Version 4.3

ufrisk · Oct 14, 2019 · 04f1630 · 04f1630
1 parent 7b3a253
commit 04f1630
Show file tree

Hide file tree

Showing 11 changed files with 56 additions and 48 deletions.
diff --git a/files/leechcore.h b/files/leechcore.h
@@ -59,7 +59,14 @@
 //           http://www.ftdichip.com/Drivers/D3XX/FTD3XXLibrary_v1.2.0.6.zip
 //           Syntax:
 //           FGPA
-//           FPGA://<read_uS>[:<write_uS>[:<probe_uS>]]   (values are optional)
+//           FPGA://pcie_gen:[<read_uS>[:<write_uS>[:<probe_uS>]]]
+//
+// RAWUDP :  hardware, read/write - connect to a remote FPGA over the network
+//           using a rudimentary UDP implmentation of the FPGA USB protocol.
+//           Supported devices: NeTV2 - https://github.com/ufrisk/pcileech-fpga
+//           Syntax:
+//           RAWUDP://<target_ipv4>:[pcie_gen:[<read_uS>[:<write_uS>[:<probe_uS>]]]]
+//           Example: RAWUDP://192.168.0.222
 //
 // SP605TCP : hardware, read/write - connect to a remote SP605 FPGA over the
 //           network using the implementation created by @d_olex.
@@ -92,10 +99,11 @@
 //           Syntax:
 //           TOTALMELTDOWN
 //
-// FILE :    use dump file, either a raw linear memory dump or full crash dump.
+// FILE :    use dump file, either a raw linear memory dump, full crash dump or
+//           full elf core dump (virtualbox).
 //           Which format to use is auto-detected. If it looks like a full cash
-//           dump that format will be used, otherwise it will be assumed that a
-//           raw linear memory dump is to be used.
+//           dump or full elf core dump those formats will be used, otherwise
+//           it will be assumed that a raw linear memory dump is to be used.
 //           Syntax:
 //           <filename>        (no device-type prefix - just use the file name)
 //           FILE://<filename>
@@ -126,7 +134,7 @@
 // (c) Ulf Frisk, 2018-2019
 // Author: Ulf Frisk, pcileech@frizk.net
 //
-// Header Version: 1.4
+// Header Version: 1.5
 //
 #ifndef __LEECHCORE_H__
 #define __LEECHCORE_H__
@@ -248,7 +256,7 @@ typedef struct tdLEECHCORE_CONFIG {
     WORD version;               // set by caller.
     WORD flags;                 // set by caller, updated by device.
     ULONG64 paMax;              // set by caller, updated by device.
-    ULONG64 cbMaxSizeMemIo;     // set by caller, updated by device.
+    ULONG64 cbMaxValueDummy;    // set by device. (dummy - set to MAX_VALUE [deprecated cbMaxSizeMemIo])
     ULONG64 paMaxNative;        // set by device.
     LEECHCORE_DEVICE tpDevice;  // set by device.
     BOOL fWritable;             // set by device. (is device writable?)
@@ -475,6 +483,9 @@ DLLEXPORT BOOL LeechCore_SetOption(_In_ ULONG64 fOption, _In_ ULONG64 qwValue);
 
 #define LEECHCORE_COMMANDDATA_FPGA_WRITE_TLP            0x00000101  // R
 #define LEECHCORE_COMMANDDATA_FPGA_LISTEN_TLP           0x00000102  // R
+#define LEECHCORE_COMMANDDATA_FPGA_PCIECFGSPACE         0x00000103  // R
+#define LEECHCORE_COMMANDDATA_FPGA_CFGREGPCIE           0x00000104  // RW
+#define LEECHCORE_COMMANDDATA_FPGA_CFGREGCFG            0x00000105  // RW
 #define LEECHCORE_COMMANDDATA_FILE_DUMPHEADER_GET       0x00000201  // R
 #define LEECHCORE_COMMANDDATA_STATISTICS_GET            0x80000100  // R
 

