pcileech 4.17 releases: Direct Memory Access (DMA) Attack Software

PCILeech Summary:

PCILeech uses PCIe hardware devices to read from and write to the target system's memory. This is achieved with DMA over PCIe; no drivers are needed on the target system.

PCILeech supports multiple hardware devices. Currently, only the USB3380 hardware is publicly available. The USB3380 can natively read only the lowest 4GB of memory, but it can read all memory once a kernel module (KMD) has been inserted into the target system's kernel.

PCILeech is capable of inserting a wide range of kernel implants into the targeted kernels, allowing easy access to live RAM and the file system via a “mounted drive”. It is also possible to remove the logon password requirement, load unsigned drivers, execute code, and spawn system shells. PCILeech runs on Windows/Linux/Android. Supported target systems are currently the x64 versions of UEFI, Linux, FreeBSD, macOS, and Windows.

Capabilities:

  • Retrieve memory from the target system at >150MB/s.
  • Write data to the target system memory.
  • The lowest 4GB of memory can be accessed in native DMA mode.
  • ALL memory can be accessed if kernel module (KMD) is loaded.
  • Mount live RAM as file [Linux, Windows, macOS].
  • Mount file system as drive [Linux, Windows, macOS].
  • Execute kernel code on the target system.
  • Spawn system shell [Windows].
  • Spawn any executable [Windows].
  • Load unsigned drivers [Windows].
  • Pull files [Linux, FreeBSD, Windows, macOS].
  • Push files [Linux, Windows, macOS].
  • Patch / Unlock (remove password requirement) [Windows, macOS].
  • Easy to create own kernel shellcode and/or custom signatures.
  • Even more features not listed here …

Changelog v4.17

  • I/O BAR support.
  • Linux improvements:
    • KMD signature update (LINUX_X64_48) to support latest Ubuntu kernels.
    • Update of kernel modules to support latest kernels.
    • New KMD signature – LINUX_X64_MAP – supply the target system's kernel System.map via the -in option.
    • New kernel module: lx64_exec_root.
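The LINUX_X64_MAP signature above takes a System.map, the kernel's link-time symbol table. The Python below is an added illustration written for this page, not PCILeech's own code, of what such a map supplies and why it alone is not enough for a DMA tool: the map lists virtual addresses, KASLR shifts them at boot, and DMA reads physical memory. The sample map lines, the observed runtime address of _text and the phys_base value are constructed; how PCILeech itself consumes the map is not described on this page.

```python
import re
from typing import Dict, Optional

# Constructed System.map excerpt (format: "<16 hex digits> <type> <name>").
# Addresses are illustrative and not taken from any real kernel build.
SAMPLE_SYSTEM_MAP = """\
0000000000000000 D __per_cpu_start
ffffffff81000000 T _text
ffffffff81000000 T startup_64
ffffffff81001000 T secondary_startup_64
ffffffff81063e50 T commit_creds
ffffffff81064200 T prepare_kernel_cred
this line is junk and must be ignored
ffffffff82000000 D _edata
ffffffff82400000 B _end
"""

# x86-64 constants: kernel text is linked into the top 2GB of the virtual
# address space, and KASLR moves it in 2MB steps (CONFIG_PHYSICAL_ALIGN).
START_KERNEL_MAP = 0xFFFFFFFF80000000
KASLR_ALIGN = 0x200000

_MAP_LINE = re.compile(r"^([0-9a-fA-F]{16})\s+([A-Za-z?])\s+(\S+)$")


def parse_system_map(text: str) -> Dict[str, int]:
    """Map symbol name -> link-time virtual address, skipping malformed lines."""
    symbols: Dict[str, int] = {}
    for raw in text.splitlines():
        m = _MAP_LINE.match(raw.strip())
        if m is None:
            continue  # blank lines, comments, extraction debris
        addr, _sym_type, name = m.groups()
        symbols[name] = int(addr, 16)
    return symbols


def kaslr_slide(symbols: Dict[str, int], name: str, runtime_vaddr: int) -> int:
    """KASLR slide: observed runtime address minus the map's link-time address.

    Raises ValueError if the result is not 2MB aligned, which usually means the
    observed address or the System.map belongs to a different kernel build.
    """
    slide = runtime_vaddr - symbols[name]
    if slide % KASLR_ALIGN != 0:
        raise ValueError(f"slide {slide:#x} is not {KASLR_ALIGN:#x}-aligned; wrong map?")
    return slide


def resolve(symbols: Dict[str, int], name: str, slide: int = 0) -> Optional[int]:
    """Runtime virtual address of `name`, or None if the map lacks it."""
    base = symbols.get(name)
    return None if base is None else base + slide


def kernel_virt_to_phys(vaddr: int, phys_base: int) -> int:
    """Physical address backing a kernel-text virtual address on x86-64.

    DMA reads physical memory, so this is the address a DMA tool would fetch.
    phys_base is the (possibly randomized) physical load address of the kernel;
    it is 0 when the kernel sits at its default 16MB.
    """
    if vaddr < START_KERNEL_MAP:
        raise ValueError(f"{vaddr:#x} is not in the kernel text mapping")
    return vaddr - START_KERNEL_MAP + phys_base


if __name__ == "__main__":
    syms = parse_system_map(SAMPLE_SYSTEM_MAP)
    # Constructed observation: _text seen at this address on a live target.
    slide = kaslr_slide(syms, "_text", 0xFFFFFFFF9D000000)
    virt = resolve(syms, "commit_creds", slide)
    phys = kernel_virt_to_phys(virt, phys_base=0x3A000000)  # constructed value
    print(f"slide={slide:#x} commit_creds virt={virt:#x} phys={phys:#x}")
```

The alignment check matters in practice: a System.map from the wrong kernel build will still parse cleanly and still yield a number, so the 2MB test is the cheapest way to notice that the map and the target do not match before anything is written to kernel memory.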

Installing PCILeech:

Clone the PCILeech Github repository.

git clone https://github.com/ufrisk/pcileech.git

The binaries are found in pcileech_files and should work on 64-bit Windows and Linux. Please copy all files from pcileech_files since some files contain additional modules and signatures.

Windows:

The Google Android USB driver also has to be installed. Download it from http://developer.android.com/sdk/win-usb.html#download and unzip it. Open Device Manager, right-click the computer node and choose to add legacy hardware. Select installing the hardware manually, click Have Disk, navigate to the unzipped Android driver, select android_winusb.inf and install.

To mount live RAM and the target file system as a drive in Windows, the Dokany file system library must be installed. Please download and install the latest version of Dokany at https://github.com/dokan-dev/dokany/releases/latest

Linux and Android:

Please see the PCILeech-on-Linux guide for information about running PCILeech on Linux or PCILeech-on-Android for Android information.

Copyright (C) 2016 ufrisk