PCILeech

Category: IT Technology · Published: 4 years ago


PCILeech Summary:

PCILeech uses PCIe hardware devices to read and write target system memory. This is achieved by using DMA over PCIe. No drivers are needed on the target system.

PCILeech also works without hardware together with a wide range of software memory acquisition methods supported by the LeechCore library - including capture of remote live memory using DumpIt or WinPmem. PCILeech also supports local capture of memory and a number of memory dump file formats.

PCILeech supports multiple memory acquisition devices, both hardware and software based. USB3380 based hardware is only able to read 4GB of memory natively, but is able to read all memory if a kernel module (KMD) is first inserted into the target system kernel. FPGA based hardware, and software based methods, are able to read all memory.

PCILeech is capable of inserting a wide range of kernel implants into the targeted kernels - allowing for easy access to live RAM and the file system via a "mounted drive". It is also possible to remove the logon password requirement, load unsigned drivers, execute code and spawn system shells. PCILeech runs on Windows and Linux. Supported target systems are currently the x64 versions of: UEFI, Linux, FreeBSD, macOS and Windows. This requires write access to memory (USB3380 hardware, FPGA hardware or CVE-2018-1038 "Total Meltdown").

To get going clone the sources in the repository or download the latest binaries, modules and configuration files.

For use cases and more detailed information check out this readme and the project wiki pages.


Capabilities:

  • Retrieve memory from the target system at >150MB/s.
  • Retrieve remote memory from remote LeechService.
  • Write data to the target system memory.
  • 4GB memory can be accessed in native DMA mode (USB3380 hardware).
  • ALL memory can be accessed in native DMA mode (FPGA hardware).
  • ALL memory can be accessed if kernel module (KMD) is loaded.
  • Raw PCIe TLP access (FPGA hardware).
  • Mount live RAM as file [Linux, Windows, macOS Sierra*].
  • Mount file system as drive [Linux, Windows, macOS Sierra*].
  • Execute kernel code on the target system.
  • Spawn system shell and other executables [Windows].
  • Pull and Push files [Linux, FreeBSD, Windows, macOS Sierra*].
  • Patch / Unlock (remove password requirement) [Windows, macOS Sierra*].
  • Easy to create own kernel shellcode and/or custom signatures.
  • Connect to a remote LeechAgent over the network to remotely:
    • Dump physical memory over the network.
    • Execute Python memory analysis scripts on the remote host.
  • Even more features not listed here ...

*) macOS High Sierra and above are not supported.

Memory Acquisition Methods:

PCILeech supports both hardware based and software based memory acquisition methods. All memory acquisition is handled by the LeechCore library.

Hardware based memory acquisition methods:

Please find a summary of the supported hardware based memory acquisition methods listed below. All hardware based memory acquisition methods are supported on both Windows and Linux. The FPGA based methods however carry a slight performance penalty on Linux and will max out at approx. 90MB/s compared to 150MB/s on Windows.

| Device | Type | Interface | Speed | 64-bit memory access | PCIe TLP access |
| --- | --- | --- | --- | --- | --- |
| ScreamerM2 | FPGA | USB3 | 100MB/s | Yes | Yes |
| PCIeScreamer | FPGA | USB3 | 100MB/s | Yes | Yes |
| AC701/FT601 | FPGA | USB3 | 150MB/s | Yes | Yes |
| SP605/FT601 | FPGA | USB3 | 75MB/s | Yes | Yes |
| SP605/TCP | FPGA | TCP/IP | 100kB/s | Yes | Yes |
| NeTV2/UDP | FPGA | UDP/IP | 7MB/s | Yes | Yes |
| USB3380-EVB | USB3380 | USB3 | 150MB/s | No | No |
| PP3380 | USB3380 | USB3 | 150MB/s | No | No |
| DMA patched HP iLO | BMC | TCP/IP | 1MB/s | Yes | No |

Software based memory acquisition methods:

Please find a summary of the supported software based memory acquisition methods listed below. Please note that the LeechService only provides a network connection to a remote LeechCore library. It's possible to use both hardware and software based memory acquisition once connected.

| Device | Type | Linux Support |
| --- | --- | --- |
| RAW physical memory dump | File | Yes |
| Full Microsoft Crash Dump | File | Yes |
| Full ELF Core Dump | File | Yes |
| Hyper-V Saved State | File | No |
| TotalMeltdown | CVE-2018-1038 | No |
| DumpIt /LIVEKD | Live Memory | No |
| WinPMEM | Live Memory | No |
| LeechService* | Remote | No |

Installing PCILeech:

Please ensure you do have the most recent version of PCILeech by visiting the PCILeech github repository at: https://github.com/ufrisk/pcileech

Get the latest binaries, modules and configuration files from the latest release. Alternatively clone the repository and build from source.

Windows:

Please see the PCILeech on Windows guide for information about running PCILeech on Windows.

The Google Android USB driver has to be installed if USB3380 hardware is used. Download the Google Android USB driver from: http://developer.android.com/sdk/win-usb.html#download and unzip the driver.

FTDI drivers have to be installed if FPGA is used with FT601 USB3 addon card or PCIeScreamer. Download the 64-bit FTD3XX.dll from FTDI and place it alongside pcileech.exe.

To mount live ram and target file system as drive in Windows the Dokany file system library must be installed. Please download and install the latest version of Dokany at: https://github.com/dokan-dev/dokany/releases/latest

Linux:

Please see the PCILeech on Linux guide for information about running PCILeech on Linux.

Examples:

Please see the project wiki pages for more examples. The wiki is in a buildup phase and information may still be missing.

Mount target system live RAM and file system; requires that a KMD is loaded. In this example the KMD is loaded at 0x11abc000.

  • pcileech.exe mount -kmd 0x11abc000

Show help for a specific kernel implant, in this case lx64_filepull kernel implant.

  • pcileech.exe lx64_filepull -help

Show help for the dump command.

  • pcileech.exe dump -help

Dump all memory from the target system given that a kernel module is loaded at address: 0x7fffe000.

  • pcileech.exe dump -kmd 0x7fffe000

Force dump memory below 4GB including accessible memory mapped devices using more stable USB2 approach on USB3380.

  • pcileech.exe dump -force -device usb3380://usb2

Receive PCIe TLPs (Transaction Layer Packets) and print them on screen (correctly configured FPGA dev board required).

  • pcileech.exe tlp -vv -wait 1000

Probe/Enumerate the memory of the target system for readable memory pages and maximum memory. (FPGA hardware only).

  • pcileech.exe probe

Dump all memory between addresses min and max, don't stop on failed pages. Native access to 64-bit memory is only supported on FPGA hardware.

  • pcileech.exe dump -min 0x0 -max 0x21e5fffff -force
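To make the probe and forced-dump behaviour above concrete, here is an added simulation (not PCILeech's or LeechCore's own code) of how readable pages are enumerated into ranges and how a dump proceeds past pages that fail to read. The DMA device, its page map and the zero-fill policy for failed pages are constructed assumptions for this illustration.

```python
# Added example, not PCILeech code: simulates "probe" and "dump -min/-max -force"
# over a DMA device in which some pages fail to read.
PAGE = 0x1000


class FakeDmaDevice:
    """Constructed stand-in for a DMA acquisition device (hypothetical)."""

    def __init__(self, readable_pages, max_addr):
        self.readable = readable_pages   # set of page-aligned addresses that read OK
        self.max_addr = max_addr         # highest address the device will try

    def read_page(self, addr):
        """Return 4KiB of data, or None when the read fails (unmapped/blocked)."""
        if addr not in self.readable:
            return None
        # Constructed content: each page is filled with its own page number.
        return (addr >> 12).to_bytes(4, "little") * (PAGE // 4)


def probe(dev, lo=0, hi=None):
    """Enumerate readable pages and coalesce them into [start, end) ranges,
    the way the probe command reports readable memory and the maximum address."""
    hi = dev.max_addr if hi is None else hi
    ranges, start = [], None
    for addr in range(lo, hi, PAGE):
        ok = dev.read_page(addr) is not None
        if ok and start is None:
            start = addr
        elif not ok and start is not None:
            ranges.append((start, addr))
            start = None
    if start is not None:
        ranges.append((start, hi))
    return ranges


def dump(dev, lo, hi, force=False):
    """Dump [lo, hi). Without force, stop at the first failed page; with force,
    continue and zero-fill failed pages (this simulation's choice) so that file
    offsets stay aligned with physical addresses. Returns (data, failed_pages)."""
    lo &= ~(PAGE - 1)
    hi = (hi + PAGE - 1) & ~(PAGE - 1)
    out, failed = bytearray(), []
    for addr in range(lo, hi, PAGE):
        data = dev.read_page(addr)
        if data is None:
            if not force:
                break
            failed.append(addr)
            data = bytes(PAGE)
        out += data
    return bytes(out), failed
```

The list of failed pages is what a forensic analyst would compare against the probe ranges to know which parts of an acquired image are real content and which are fill.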

Force the usage of a specific device (instead of default auto detecting it). The pmem device is not auto detected.

  • pcileech.exe pagedisplay -min 0x1000 -device pmem

Dump remote memory from a remote LeechAgent using connection encrypted and mutually authenticated by kerberos.

  • pcileech.exe dump -device pmem -remote rpc://computer$@ad.contoso.com

Execute the Python analysis script find-rwx.py on a remote computer using the LeechAgent embedded Python environment.

  • pcileech.exe agent-execpy -in find-rwx.py -device pmem -remote rpc://computer$@ad.contoso.com

Dump memory using the reported "TotalMeltdown" Windows 7/2008R2 x64 PML4 page table permission vulnerability.

  • pcileech.exe dump -out memdump_win7.raw -device totalmeltdown -v -force

Insert a kernel module into a running Linux system remotely via a DMA patched HP iLO.

  • pcileech.exe kmdload -vvv -device rawtcp -device-addr 127.0.0.1 -device-port 8888 -kmd LINUX_X64_48

Generating Signatures:

PCILeech comes with built in signatures for Windows, Linux, FreeBSD and macOS. There is also an optional, now obsoleted method of generating signatures by using the pcileech_gensig.exe program.

Limitations/Known Issues:

pcileech.exe testmemreadwrite -min 0x1000

Building:

The binaries are found in the releases section of this repository. If you wish to build your own version it is possible to do so. Please see the PCILeech on Windows or PCILeech on Linux guides for more information about building PCILeech. PCILeech is also dependent on LeechCore and optionally (for some extra functionality) on The Memory Process File System, which must both be built separately.

Links:

Projects:

Other:

Changelog:

v1.0

  • Initial release.

v1.1-v3.6

  • Various updates; please see individual releases for more information.

v4.0

  • Major cleanup and internal refactorings.
  • FPGA max memory auto-detect and more stable dumping strategy.
  • New stable Windows 10 kernel injects with FPGA hardware on non-virtualization based security systems.
  • User mode injects (experimental).
  • Removal of built-in device support - the LeechCore leechcore.dll / leechcore.so library is now used instead. New devices include:
    • Memory dump files (raw linear dump files and Microsoft crash dump files).
    • Hyper-V save files.
    • Live memory via DumpIt / WinPmem.
    • Remote devices via the -remote setting.
  • Removal of API and built-in Memory Process File System - please use the more capable APIs in the LeechCore and Memory Process File System instead.
  • Multiple other changes and syntax updates.

v4.1

  • LeechAgent support - remote memory acquisition and analysis.

v4.2

  • Signature updates:
    • Linux kernel module - LINUX_X64_48 (latest versions)
    • Win10 1903 kernel module - WIN10_X64_2 (requires windows version of PCILeech)

v4.3

  • Bug fixes.
  • Support for new device (NeTV2 / RawUDP) via LeechCore library.

v4.4

  • Bug fixes and stability improvements.
  • Support for MemProcFS v3 library.
  • Code signing of binaries.
  • "tlploop" command.