diff --git a/pcileech/help.c b/pcileech/help.c
@@ -98,8 +98,6 @@ VOID Help_ShowGeneral()
         "   -force: force reads and writes even though target memory is marked as not   \n" \
         "          accessible. Dangerous! Affects all modes and commands.               \n" \
         "          Option has no value. Example: -force                                 \n" \
-        "   -iosize: max i/o size. Hardware DMA requests larger than iosize will be     \n" \
-        "          discarded. Affects all modes and commands.                           \n" \
         "   -tlpwait: Wait in seconds while listening for PCIe TLPs.                    \n" \
         "          Wait occurs after any other actions have been completed.             \n" \
         "   -help: show help about the selected command or implant and then exit        \n" \

diff --git a/pcileech/leechcore.h b/pcileech/leechcore.h
@@ -59,7 +59,14 @@
 //           http://www.ftdichip.com/Drivers/D3XX/FTD3XXLibrary_v1.2.0.6.zip
 //           Syntax:
 //           FGPA
-//           FPGA://<read_uS>[:<write_uS>[:<probe_uS>]]   (values are optional)
+//           FPGA://pcie_gen:[<read_uS>[:<write_uS>[:<probe_uS>]]]
+//
+// RAWUDP :  hardware, read/write - connect to a remote FPGA over the network
+//           using a rudimentary UDP implmentation of the FPGA USB protocol.
+//           Supported devices: NeTV2 - https://github.com/ufrisk/pcileech-fpga
+//           Syntax:
+//           RAWUDP://<target_ipv4>:[pcie_gen:[<read_uS>[:<write_uS>[:<probe_uS>]]]]
+//           Example: RAWUDP://192.168.0.222
 //
 // SP605TCP : hardware, read/write - connect to a remote SP605 FPGA over the
 //           network using the implementation created by @d_olex.
@@ -92,10 +99,11 @@
 //           Syntax:
 //           TOTALMELTDOWN
 //
-// FILE :    use dump file, either a raw linear memory dump or full crash dump.
+// FILE :    use dump file, either a raw linear memory dump, full crash dump or
+//           full elf core dump (virtualbox).
 //           Which format to use is auto-detected. If it looks like a full cash
-//           dump that format will be used, otherwise it will be assumed that a
-//           raw linear memory dump is to be used.
+//           dump or full elf core dump those formats will be used, otherwise
+//           it will be assumed that a raw linear memory dump is to be used.
 //           Syntax:
 //           <filename>        (no device-type prefix - just use the file name)
 //           FILE://<filename>
@@ -126,7 +134,7 @@
 // (c) Ulf Frisk, 2018-2019
 // Author: Ulf Frisk, pcileech@frizk.net
 //
-// Header Version: 1.4
+// Header Version: 1.5
 //
 #ifndef __LEECHCORE_H__
 #define __LEECHCORE_H__
@@ -248,7 +256,7 @@ typedef struct tdLEECHCORE_CONFIG {
     WORD version;               // set by caller.
     WORD flags;                 // set by caller, updated by device.
     ULONG64 paMax;              // set by caller, updated by device.
-    ULONG64 cbMaxSizeMemIo;     // set by caller, updated by device.
+    ULONG64 cbMaxValueDummy;    // set by device. (dummy - set to MAX_VALUE [deprecated cbMaxSizeMemIo])
     ULONG64 paMaxNative;        // set by device.
     LEECHCORE_DEVICE tpDevice;  // set by device.
     BOOL fWritable;             // set by device. (is device writable?)
@@ -475,6 +483,9 @@ DLLEXPORT BOOL LeechCore_SetOption(_In_ ULONG64 fOption, _In_ ULONG64 qwValue);
 
