernel implant, in this case lx64_filepull kernel implant.

Show help for the dump command.

Dump all memory from the target system given that a kernel module is loaded at address: 0x7fffe000.

Force dump memory below 4GB including accessible memory mapped devices using more stable USB2 approach on USB3380.

Receive PCIe TLPs (Transaction Layer Packets) and print them on screen (correctly configured FPGA dev board required).

Probe/Enumerate the memory of the target system for readable memory pages and maximum memory. (FPGA hardware only).

Dump all memory between addresses min and max, don't stop on failed pages. Native access to 64-bit memory is only supported on FPGA hardware.

Dump all memory, try to locate the memory map from the target system registry to avoid dumping potentially invalid memory which may freeze the target.

Force the usage of a specific device (instead of default auto detecting it). The pmem device is not auto detected.

Dump remote memory from a remote LeechAgent using connection encrypted and mutually authenticated by kerberos.

Execute the Python analysis script find-rwx.py on a remote computer using the LeechAgent embedded Python environment.

Dump memory using the reported "TotalMeltdown" Windows 7/2008R2 x64 PML4 page table permission vulnerability.

Insert a kernel module into a running Linux system remotely via a DMA patched HP iLO.

Patch virtual process memory of pid 432 (lsass.exe in this example).

Limitations/Known Issues:

PCILeech and MemProcFS community:

Find all this a bit overwhelming? Or just want to ask a quick question? Join the PCILeech and MemProcFS DMA community server at Discord!

Building:

The binaries are found in the releases section of this repository. If you wish to build your own version it is possible to do so. Please see the PCILeech on Windows or PCILeech on Linux guides for more information about building PCILeech. PCILeech is also dependent on LeechCore and optionally (for some extra functionality) on The Memory Process File System, which must both be built separately.

Contributing:

PCILeech, MemProcFS and LeechCore are open source but not open contribution. PCILeech, MemProcFS and LeechCore offer a highly flexible plugin architecture that will allow for contributions in the form of plugins. If you wish to make a contribution, other than a plugin, to the core projects please contact me before starting to develop.

Links:

Support PCILeech/MemProcFS development:

PCILeech and MemProcFS are free and open source!

I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute by becoming a sponsor!

If you like what I've created with PCILeech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics and would like to give something back to support future development please consider becoming a sponsor at: https://github.com/sponsors/ufrisk

To all my sponsors, Thank You 💖

All sponsorships are welcome, no matter how large or small.

Changelog:

Previous releases:

v1.0-v3.6
* Initial release and various updates. Please see individual releases for more information.

v4.0
* Major cleanup and internal refactorings.
* FPGA max memory auto-detect and more stable dumping strategy.
* New stable Windows 10 kernel injects with FPGA hardware on non-virtualization based security systems.
* User mode injects (experimental).
* Removal of built-in device support - the [LeechCore](https://github.com/ufrisk/LeechCore) `leechcore.dll`/`leechcore.so` library is now used instead. New devices include:
  * Memory dump files (raw linear dump files and Microsoft crash dump files).
  * Hyper-V save files.
  * Live memory via DumpIt / WinPmem.
  * Remote devices via -remote setting.
* Removal of API and built-in _Memory Process File System_ - please use the more capable APIs in the [LeechCore](https://github.com/ufrisk/LeechCore) and [Memory Process File System](https://github.com/ufrisk/MemProcFS) instead.
* Multiple other changes and syntax updates.

v4.1
* LeechAgent support - remote memory acquisition and analysis.

[v4.2](https://github.com/ufrisk/pcileech/releases/tag/v4.2)
* Signature updates:
  * Linux kernel module - LINUX_X64_48 (latest versions)
  * Win10 1903 kernel module - WIN10_X64_2 (requires windows version of PCILeech)

[v4.3](https://github.com/ufrisk/pcileech/releases/tag/v4.3)
* Bug fixes.
* Support for new device (NeTV2 / RawUDP) via LeechCore library.

[v4.4](https://github.com/ufrisk/pcileech/releases/tag/v4.4)
* Bug fixes and stability improvements.
* Support for MemProcFS v3 library.
* Code signing of binaries.
* "tlploop" command.

[v4.5](https://github.com/ufrisk/pcileech/releases/tag/v4.5)
* Bug fixes.
* Support for v2 of the LeechCore memory acquisition library.
* MemProcFS integration when running on Windows.
* Support for user-defined physical memory map (-memmap option).

[v4.6](https://github.com/ufrisk/pcileech/releases/tag/v4.6)
* Support for [LiveCloudKd](https://github.com/ufrisk/LeechCore/wiki/Device_LiveCloudKd).

[v4.7](https://github.com/ufrisk/pcileech/releases/tag/v4.7)
* Bug fixes.
* WIN10_X64_3 new stable kernel signature for Windows 10 - including Win10 2004 release.
* Unlock signature updates - Win10/Linux (NB! most recent kernels on Linux not yet supported).

[v4.8](https://github.com/ufrisk/pcileech/releases/tag/v4.8)
* Bug fixes.
* Better support for recent x64 Linux kernels.

[v4.9](https://github.com/ufrisk/pcileech/releases/tag/v4.9)
* Bug fixes.
* Signature updates.
* Better support for recent x64 Linux kernels (Ubuntu 21.04).
* Unmount of mounted driver when CTRL+C pressed.

v4.10

v4.11

v4.12

v4.13

v4.14

v4.15

v4.16

v4.17

v4.18

Latest: