A forum for reverse engineering, OS internals and malware analysis

 #31332  by TechLord
 Wed Mar 14, 2018 10:45 am
Direct Memory Access (DMA) Attack Software - Map Processes to Files and Folders - DMA over PCIe (No Drivers Needed on Target System)

Github Sources

Project Wiki Pages

Youtube Channel with Example Videos

Capabilities:

Retrieve memory from the target system at >150MB/s.
Write data to the target system memory.
4GB memory can be accessed in native DMA mode (USB3380 hardware).
ALL memory can be accessed in native DMA mode (FPGA hardware).
ALL memory can be accessed if kernel module (KMD) is loaded.
Raw PCIe TLP access (FPGA hardware).
Mount live RAM as file [Linux, Windows, macOS*].
Mount file system as drive [Linux, Windows, macOS*].
Mount memory process file system as drive [Windows].
Execute kernel code on the target system.
Spawn system shell [Windows].
Spawn any executable [Windows].
Load unsigned drivers [Windows].
Pull files [Linux, FreeBSD, Windows, macOS*].
Push files [Linux, Windows, macOS*].
Patch / Unlock (remove password requirement) [Windows, macOS*].
Easy to create own kernel shellcode and/or custom signatures.
Even more features not listed here ...

Functionality and Limitations:

The Memory Process File System is currently only supported when running PCILeech on Windows.
x64 64-bit target operating systems only, no 32-bit, no ARM.
Read-only mode on memory dump files, read-write mode if PCILeech FPGA is used on a live system.
Automatic process identification only in Windows memory dumps.
Automatic identification of EPROCESS, PEB and DLL addresses in Windows memory dumps.
May fail on memory dumps taken from Virtual Machines, such as VirtualBox.
May fail for various other reasons as well.