A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #31332  by TechLord
 Wed Mar 14, 2018 10:45 am
Direct Memory Access (DMA) Attack Software - Map Processes to Files and Folders - DMA over PCIe (No Drivers Needed on Target System)

Github Sources

Project Wiki Pages

Youtube Channel with Example Videos


Retrieve memory from the target system at >150MB/s.
Write data to the target system memory.
4GB memory can be accessed in native DMA mode (USB3380 hardware).
ALL memory can be accessed in native DMA mode (FPGA hardware).
ALL memory can be accessed if kernel module (KMD) is loaded.
Raw PCIe TLP access (FPGA hardware).
Mount live RAM as file [Linux, Windows, macOS*].
Mount file system as drive [Linux, Windows, macOS*].
Mount memory process file system as driver [Windows].
Execute kernel code on the target system.
Spawn system shell [Windows].
Spawn any executable [Windows].
Load unsigned drivers [Windows].
Pull files [Linux, FreeBSD, Windows, macOS*].
Push files [Linux, Windows, macOS*].
Patch / Unlock (remove password requirement) [Windows, macOS*].
Easy to create own kernel shellcode and/or custom signatures.
Even more features not listed here ...

Functionality and Limitations :

The Memory Process File System is currently only supported when running PCILeech on Windows.
x64 64-bit target operating systems only, no 32-bit, no ARM.
Read-only mode on memory dump files, read-write mode if PCILeech FPGA is used on a live system.
Automatic process identification only in Windows memory dumps.
Automatic identification of EPROCESS, PEB and DLL addresses in Windows memory dumps.
May fail on memory dumps taken from Virtual Machines, such as VirtualBox.
May fail for various other reasons as well.