
Pcileech

Direct Memory Access (DMA) Attack Software

About this skill

Quality Score

0/100

Supported Platforms

Universal

README

PCILeech Summary:

PCILeech uses PCIe hardware devices to read and write target system memory. This is achieved by using DMA over PCIe. No drivers are needed on the target system.

PCILeech also works without hardware, together with a wide range of software memory acquisition methods supported by the LeechCore library, including capture of remote live memory using DumpIt or WinPmem. PCILeech also supports local capture of memory and a number of memory dump file formats.

PCILeech supports multiple memory acquisition devices, both hardware and software based. USB3380 based hardware is only able to read 4GB of memory natively, but is able to read all memory if a kernel module (KMD) is first inserted into the target system kernel. FPGA based hardware, and software based methods, are able to read all memory.

PCILeech is capable of inserting a wide range of kernel implants into the targeted kernels, allowing easy access to live RAM and the file system via a "mounted drive". It is also possible to remove the logon password requirement, load unsigned drivers, execute code and spawn system shells. PCILeech runs on Windows and Linux. Supported target systems are currently the x64 versions of UEFI, Linux, FreeBSD and Windows. This requires write access to memory (USB3380 hardware, FPGA hardware, LiveCloudKd or CVE-2018-1038 "Total Meltdown").

To get going clone the sources in the repository or download the latest binaries, modules and configuration files.

The PushPin GUI frontend for PCILeech makes common RedTeam tasks super easy. Note that PushPin is not part of the official PCILeech distribution.


Capabilities:

  • Retrieve memory from the target system at >150MB/s.
  • Retrieve remote memory from remote LeechService.
  • Write data to the target system memory.
  • 4GB memory can be accessed in native DMA mode (USB3380 hardware).
  • ALL memory can be accessed in native DMA mode (FPGA hardware).
  • ALL memory can be accessed if kernel module (KMD) is loaded.
  • Raw PCIe TLP access (FPGA hardware).
  • Mount live RAM as file [Linux, Windows, macOS Sierra*].
  • Mount file system as drive [Linux, Windows, macOS Sierra*].
  • Execute kernel code on the target system.
  • Spawn system shell and other executables [Windows].
  • Pull and Push files [Linux, FreeBSD, Windows, macOS Sierra*].
  • Patch / Unlock (remove password requirement) [Windows, macOS Sierra*].
  • Easy to create own kernel shellcode and/or custom signatures.
  • Connect to a remote LeechAgent over the network to remotely:
    • Dump physical memory over the network.
    • Execute Python memory analysis scripts on the remote host.
  • Even more features not listed here ...

*) macOS High Sierra and above are not supported.

Memory Acquisition Methods:

PCILeech supports both hardware based and software based memory acquisition methods. All memory acquisition is handled by the LeechCore library.

Hardware based memory acquisition methods:

Please find a summary of the supported hardware based memory acquisition methods listed below. All hardware based memory acquisition methods are supported on both Windows and Linux. The FPGA based methods however incur a slight performance penalty on Linux and max out at approximately 90MB/s, compared to 150MB/s on Windows.

| Device | Type | Interface | Speed | 64-bit memory access | PCIe TLP access | Project Sponsor |
| ------------------ | ------- | ------------ | -------- | -------------------- | --------------- | --------------- |
| ZDMA | FPGA | Thunderbolt3 | 1000MB/s | Yes | Yes | 💖 |
| GBOX | FPGA | OCuLink | 400MB/s | Yes | Yes | 💖 |
| LeetDMA | FPGA | USB-C | 190MB/s | Yes | Yes | 💖 |
| CaptainDMA M2 | FPGA | USB-C | 190MB/s | Yes | Yes | 💖 |
| CaptainDMA 4.1th | FPGA | USB-C | 190MB/s | Yes | Yes | 💖 |
| CaptainDMA 75T | FPGA | USB-C | 200MB/s | Yes | Yes | 💖 |
| CaptainDMA 100T | FPGA | USB-C | 220MB/s | Yes | Yes | 💖 |
| AC701/FT601 | FPGA | USB3 | 190MB/s | Yes | Yes | |
| USB3380-EVB | USB3380 | USB3 | 150MB/s | No | No | |
| DMA patched HP iLO | BMC | TCP | 1MB/s | Yes | No | |
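The two right-hand columns of the table are tied together at the protocol level: a PCIe Memory Read Request carries its target address either in a 3DW header (32-bit address, low 4GB only) or a 4DW header (64-bit address). A device whose DMA engine only emits 32-bit addresses can therefore reach nothing above 4GB on its own, which is the boundary behind the "4GB natively" limitation above. The following encoder/decoder for the Memory Read Request header is an added example written for this page; it is not PCILeech or LeechCore code and does not reproduce the FPGA firmware's actual TLP interface. The bus/device/function values, tag and addresses in the usage are constructed. Field positions follow the PCIe base specification (Fmt/Type in DW0, Requester ID/Tag/Byte Enables in DW1, address in DW2 or DW2-DW3, header DWs big-endian on the wire).

```python
"""Encode and decode a PCIe Memory Read Request (MRd) TLP header.

Added illustration for the '64-bit memory access' and 'PCIe TLP access'
columns; not PCILeech/LeechCore code. Requester IDs, tags and addresses
used below are constructed values.
"""
import struct

MRD_TYPE = 0b00000          # Type field for Memory Read Request
FMT_3DW_NO_DATA = 0b000     # 32-bit address, 3 header DWs
FMT_4DW_NO_DATA = 0b001     # 64-bit address, 4 header DWs


def requester_id(bus: int, device: int, function: int) -> int:
    """Pack bus:device.function the way it appears in DW1 bits 31:16."""
    if not (0 <= bus < 256 and 0 <= device < 32 and 0 <= function < 8):
        raise ValueError("invalid BDF")
    return (bus << 8) | (device << 3) | function


def encode_mrd(addr: int, length_dw: int, req_id: int, tag: int,
               first_be: int = 0xF, last_be: int = 0xF) -> bytes:
    """Build the header of a read request for length_dw DWs at addr.

    Picks the 3DW form when the address fits in 32 bits, the 4DW form
    otherwise. Enforces DW alignment, the 1..1024 DW length range, the
    rule that a request must not cross a 4KB boundary, and that Last DW
    BE is zero for a single-DW request.
    """
    if addr & 0x3:
        raise ValueError("address must be DW aligned")
    if not 1 <= length_dw <= 1024:
        raise ValueError("Length is 1..1024 DW")
    if (addr & 0xFFF) + length_dw * 4 > 0x1000:
        raise ValueError("request must not cross a 4KB boundary")
    if not 0 <= tag <= 0xFF or not 0 <= req_id <= 0xFFFF:
        raise ValueError("tag or requester id out of range")
    if length_dw == 1:
        last_be = 0
    fmt = FMT_3DW_NO_DATA if addr < (1 << 32) else FMT_4DW_NO_DATA
    dw0 = (fmt << 29) | (MRD_TYPE << 24) | (length_dw & 0x3FF)  # 1024 encodes as 0
    dw1 = (req_id << 16) | (tag << 8) | ((last_be & 0xF) << 4) | (first_be & 0xF)
    if fmt == FMT_3DW_NO_DATA:
        return struct.pack(">III", dw0, dw1, addr & 0xFFFFFFFC)
    return struct.pack(">IIII", dw0, dw1, addr >> 32, addr & 0xFFFFFFFC)


def decode_mrd(tlp: bytes) -> dict:
    """Parse a 3DW or 4DW Memory Read Request header into its fields."""
    if len(tlp) not in (12, 16):
        raise ValueError("MRd header is 12 or 16 bytes")
    dw0, dw1 = struct.unpack_from(">II", tlp, 0)
    fmt, typ = dw0 >> 29, (dw0 >> 24) & 0x1F
    if typ != MRD_TYPE or fmt not in (FMT_3DW_NO_DATA, FMT_4DW_NO_DATA):
        raise ValueError("not a Memory Read Request")
    expected_len = 12 if fmt == FMT_3DW_NO_DATA else 16
    if len(tlp) != expected_len:
        raise ValueError("header length does not match Fmt")
    if fmt == FMT_3DW_NO_DATA:
        (addr,) = struct.unpack_from(">I", tlp, 8)
    else:
        hi, lo = struct.unpack_from(">II", tlp, 8)
        addr = (hi << 32) | lo
    return {
        "fmt": fmt,
        "length_dw": (dw0 & 0x3FF) or 1024,
        "req_id": dw1 >> 16,
        "tag": (dw1 >> 8) & 0xFF,
        "last_be": (dw1 >> 4) & 0xF,
        "first_be": dw1 & 0xF,
        "addr": addr & ~0x3,
    }


if __name__ == "__main__":
    rid = requester_id(0x04, 0, 0)                  # constructed BDF 04:00.0
    low = encode_mrd(0x1000, 1, rid, 0x12)          # 3DW header, below 4GB
    high = encode_mrd(0x1_0000_1000, 1, rid, 0x12)  # 4DW header, above 4GB
    print(len(low), low.hex())
    print(len(high), high.hex())
    print(decode_mrd(high))
```

On a target with an IOMMU doing DMA remapping, the request above is translated or rejected according to the Requester ID it carries; that is the mitigation the "no drivers needed on the target" model runs into, and the reason the 64-bit column matters only once the device is actually allowed to reach the memory at all.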

Software based memory acquisition methods:

Please find a summary of the supported software based memory acquisition methods listed below. Please note that the LeechService only provides a network connection to a remote LeechCore library. It's possible to use both hardware and software based memory acquisition once connected.

| Device | Type | Volatile | Write | Linux Support | Plugin |
| -------------------------- | ---------------- | -------- | ----- | ------------- | ------ |
| RAW physical memory dump | File | No | No | Yes | No |
| Full Microsoft Crash Dump | File | No | No | Yes | No |
| Full ELF Core Dump | File | No | No | Yes | No |
| VMware | Live Memory | Yes | Yes | No | No |
| VMware memory save file | File | No | No | Yes | No |
| TotalMeltdown | CVE-2018-1038 | Yes | Yes | No | No |
| DumpIt /LIVEKD | Live Memory | Yes | No | No | No |
| WinPMEM | Live Memory | Yes | No | No | No |
| LiveKd | Live Memory | Yes | No | No | No |
| LiveCloudKd | Live Memory | Yes | Yes | No | Yes |
| Hyper-V Saved State | File | No | No | No | Yes |
| LeechAgent* | Remote | | | No | No |
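The file-backed methods in the table (RAW dump, Microsoft crash dump, ELF core dump) all reduce to the same operation: translate a physical address into a file offset using the run table the dump format carries, and refuse reads that land in a hole between runs instead of returning zeros. The following is an added example of that translation for the "Full ELF Core Dump" case, written for this page and not taken from LeechCore or PCILeech. It assumes an ELF64 little-endian ET_CORE file whose PT_LOAD segments carry the physical base in p_paddr (the convention used by physical-memory cores from hypervisors and kernel dumpers); the `Run` type, the `build_sample_core` helper and the three constructed runs are assumptions made for the demonstration.

```python
"""Physical-address reads over an ELF core dump's PT_LOAD run table.

Added example, not LeechCore/PCILeech code. The sample core below is
constructed in memory so the script runs offline.
"""
from __future__ import annotations
import struct
from dataclasses import dataclass

ELF_MAGIC = b"\x7fELF"
ET_CORE, EM_X86_64 = 4, 62
PT_LOAD, PT_NOTE = 1, 4
EHDR_FMT = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, 64 bytes
PHDR_FMT = "<IIQQQQQQ"           # Elf64_Phdr, 56 bytes


@dataclass(frozen=True)
class Run:
    pa: int    # physical base address of the run
    size: int  # bytes backed in the file (p_filesz)
    off: int   # file offset of the run's first byte (p_offset)


def parse_elf_core(buf: bytes) -> list[Run]:
    """Validate the ELF header and return the sorted, non-overlapping PT_LOAD runs."""
    if len(buf) < 64 or buf[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if buf[4] != 2 or buf[5] != 1:
        raise ValueError("only ELF64 little-endian cores are handled")
    (_, e_type, _, _, _, e_phoff, _, _, _,
     e_phentsize, e_phnum, *_rest) = struct.unpack_from(EHDR_FMT, buf, 0)
    if e_type != ET_CORE:
        raise ValueError("e_type is not ET_CORE")
    if e_phentsize != struct.calcsize(PHDR_FMT):
        raise ValueError("unexpected program header size")
    runs: list[Run] = []
    for i in range(e_phnum):
        p_type, _, p_offset, _, p_paddr, p_filesz, _, _ = struct.unpack_from(
            PHDR_FMT, buf, e_phoff + i * e_phentsize)
        if p_type != PT_LOAD or p_filesz == 0:
            continue  # notes and empty segments carry no physical memory
        if p_offset + p_filesz > len(buf):
            raise ValueError(f"PT_LOAD #{i} points past end of file")
        runs.append(Run(p_paddr, p_filesz, p_offset))
    runs.sort(key=lambda r: r.pa)
    for a, b in zip(runs, runs[1:]):
        if a.pa + a.size > b.pa:
            raise ValueError("overlapping PT_LOAD runs")
    return runs


def read_phys(buf: bytes, runs: list[Run], pa: int, cb: int) -> bytes | None:
    """Return cb bytes at physical address pa, or None if any byte is unbacked.

    A read may span adjacent runs; a read touching a hole fails as a whole
    rather than being padded, since a zero-filled hole is indistinguishable
    from real zero pages to the caller.
    """
    out, cur, end = bytearray(), pa, pa + cb
    for r in runs:
        if cur >= end:
            break
        if r.pa <= cur < r.pa + r.size:
            n = min(end, r.pa + r.size) - cur
            fo = r.off + (cur - r.pa)
            out += buf[fo:fo + n]
            cur += n
    return bytes(out) if cur == end else None


def build_sample_core() -> bytes:
    """Constructed ELF core: three runs with a hole between 0x3000 and 0x100000."""
    data_off = 0x1000
    segments = [(0x1000, b"A" * 0x2000), (0x100000, b"B" * 0x1000), (0x101000, b"C" * 0x1000)]
    phdrs = [struct.pack(PHDR_FMT, PT_NOTE, 0, 0, 0, 0, 0, 0, 0)]
    payload = bytearray()
    for pa, data in segments:
        off = data_off + len(payload)
        phdrs.append(struct.pack(PHDR_FMT, PT_LOAD, 0x6, off, 0, pa, len(data), len(data), 0x1000))
        payload += data
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELFCLASS64, LE, version 1
    ehdr = struct.pack(EHDR_FMT, ident, ET_CORE, EM_X86_64, 1, 0, 64, 0, 0,
                       64, 56, len(phdrs), 0, 0, 0)
    hdr = ehdr + b"".join(phdrs)
    return hdr + b"\0" * (data_off - len(hdr)) + bytes(payload)


if __name__ == "__main__":
    core = build_sample_core()
    runs = parse_elf_core(core)
    print([(hex(r.pa), hex(r.size), hex(r.off)) for r in runs])
    print(read_phys(core, runs, 0x100FFE, 4))   # spans two adjacent runs
    print(read_phys(core, runs, 0x2FFC, 8))     # crosses into the hole -> None
```

The same loop serves a RAW dump trivially (a single run with pa 0 and off 0) and a Microsoft crash dump once its PHYSICAL_MEMORY_DESCRIPTOR runs are extracted; the failure mode worth keeping in every backend is the one in `read_phys`: a page the dump did not capture is reported as unreadable, not as zeros.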

Installing PCILeech:

Please ensure you do have the most recent version of PCILeech by visiting the PCILeech github repository at: https://github.com/ufrisk/pcileech

<b>Get the latest binaries, modules and configuration files from the latest release.</b> Alternatively clone the repository and build from source.

Windows:

Please see the PCILeech on Windows guide for information about running PCILeech on Windows.

The Google Android USB driver has to be installed if USB3380 hardware is used. Download the Google Android USB driver from: http://developer.android.com/sdk/win-usb.html#download and unzip the driver. FTDI drivers have to be installed if an FPGA is used with the FT601 USB3 add-on card or PCIeScreamer. Download the 64-bit [FTD3XX.dll](h


Languages

C

Security Score

95/100

Audited on Mar 27, 2026

No findings