Inception – A Deep Dive Into PCI-Based DMA Memory Hacking

Inception is a physical memory manipulation and hacking tool exploiting PCI-based DMA. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe HW interfaces.

Inception aims to provide a relatively quick, stable and easy way of performing intrusive and non-intrusive memory hacks against live computers using DMA.

How It Works

Inception’s modules work as follows: By presenting a Serial Bus Protocol 2 (SBP-2) unit directory to the victim machine over a IEEE1394 FireWire interface, the victim operating system thinks that a SBP-2 device has connected to the FireWire port.

Since SBP-2 devices utilize Direct Memory Access (DMA) for fast, large bulk data transfers (e.g., FireWire hard drives and digital camcorders), the victim lowers its shields and enables DMA for the device.

The tool now has full read/write access to the lower 4GB of RAM on the victim.

Once DMA is granted, the tool proceeds to search through available memory pages for signatures at certain offsets in the operating system’s code.

Once found, the tool manipulates this code. For instance, in the unlock module, the tool short circuits the operating system’s password authentication module that is triggered if an incorrect password is entered.

After running that module you should be able to log into the victim machine using any password.

An analogy for this operation is planting an idea into the memory of the machine; the idea that every password is correct. In other words, the equivalent of a [memory inception].

Inception is free as in beer and a side project of mine.

Awesome! But Why?

The world’s forensics experts, governments and three-letter acronym agencies are using [similar tools] 2 already. So if you are a dissident or facing an opressive regime, this tool illustrates why OPSEC is important. Never leave your laptop.

Caveats

[OS X > 10.7.2] and [Windows > 8.1] 7 disables FireWire DMA when the user has locked the OS and thus prevents inception. The tool will still work while a user is logged on. However, this is a less probable attack scenario IRL.

In addition, [OS X Mavericks > 10.8.2 on Ivy Bridge (>= 2012 Macs)] have enabled VT-D, effectively blocking DMA requests and thwarting all inception modules even when the user is logged in. Look for vtd[0] fault entries in your log/console.

Even though these two caveats gradually will reduce the number of scenarios where this tool is useful, as of March 2015 [70 % of machines out there are still vulnerable].

Key Data

• Version: 0.4.2
• License: GPL
• Author: Carsten Maartmann-Moe (carsten@carmaa.com)
• Twitter: @MaartmannMoe

The tool makes use of the libforensic1394 library courtesy of Freddie Witherden under a LGPL license.

Requirements

Inception requires:

• Hardware:
  • Attacker machine: Linux or Mac OS X (host / attacker machine) with a FireWire interface, either through a native FireWire port, an ExpressCard/PCMCIA expansion port or a Thunderbolt to FireWire adapter.
  • Victim machine: A FireWire or Thunderbolt interface, or an ExpressCard/PCMCIA expansion port

Linux is currently recommended on the attacker side due to buggy firewire interfaces on OS X.

Note that direct ThunderBolt to ThunderBolt does not work, you need a FireWire adapter. Your mileage may vary when attempting to use Thunderbolt on Linux.

• Software:
  • Python 3
  • git
  • gcc (incl. g++)
  • cmake
  • pip (for automatic resolution of dependencies)
  • [libforensic1394]
  • msgpack

For more information click here.