PCILeech uses PCIe hardware devices to read and write from the target system memory. This is achieved by using DMA over PCIe. No drivers are needed on the target system.
PCILeech supports multiple memory acquisition devices. Primarily hardware based, but also dump files and software based techniques based on select security issues are supported. USB3380 based hardware is only able to read 4GB of memory natively, but is able to read all memory if a kernel module (KMD) is first inserted into the target system kernel. FPGA based hardware is able to read all memory.
PCILeech is capable of inserting a wide range of kernel implants into the targeted kernels – allowing for easy access to live ram and the file system via a “mounted drive”. It is also possible to remove the logon password requirement, loading unsigned drivers, executing code and spawn system shells. PCIleech runs on Windows/Linux/Android. Supported target systems are currently the x64 versions of: UEFI, Linux, FreeBSD, macOS and Windows.
PCILeech also supports the Memory Process File System – which can be used with PCILeech FPGA hardware devices in read-write mode or with memory dump files in read-only mode.
To get going clone the repository and find the required binaries, modules and configuration files in the pcileech_files folder.
Note : MacOS High Sierra is not supported.
PCILeech supports multiple hardware devices. Please check out the PCILeech FPGA project for information about supported FPGA based hardware. Please check out PCILeech USB3380 for information about USB3380 based hardware. PCILeech also support memory dump files for limited functionality.
Please find a device comparison table below.
Device | Type | Interface | Speed | 64-bit memory access | PCIe TLP access |
---|---|---|---|---|---|
AC701/FT601 | FPGA | USB3 | 150MB/s | Yes | Yes |
PCIeScreamer | FPGA | USB3 | 100MB/s | Yes | Yes |
SP605/FT601 | FPGA | USB3 | 75MB/s | Yes | Yes |
SP605/TCP | FPGA | TCP/IP | 100kB/s | Yes | Yes |
USB3380-EVB | USB3380 | USB3 | 150MB/s | No (via KMD only) | No |
PP3380 | USB3380 | USB3 | 150MB/s | No (via KMD only) | No |
Recommended adapters
Please note that other adapters may also work.
Also Read GoldenEye – GoldenEye Layer 7 DoS Test Tool
Please ensure you do have the most recent version of PCILeech by visiting the PCILeech github repository.
Clone the PCILeech Github repository. The binaries are found in pcileech_files and should work on 64-bit Windows and Linux. Please copy all files from pcileech_files since some files contains additional modules and signatures.
Please see the PCILeech-on-Windows guide for information about running PCILeech on Windows.
The Google Android USB driver have to be installed if USB3380 hardware is used. Download the Google Android USB driver from here Unzip the driver.
FTDI drivers have to be installed if FPGA is used with FT601 USB3 addon card. Download the 64-bit FTD3XX.dll
from FTDI and place it alongside pcileech.exe
.
To mount live ram and target file system as drive in Windows the Dokany file system library must be installed. Please download and install the latest version of Dokany.
Please see the PCILeech-on-Linux guide for information about running PCILeech on Linux or PCILeech-on-Android for Android information.
Please see the project wiki pages for more examples. The wiki is in a buildup phase and information may still be missing.
Mount target system live RAM and file system, requires that a KMD is loaded. In this example 0x11abc000 is used.
pcileech.exe mount -kmd 0x11abc000
Show help for a specific kernel implant, in this case lx64_filepull kernel implant.
pcileech.exe lx64_filepull -help
Show help for the dump command.
pcileech.exe dump -help
Dump all memory from the target system given that a kernel module is loaded at address: 0x7fffe000.
pcileech.exe dump -kmd 0x7fffe000
Force dump memory below 4GB including accessible memory mapped devices using more stable USB2 approach.
pcileech.exe dump -force -usb2
Receive PCIe TLPs (Transaction Layer Packets) and print them on screen (correctly configured FPGA dev board required).
pcileech.exe tlp -vv -wait 1000
Probe/Enumerate the memory of the target system for readable memory pages and maximum memory. (FPGA hardware only).
pcileech.exe probe
Dump all memory between addresses min and max, don’t stop on failed pages. Native access to 64-bit memory is only supported on FPGA hardware.
pcileech.exe dump -min 0x0 -max 0x21e5fffff -force
Force the usage of a specific device (instead of default auto detecting it). The sp605_tcp device is not auto detected.
pcileech.exe pagedisplay -min 0x1000 -device sp605_tcp -device-addr 192.168.1.2
Mount the PCILeech Memory Process File System from a Windows 10 64-bit memory image.
pcileech.exe mount -device c:\temp\memdump_win10.raw
Dump memory using the the reported “TotalMeltdown” Windows 7/2008R2 x64 PML4 page table permission vulnerability.
pcileech.exe dump -out memdump_win7.raw -device totalmeltdown -v -force
PCILeech comes with built in signatures for Windows, Linux, FreeBSD and macOS. For Windows 10 it is also possible to use the pcileech_gensig.exe program to generate alternative signatures.
pcileech.exe testmemreadwrite -min 0x1000
to test memory reads and writes against the physical address 0x1000 (or any other address) in order to confirm. If issues exists downgrading to USB2 may help.bomber is an application that scans SBOMs for security vulnerabilities. So you've asked a vendor…
Embed a payload within a PNG file by splitting the payload across multiple IDAT sections.…
Exploit-Street, where we dive into the ever-evolving world of cybersecurity with a focus on Local…
Shadow Dumper is a powerful tool used to dump LSASS (Local Security Authority Subsystem Service)…
shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…
Extract and execute a PE embedded within a PNG file using an LNK file. The…