pcileech 3.0 releases: Direct Memory Access (DMA) Attack Software
PCILeech uses PCIe hardware devices to read and write from the target system memory. This is achieved by using DMA over PCIe. No drivers are needed for the target system.
PCILeech supports multiple hardware devices. Currently, only the USB3380 hardware is publicly available. The USB3380 can natively read only 4GB of memory, but it can read all memory if a kernel module (KMD) is first inserted into the target system kernel.
PCILeech is capable of inserting a wide range of kernel implants into the targeted kernels – allowing for easy access to live RAM and the file system via a “mounted drive”. It is also possible to remove the logon password requirement, load unsigned drivers, execute code and spawn system shells. PCILeech runs on Windows/Linux/Android. Supported target systems are currently the x64 versions of UEFI, Linux, FreeBSD, macOS, and Windows.
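To gauge what the native 4GB limit means for a particular Linux machine, the following added example (not part of PCILeech or of the original page) sums how much System RAM in `/proc/iomem`-format text lies below the 4 GiB mark. It assumes the limit corresponds to physical addresses below 2^32; the sample memory map and all function names are constructed for illustration.

```python
import re

# Assumption: "4GB natively" means physical addresses below 2**32.
NATIVE_DMA_LIMIT = 1 << 32

# Constructed sample in /proc/iomem format (read the real file as root,
# otherwise the kernel reports every address as zero).
SAMPLE_IOMEM = """\
00001000-0009ffff : System RAM
000a0000-000bffff : PCI Bus 0000:00
00100000-bfffffff : System RAM
  01000000-01e02fff : Kernel code
c0000000-febfffff : PCI Bus 0000:00
100000000-43fffffff : System RAM
"""

LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) : (.+)$")


def system_ram_ranges(iomem_text):
    """Yield (start, end_inclusive) for top-level 'System RAM' entries."""
    for line in iomem_text.splitlines():
        if line.startswith(" "):      # nested entry, already inside its parent
            continue
        m = LINE.match(line)
        if m and m.group(3) == "System RAM":
            yield int(m.group(1), 16), int(m.group(2), 16)


def exposure(iomem_text, limit=NATIVE_DMA_LIMIT):
    """Return (bytes_below_limit, bytes_at_or_above_limit) of System RAM."""
    below = above = 0
    for start, end in system_ram_ranges(iomem_text):
        size = end - start + 1
        low = max(0, min(end + 1, limit) - start)  # part under the limit
        below += low
        above += size - low
    return below, above


if __name__ == "__main__":
    below, above = exposure(SAMPLE_IOMEM)
    total = below + above
    print(f"System RAM below 4 GiB: {below / 2**20:.0f} MiB "
          f"({100 * below / total:.0f}% of {total / 2**20:.0f} MiB)")
```

On machines with 4GB of RAM or less, the whole of System RAM falls in the first figure.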
- Retrieve memory from the target system at >150MB/s.
- Write data to the target system memory.
- 4GB memory can be accessed in native DMA mode.
- ALL memory can be accessed if kernel module (KMD) is loaded.
- Mount live RAM as file [Linux, Windows, macOS].
- Mount file system as drive [Linux, Windows, macOS].
- Execute kernel code on the target system.
- Spawn system shell [Windows].
- Spawn any executable [Windows].
- Load unsigned drivers [Windows].
- Pull files [Linux, FreeBSD, Windows, macOS].
- Push files [Linux, Windows, macOS].
- Patch / Unlock (remove password requirement) [Windows, macOS].
- Easy to create own kernel shellcode and/or custom signatures.
- Even more features not listed here …
- Initial release of the Memory Process File System.
- Various other changes and bug fixes.
Clone the PCILeech GitHub repository.
git clone https://github.com/ufrisk/pcileech.git
The binaries are found in pcileech_files and should work on 64-bit Windows and Linux. Please copy all files from pcileech_files since some files contain additional modules and signatures.
The Google Android USB driver also has to be installed. Download the Google Android USB driver from http://developer.android.com/sdk/win-usb.html#download and unzip it. Open Device Manager. Right-click on the computer and choose add legacy hardware. Select install the hardware manually. Click Have Disk. Navigate to the Android Driver, select android_winusb.inf and install.
To mount live RAM and the target file system as a drive in Windows, the Dokany file system library must be installed. Please download and install the latest version of Dokany at: https://github.com/dokan-dev/dokany/releases/latest
PCILeech on Linux must be run as root. PCILeech also requires libusb. Libusb is probably installed by default – if not, install it by running:
apt-get install libusb-1.0-0
Separate instructions for Android.
PCILeech uses the PLX Technologies USB3380 chip. The actual chip can be purchased for around $15, but it’s more convenient to purchase a development board on which the chip is already mounted. Development boards can be purchased from BPlus Technology, or on eBay / Ali Express. Please note that adapters may also be required, depending on your requirements. In addition to the USB3380, PCILeech also supports not-yet-released FPGA-based hardware.
The hardware confirmed working is:
- USB3380-EVB mini-PCIe card.
- PP3380-AB PCIe card.
Please note that the ExpressCard EC3380-AB is not working!
Please note that the USB3380-AB EVK-RC kit is not working!
- PE3B – ExpressCard to mini-PCIe.
- PE3A – ExpressCard to PCIe.
- ADP – PCIe to mini-PCIe.
- P15S-P15F – M.2 Key A+E to mini-PCIe.
- Sonnet Echo ExpressCard Pro – Thunderbolt to ExpressCard.
- Apple Thunderbolt3 (USB-C) – Thunderbolt2 dongle.
Please note that other adapters may also work.
In order to turn the USB3380 development board into a PCILeech device it must be flashed. Flashing may be done in Windows 10 (as administrator) or in Linux (as root). The board must be connected to the system via PCIe when performing the initial flash.
To flash in Windows 10 unzip all contents of the flash.zip archive found in
PCILeechFlash_Installer.exe and follow the instructions.
Flashing in 32-bit Windows or in Windows 7 is not supported.
If flashing fails or if Linux is preferred please see pcileech_flash/linux for instructions.
Copyright (C) 2016 ufrisk