PCILeech on Windows
This section is about running PCILeech on Windows. For more information about targeting Windows systems please check Target: Windows. Please find a pre-compiled binary version of pcileech in the latest release in the PCILeech repo.
PCILeech depends on the LeechCore library for memory acquisition. The LeechCore library is distributed in the binary release. For more information about the LeechCore capture library, the LeechService service and the full range of memory acquisition options, please have a look at the LeechCore GitHub project.
For some functionality, such as the pslist and psvirt2phys commands and some Windows injection techniques, PCILeech depends on the MemProcFS vmm.dll. Please check out MemProcFS and copy vmm.dll into the pcileech\files folder alongside pcileech.exe if this functionality is to be used. Note that MemProcFS only exists for Windows.
The Google Android USB driver also has to be installed if USB3380 hardware is used. Download the Google Android USB driver from: http://developer.android.com/sdk/win-usb.html#download and unzip it. Then open Device Manager, right-click on the computer and choose Add legacy hardware. Select installing the hardware manually, click Have Disk, navigate to the Android driver, select android_winusb.inf and install.
FTDI drivers have to be installed if an FPGA is used with the FT601 USB3 add-on card. The FTDI drivers are installed automatically from Windows Update at first connection. PCILeech also requires the 64-bit FTD3XX.dll, which must be downloaded from FTDI and placed alongside pcileech.exe.
The Dokany file system library must be installed to use the mount functionality, including:
- Mount target computer file system as folder.
- Mount target computer live RAM as file.
- The Memory Process File System.
Please download and install the latest version of Dokany at: https://github.com/dokan-dev/dokany/releases/latest
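A pre-flight check for the dependencies listed above, added here as an example and not part of the PCILeech or MemProcFS projects. It assumes the file names leechcore.dll, dokan1.dll/dokan2.dll and android_winusb.inf (only vmm.dll, FTD3XX.dll and pcileech.exe are named on this page) and uses pnputil to list installed driver packages.

```powershell
# Added example, not part of the PCILeech project: pre-flight check of the Windows
# dependencies described above. Assumes pcileech.exe and its DLLs live in $Dir
# (the pcileech\files folder). leechcore.dll, dokan1.dll/dokan2.dll and the
# pnputil check are assumptions about names this page does not spell out.
param([string]$Dir = $(if ($PSScriptRoot) { $PSScriptRoot } else { (Get-Location).Path }))

function Get-PeMachine([string]$Path) {
    # IMAGE_FILE_HEADER.Machine: 0x8664 = x64, 0x014C = x86. $null if not a PE image.
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { return $null }  # "MZ"
    $pe = [System.BitConverter]::ToInt32($b, 0x3C)                                    # e_lfanew
    if ($pe -lt 0 -or $pe + 6 -gt $b.Length) { return $null }
    if ([System.BitConverter]::ToUInt32($b, $pe) -ne 0x00004550) { return $null }   # "PE\0\0"
    return [System.BitConverter]::ToUInt16($b, $pe + 4)
}

function Test-File([string]$Name, [switch]$Require64) {
    $p = Join-Path $Dir $Name
    if (-not (Test-Path $p)) { return 'missing' }
    # The page requires the 64-bit FTD3XX.dll; a 32-bit copy is a common mistake.
    if ($Require64 -and (Get-PeMachine $p) -ne 0x8664) { return 'present but not 64-bit' }
    return 'ok'
}

function Get-Status([bool]$Found) { if ($Found) { 'ok' } else { 'missing' } }

$checks = [ordered]@{
    'pcileech.exe (release binary)'           = Test-File 'pcileech.exe'
    'leechcore.dll (LeechCore; assumed name)' = Test-File 'leechcore.dll'
    'vmm.dll (MemProcFS; pslist/psvirt2phys)' = Test-File 'vmm.dll'
    'FTD3XX.dll, 64-bit (FPGA with FT601)'    = Test-File 'FTD3XX.dll' -Require64
    # Dokany's installer places dokan1.dll or dokan2.dll in System32 (assumption).
    'Dokany (mount functionality)'            = Get-Status ((Test-Path "$env:SystemRoot\System32\dokan2.dll") -or
                                                            (Test-Path "$env:SystemRoot\System32\dokan1.dll"))
    # The Android WinUSB driver only matters for USB3380 hardware; pnputil lists the
    # original INF name of every installed third-party driver package.
    'Android USB driver (USB3380 only)'       = Get-Status ([bool]((pnputil /enum-drivers 2>$null) -match 'android_winusb\.inf'))
}

foreach ($c in $checks.GetEnumerator()) { '{0,-42} {1}' -f $c.Key, $c.Value }
```

Run it from the pcileech\files folder or pass -Dir; vmm.dll, FTD3XX.dll, Dokany and the Android driver are only needed for the respective features described above.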
PCILeech depends on LeechCore (https://github.com/ufrisk/LeechCore). Please ensure LeechCore is placed alongside PCILeech.
Open the PCILeech project in Visual Studio 2017 or later. Enable the LeechCore project in the solution. Build. The resulting binaries will be placed in the pcileech\files folder.
To build individual shellcode kernel modules and implants, please see the individual instructions in each source file.
Sponsor PCILeech and MemProcFS:
PCILeech and MemProcFS are free and open source!
I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute by becoming a sponsor!
If you like what I've created with PCILeech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics and would like to give something back to support future development, please consider becoming a sponsor at: https://github.com/sponsors/ufrisk
Thank You 💖