PCILeech uses PCIe hardware devices to read and write from the target system memory. This is achieved by using DMA over PCIe. No drivers are needed on the target system.
PCILeech supports multiple memory acquisition devices. Primarily hardware based, but also dump files and software based techniques based on select security issues are supported. USB3380 based hardware is only able to read 4GB of memory natively, but is able to read all memory if a kernel module (KMD) is first inserted into the target system kernel. FPGA based hardware is able to read all memory.
PCILeech is capable of inserting a wide range of kernel implants into the targeted kernels – allowing for easy access to live ram and the file system via a “mounted drive”. It is also possible to remove the logon password requirement, loading unsigned drivers, executing code and spawn system shells. PCIleech runs on Windows/Linux/Android. Supported target systems are currently the x64 versions of: UEFI, Linux, FreeBSD, macOS and Windows.
PCILeech also supports the Memory Process File System – which can be used with PCILeech FPGA hardware devices in read-write mode or with memory dump files in read-only mode.
To get going clone the repository and find the required binaries, modules and configuration files in the pcileech_files folder.
- Retrieve memory from the target system at >150MB/s.
- Write data to the target system memory.
- 4GB memory can be accessed in native DMA mode (USB3380 hardware).
- ALL memory can be accessed in native DMA mode (FPGA hardware).
- ALL memory can be accessed if kernel module (KMD) is loaded.
- Raw PCIe TLP access (FPGA hardware).
- Mount live RAM as file [Linux, Windows, macOS*].
- Mount file system as drive [Linux, Windows, macOS*].
- Mount memory process file system as driver [Windows].
- Execute kernel code on the target system.
- Spawn system shell [Windows].
- Spawn any executable [Windows].
- Pull files [Linux, FreeBSD, Windows, macOS*].
- Push files [Linux, Windows, macOS*].
- Patch / Unlock (remove password requirement) [Windows, macOS*].
- Easy to create own kernel shellcode and/or custom signatures.
- Even more features not listed here …
Note : MacOS High Sierra is not supported.
PCILeech supports multiple hardware devices. Please check out the PCILeech FPGA project for information about supported FPGA based hardware. Please check out PCILeech USB3380 for information about USB3380 based hardware. PCILeech also support memory dump files for limited functionality.
Please find a device comparison table below.
|Device||Type||Interface||Speed||64-bit memory access||PCIe TLP access|
|USB3380-EVB||USB3380||USB3||150MB/s||No (via KMD only)||No|
|PP3380||USB3380||USB3||150MB/s||No (via KMD only)||No|
- PE3B – ExpressCard to mini-PCIe.
- PE3A – ExpressCard to PCIe.
- ADP – PCIe to mini-PCIe.
- P15S-P15F – M.2 Key A+E to mini-PCIe.
- Sonnet Echo ExpressCard Pro – Thunderbolt to ExpressCard.
- Apple Thunderbolt3 (USB-C) – Thunderbolt2 dongle.
Please note that other adapters may also work.
Please ensure you do have the most recent version of PCILeech by visiting the PCILeech github repository.
Clone the PCILeech Github repository. The binaries are found in pcileech_files and should work on 64-bit Windows and Linux. Please copy all files from pcileech_files since some files contains additional modules and signatures.
Please see the PCILeech-on-Windows guide for information about running PCILeech on Windows.
The Google Android USB driver have to be installed if USB3380 hardware is used. Download the Google Android USB driver from here Unzip the driver.
FTDI drivers have to be installed if FPGA is used with FT601 USB3 addon card. Download the 64-bit
FTD3XX.dll from FTDI and place it alongside
To mount live ram and target file system as drive in Windows the Dokany file system library must be installed. Please download and install the latest version of Dokany.
Linux and Android
Please see the project wiki pages for more examples. The wiki is in a buildup phase and information may still be missing.
Mount target system live RAM and file system, requires that a KMD is loaded. In this example 0x11abc000 is used.
pcileech.exe mount -kmd 0x11abc000
Show help for a specific kernel implant, in this case lx64_filepull kernel implant.
pcileech.exe lx64_filepull -help
Show help for the dump command.
pcileech.exe dump -help
Dump all memory from the target system given that a kernel module is loaded at address: 0x7fffe000.
pcileech.exe dump -kmd 0x7fffe000
Force dump memory below 4GB including accessible memory mapped devices using more stable USB2 approach.
pcileech.exe dump -force -usb2
Receive PCIe TLPs (Transaction Layer Packets) and print them on screen (correctly configured FPGA dev board required).
pcileech.exe tlp -vv -wait 1000
Probe/Enumerate the memory of the target system for readable memory pages and maximum memory. (FPGA hardware only).
Dump all memory between addresses min and max, don’t stop on failed pages. Native access to 64-bit memory is only supported on FPGA hardware.
pcileech.exe dump -min 0x0 -max 0x21e5fffff -force
Force the usage of a specific device (instead of default auto detecting it). The sp605_tcp device is not auto detected.
pcileech.exe pagedisplay -min 0x1000 -device sp605_tcp -device-addr 192.168.1.2
Mount the PCILeech Memory Process File System from a Windows 10 64-bit memory image.
pcileech.exe mount -device c:\temp\memdump_win10.raw
Dump memory using the the reported “TotalMeltdown” Windows 7/2008R2 x64 PML4 page table permission vulnerability.
pcileech.exe dump -out memdump_win7.raw -device totalmeltdown -v -force
PCILeech comes with built in signatures for Windows, Linux, FreeBSD and macOS. For Windows 10 it is also possible to use the pcileech_gensig.exe program to generate alternative signatures.
- Read and write errors on some hardware with the USB3380. Try
pcileech.exe testmemreadwrite -min 0x1000to test memory reads and writes against the physical address 0x1000 (or any other address) in order to confirm. If issues exists downgrading to USB2 may help.
- The PCIeScreamer device may currently experience instability depending on target configuration and any adapters used.
- Does not work if the OS uses the IOMMU/VT-d. This is the default on macOS (unless disabled in recovery mode). Windows 10 with Virtualization based security features enabled does not work fully – this is however not the default setting in Windows 10 or Linux.
- Some Linux kernels does not work. Sometimes a required symbol is not exported in the kernel and PCILeech fails.
- Linux based on the 4.8 kernel and later might not work with the USB3380 hardware. As an alternative, if target root access exists, compile and insert .ko (pcileech_kmd/linux). If the system is EFI booted an alternative signature exists.
- Windows 7: signatures are not published.
- File system mount, including the Memory Process File System, support only exists for Windows.