 #define LEECHCORE_COMMANDDATA_FPGA_WRITE_TLP            0x00000101  // R
 #define LEECHCORE_COMMANDDATA_FPGA_LISTEN_TLP           0x00000102  // R
+#define LEECHCORE_COMMANDDATA_FPGA_PCIECFGSPACE         0x00000103  // R
+#define LEECHCORE_COMMANDDATA_FPGA_CFGREGPCIE           0x00000104  // RW
+#define LEECHCORE_COMMANDDATA_FPGA_CFGREGCFG            0x00000105  // RW
 #define LEECHCORE_COMMANDDATA_FILE_DUMPHEADER_GET       0x00000201  // R
 #define LEECHCORE_COMMANDDATA_STATISTICS_GET            0x80000100  // R
 

diff --git a/pcileech/memdump.c b/pcileech/memdump.c
@@ -258,7 +258,7 @@ VOID ActionMemoryProbe()
             return;
         }
         for(i = 0; i < cPages; i++) {
-            PageStatUpdate(pPageStat, (qwA + i * 0x1000), (pbResultMap[i] ? 1 : 0), (pbResultMap[i] ? 0 : 1));
+            PageStatUpdate(pPageStat, (qwA + i * 0x1000 + 0x1000), (pbResultMap[i] ? 1 : 0), (pbResultMap[i] ? 0 : 1));
         }
         qwA += MEMORY_PROBE_PAGES_PER_SWEEP * 0x1000;
     }

diff --git a/pcileech/pcileech.c b/pcileech/pcileech.c
@@ -56,7 +56,6 @@ BOOL PCILeechConfigIntialize(_In_ DWORD argc, _In_ char* argv[])
     ctxMain->cfg.tpAction = NA;
     ctxMain->cfg.qwAddrMax = ~0;
     ctxMain->cfg.fOutFile = TRUE;
-    ctxMain->cfg.qwMaxSizeDmaIo = ~0;
     // fetch command line actions/options
     loop:
     while(i < argc) {
@@ -116,9 +115,6 @@ BOOL PCILeechConfigIntialize(_In_ DWORD argc, _In_ char* argv[])
             ctxMain->cfg.qwCR3 = Util_GetNumeric(argv[i + 1]);
         } else if(0 == strcmp(argv[i], "-efibase")) {
             ctxMain->cfg.qwEFI_IBI_SYST = Util_GetNumeric(argv[i + 1]);
-        } else if(0 == strcmp(argv[i], "-iosize")) {
-            ctxMain->cfg.qwMaxSizeDmaIo = Util_GetNumeric(argv[i + 1]);
-            ctxMain->cfg.qwMaxSizeDmaIo = ~0xfff & max(0x1000, ctxMain->cfg.qwMaxSizeDmaIo);
         } else if(0 == strcmp(argv[i], "-tlpwait")) {
             ctxMain->cfg.dwListenTlpTimeMs = (DWORD)(1000 * Util_GetNumeric(argv[i + 1]));
         } else if((0 == strcmp(argv[i], "-device")) || (0 == strcmp(argv[i], "-z"))) {
@@ -167,8 +163,6 @@ BOOL PCILeechConfigIntialize(_In_ DWORD argc, _In_ char* argv[])
 VOID PCILeechConfigFixup()
 {
     QWORD qw;
-    // device specific configuration
-    ctxMain->cfg.qwMaxSizeDmaIo = min(ctxMain->cfg.qwMaxSizeDmaIo, ctxMain->dev.cbMaxSizeMemIo);
     // no kmd -> max address == max address that device support
     if(!ctxMain->cfg.szKMDName[0] && !ctxMain->cfg.qwKMD) {
         if(ctxMain->cfg.qwAddrMax == 0 || ctxMain->cfg.qwAddrMax > ctxMain->dev.paMaxNative) {

diff --git a/pcileech/pcileech.h b/pcileech/pcileech.h
@@ -71,7 +71,6 @@ typedef struct tdConfig {
     CHAR szKMDName[MAX_PATH];
     CHAR szShellcodeName[MAX_PATH];
     CHAR szHook[MAX_PATH];
-    QWORD qwMaxSizeDmaIo;
     DWORD dwListenTlpTimeMs;
     // flags below
     BOOL fPageTableScan;

