Inception is a physical memory manipulation and hacking tool exploiting PCI-based DMA. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe HW interfaces.
Inception aims to provide a relatively quick, stable and easy way of performing intrusive and non-intrusive memory hacks against live computers using DMA.
Inception’s modules work as follows: By presenting a Serial Bus Protocol 2 (SBP-2) unit directory to the victim machine over a IEEE1394 FireWire interface, the victim operating system thinks that a SBP-2 device has connected to the FireWire port.
Since SBP-2 devices utilize Direct Memory Access (DMA) for fast, large bulk data transfers (e.g., FireWire hard drives and digital camcorders), the victim lowers its shields and enables DMA for the device.
The tool now has full read/write access to the lower 4GB of RAM on the victim.
Once DMA is granted, the tool proceeds to search through available memory pages for signatures at certain offsets in the operating system’s code.
Once found, the tool manipulates this code. For instance, in the unlock module, the tool short circuits the operating system’s password authentication module that is triggered if an incorrect password is entered.
After running that module you should be able to log into the victim machine using any password.
An analogy for this operation is planting an idea into the memory of the machine; the idea that every password is correct. In other words, the equivalent of a [memory inception].
Inception is free as in beer and a side project of mine.
The world’s forensics experts, governments and three-letter acronym agencies are using [similar tools] 2 already. So if you are a dissident or facing an opressive regime, this tool illustrates why OPSEC is important. Never leave your laptop.
[OS X > 10.7.2] and [Windows > 8.1] 7 disables FireWire DMA when the user has locked the OS and thus prevents inception. The tool will still work while a user is logged on. However, this is a less probable attack scenario IRL.
In addition, [OS X Mavericks > 10.8.2 on Ivy Bridge (>= 2012 Macs)] have enabled VT-D, effectively blocking DMA requests and thwarting all inception modules even when the user is logged in. Look for vtd[0] fault entries in your log/console.
Even though these two caveats gradually will reduce the number of scenarios where this tool is useful, as of March 2015 [70 % of machines out there are still vulnerable].
The tool makes use of the libforensic1394 library courtesy of Freddie Witherden under a LGPL license.
Inception requires:
Linux is currently recommended on the attacker side due to buggy firewire interfaces on OS X.
Note that direct ThunderBolt to ThunderBolt does not work, you need a FireWire adapter. Your mileage may vary when attempting to use Thunderbolt on Linux.
For more information click here.
bomber is an application that scans SBOMs for security vulnerabilities. So you've asked a vendor…
Embed a payload within a PNG file by splitting the payload across multiple IDAT sections.…
Exploit-Street, where we dive into the ever-evolving world of cybersecurity with a focus on Local…
Shadow Dumper is a powerful tool used to dump LSASS (Local Security Authority Subsystem Service)…
shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…
Extract and execute a PE embedded within a PNG file using an LNK file. The…