-
-
Notifications
You must be signed in to change notification settings - Fork 103
Device_FPGA_AMD_Thunderbolt
DMA may in some cases be problematic if you're targeting and AMD CPU or a Thunderbolt device.
DMA may not work at all or may stop working until the system is power cycled.
Please note that there may be other issues causing this as well! Such as the operating system using the IOMMU feature. If this is the case please try disabling the IOMMU feature in BIOS/UEFI. It's sometimes called VT-d.
DMA targeting AMD CPUs and Thunderbolt will frequently stop working if a DMA access is done towards physical memory outside the physical memory map. PCILeech and MemProcFS performs out-of-range DMA accesses as part of its memory auto-detection algorithm by default. Also other accesses may trigger out-of-range memory accesses. If the system enters such a state the DMA device must frequently be power-cycled (power off/on for PCIe devices or replugging Thunderbolt devices).
To resolve this both MemProcFS and PCILeech supports user supplied memory maps given in the -memmap
optional parameter.
The physical memory map usually stay the same between reboots. UEFI upgrades, memory upgrades and/or new PCIe devices connected may alter it.
If the target system memory map is known it's possible to supply it as a file to PCILeech and MemProcFS -memmap physmemmap.txt
. This is the recommended approach to avoid issues.
if the memory map is not known but it's possible to log on to the target Windows system the memory map may be retrieved using Sysinternals RAMMap from Microsoft.
The physical memory map is found in the tab Physical Ranges of RAMMap.
Save the Physical Ranges from RAMMap to a text file - physmemmap.txt:
0x1000 0xA0000
0x100000 0x9D00000
0xA000000 0xA200000
0xA20C000 0xB000000
0x38D0000 0x91EB000
0x93C2000 0xD94D9000
0xDA5E3000 0xDD000000
0x100000000 0x81F300000
MemProcFS and PCILeech supports the -memmap auto
option. If a Windows system is targeted a MemProcFS instance will be loaded and the memory map will be tried to extracted and used.
This only works on Windows targets.
There is a high risk of failure -memmap auto
should only be used as a last resort.
If MemProcFS is used the memory map file will be found in M:\sys\memmap\physmemmap.txt
This file may be copied and supplied to the memmap option as a file in subsequent requests - i.e. -memmap physmemmap.txt
.
Sample memmap.txt:
# Base Top
--------------------------------
0000 1000 - 9cfff
0001 100000 - 101fff
0002 103000 - bb37afff
0003 bb382000 - bb7dbfff
0004 bbc4c000 - cd216fff
0005 cefff000 - ceffffff
0006 100000000 - 42effffff
pcileech.exe dump -memmap auto
Dump memory from a Windows target using the memory map auto-detect. NB! this is a high risk operation and should only be used as last resort (please see above).
memprocfs.exe -memmap auto
Mount live memory from a Windows target using the memory map auto-detect. NB! this is a high risk operation and should only be used as last resort (please see above).
pcileech.exe dump -memmap physmemmap.txt
Dump memory from a target system using a user-supplied memory map containing valid physical memory ranges.
memprocfs.exe -memmap auto
Mount live memory from a Windows target using a user-supplied memory map containing valid physical memory ranges.
Sponsor PCILeech and MemProcFS:
PCILeech and MemProcFS is free and open source!
I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute by becoming a sponsor!
If you like what I've created with PCIleech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics and would like to give something back to support future development please consider becoming a sponsor at: https://github.com/sponsors/ufrisk
Thank You 💖