diff --git a/pcileech/statistics.c b/pcileech/statistics.c
@@ -47,7 +47,7 @@ VOID _PageStatShowUpdate(_Inout_ PPAGE_STATISTICS ps)
     QWORD qwSpeed = ((ps->cPageSuccess + ps->cPageFail) * 4) / (1 + (qwTickCountElapsed / 1000));
     HANDLE hConsole;
     CONSOLE_SCREEN_BUFFER_INFO consoleInfo;
-    BOOL isMBs = qwSpeed >= 1024;
+    BOOL isMBs = qwSpeed >= 2048;
     if(ps->i.fIsFirstPrintCompleted) {
 #ifdef WIN32
         hConsole = GetStdHandle(STD_OUTPUT_HANDLE);

diff --git a/pcileech/util.c b/pcileech/util.c
@@ -697,7 +697,7 @@ VOID Util_WaitForPowerCycle()
 
 #define UTIL_PRINTASCII \
     "................................ !\"#$%&'()*+,-./0123456789:;<=>?" \
-    "@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz`{|}~" \
+    "@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~ " \
     "................................................................" \
     "................................................................" \
 

diff --git a/pcileech/version.h b/pcileech/version.h
@@ -2,9 +2,9 @@
 #define STRINGIZE(s) STRINGIZE2(s)
 
 #define VERSION_MAJOR               4
-#define VERSION_MINOR               2
-#define VERSION_REVISION            1
-#define VERSION_BUILD               1
+#define VERSION_MINOR               3
+#define VERSION_REVISION            0
+#define VERSION_BUILD               2
 
 #define VER_FILE_DESCRIPTION_STR    "The PCILeech Direct Memory Access Attack Toolkit"
 #define VER_FILE_VERSION            VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD

diff --git a/pcileech/vmmdll.h b/pcileech/vmmdll.h
@@ -4,7 +4,7 @@
 // (c) Ulf Frisk, 2018-2019
 // Author: Ulf Frisk, pcileech@frizk.net
 //
-// Header Version: 2.10
+// Header Version: 2.11
 //
 
 #include <windows.h>
@@ -88,7 +88,6 @@ VOID VMMDLL_MemFree(_Frees_ptr_opt_ PVOID pvMem);
 #define VMMDLL_OPT_CORE_VERBOSE_EXTRA                   0x80000003  // RW
 #define VMMDLL_OPT_CORE_VERBOSE_EXTRA_TLP               0x80000004  // RW
 #define VMMDLL_OPT_CORE_MAX_NATIVE_ADDRESS              0x80000005  // R
-#define VMMDLL_OPT_CORE_MAX_NATIVE_IOSIZE               0x80000006  // R
 #define VMMDLL_OPT_CORE_SYSTEM                          0x80000007  // R
 #define VMMDLL_OPT_CORE_MEMORYMODEL                     0x80000008  // R
 

diff --git a/readme.md b/readme.md
@@ -45,25 +45,16 @@ PCILeech supports both hardware based and software based memory acqusition metho
 
 Please find a summary of the supported hardware based memory acquisition methods listed below. All hardware based memory acquisition methods are supported on both Windows and Linux. The FPGA based methods however sports a slight performance penalty on Linux and will max out at approx: 90MB/s compared to 150MB/s on Windows.
 
-| Device                                    | Type | Interface | Speed | 64-bit memory access | PCIe TLP access |
-| ---------------------------------------------------------------------- | ------- | ---- | ------- | --- | --- |
-| [AC701/FT601](https://github.com/ufrisk/LeechCore/wiki/Device_FPGA)    | FPGA    | USB3 | 150MB/s | Yes | Yes |
-| [PCIeScreamer](https://github.com/ufrisk/LeechCore/wiki/Device_FPGA)   | FPGA    | USB3 | 100MB/s | Yes | Yes |
-| [SP605/FT601](https://github.com/ufrisk/LeechCore/wiki/Device_FPGA)    | FPGA    | USB3 |  75MB/s | Yes | Yes |
-| [SP605/TCP](https://github.com/ufrisk/LeechCore/wiki/Device_SP605TCP)  | FPGA  | TCP/IP | 100kB/s | Yes | Yes |
-| [USB3380-EVB](https://github.com/ufrisk/LeechCore/wiki/Device_USB3380) | USB3380 | USB3 | 150MB/s | No  | No  |
-| [PP3380](https://github.com/ufrisk/LeechCore/wiki/Device_USB3380)      | USB3380 | USB3 | 150MB/s | No  | No  |
-| [DMA patched HP iLO](https://github.com/ufrisk/LeechCore/wiki/Device_iLO) | TCP/IP | TCP | 1MB/s  | Yes | No  |
-
-#### Recommended adapters:
-* PE3B - ExpressCard to mini-PCIe.
-* PE3A - ExpressCard to PCIe.
-* ADP - PCIe to mini-PCIe.
-* P15S-P15F - M.2 Key A+E to mini-PCIe.
-* Sonnet Echo ExpressCard Pro - Thunderbolt to ExpressCard.
-* Apple Thunderbolt3 (USB-C) - Thunderbolt2 dongle.
-
-Please note that other adapters may also work.
+| Device                                      | Type | Interface | Speed | 64-bit memory access | PCIe TLP access |
+| ---------------------------------------------------------------------- | ------- | ------ | ------- | --- | --- |
+| [AC701/FT601](https://github.com/ufrisk/LeechCore/wiki/Device_FPGA)    | FPGA    | USB3   | 150MB/s | Yes | Yes |
+| [PCIeScreamer](https://github.com/ufrisk/LeechCore/wiki/Device_FPGA)   | FPGA    | USB3   | 100MB/s | Yes | Yes |
+| [SP605/FT601](https://github.com/ufrisk/LeechCore/wiki/Device_FPGA)    | FPGA    | USB3   |  75MB/s | Yes | Yes |
+| [SP605/TCP](https://github.com/ufrisk/LeechCore/wiki/Device_SP605TCP)  | FPGA    | TCP/IP | 100kB/s | Yes | Yes |
+| [NeTV2/UDP](https://github.com/ufrisk/LeechCore/wiki/Device_RawUDP)    | FPGA    | UDP/IP |   7MB/s | Yes | Yes |
+| [USB3380-EVB](https://github.com/ufrisk/LeechCore/wiki/Device_USB3380) | USB3380 | USB3   | 150MB/s | No  | No  |
+| [PP3380](https://github.com/ufrisk/LeechCore/wiki/Device_USB3380)      | USB3380 | USB3   | 150MB/s | No  | No  |
+| [DMA patched HP iLO](https://github.com/ufrisk/LeechCore/wiki/Device_iLO) | BMC  | TCP/IP |   1MB/s | Yes | No  |
 
 ### Software based memory aqusition methods:
 
@@ -73,6 +64,7 @@ Please find a summary of the supported software based memory acquisition methods
 | -------------------------- | ---------------- | ------------- |
 | [RAW physical memory dump](https://github.com/ufrisk/LeechCore/wiki/Device_File)         | File             | Yes |
 | [Full Microsoft Crash Dump](https://github.com/ufrisk/LeechCore/wiki/Device_File)        | File             | Yes |
+| [Full ELF Core Dump](https://github.com/ufrisk/LeechCore/wiki/Device_File)               | File             | Yes |
 | [Hyper-V Saved State](https://github.com/ufrisk/LeechCore/wiki/Device_HyperV_SavedState) | File             | No  |
 | [TotalMeltdown](https://github.com/ufrisk/LeechCore/wiki/Device_Totalmeltdown)           | CVE-2018-1038    | No  |
 | [DumpIt /LIVEKD](https://github.com/ufrisk/LeechCore/wiki/Device_DumpIt)                 | Live&nbsp;Memory | No  |
@@ -197,3 +189,7 @@ v4.1
 * Signature updates:
   * Linux kernel module - LINUX_X64_48 (latest versions)
   * Win10 1903 kernel module - WIN10_X64_2 (requires windows version of PCILeech)
+
+[v4.3](https://github.com/ufrisk/pcileech/releases/tag/v4.3)
+* Bug fixes.
+* Support for new device (NeTV2 / RawUDP) via LeechCore library.