Commit
Version 3.7 - Add Raw TCP device
ufrisk committed Jan 3, 2019
1 parent 8f3f9ce commit 33e75fb
Showing 9 changed files with 25 additions and 9 deletions.
4 changes: 2 additions & 2 deletions pcileech/devicerawtcp.c
@@ -160,7 +160,7 @@ BOOL DeviceRawTCP_ReadDMA(_Inout_ PPCILEECH_CONTEXT ctxPcileech, _In_ QWORD qwAd

cbRead = 0;
while (cbRead < Rx.cb) {
len = recv(ctxrawtcp->Sock, (char *)pb + cbRead, Rx.cb - cbRead, 0);
len = recv(ctxrawtcp->Sock, (char *)pb + cbRead, (int)(Rx.cb - cbRead), 0);
if (len == SOCKET_ERROR || len == 0) {
fprintf(stderr, "ERROR: recv() fails\n");
return 0;
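Review bot: the `(int)` cast on `Rx.cb - cbRead` in the recv() call silences the size-to-int conversion warning but truncates silently if the remaining byte count ever exceeds INT_MAX, so a large Rx.cb would produce a wrong (possibly negative) length rather than a clean error. Clamp the request before casting, e.g. `(int)min(Rx.cb - cbRead, (SIZE_T)INT_MAX)`, or validate Rx.cb against a sane maximum when the response header is received. The `len == SOCKET_ERROR || len == 0` check correctly treats a peer close as a failed read.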
@@ -213,7 +213,7 @@ BOOL DeviceRawTCP_WriteDMA(_Inout_ PPCILEECH_CONTEXT ctxPcileech, _In_ QWORD qwA
}

if (Rx.cmd != MEM_WRITE) {
fprintf(stderr, "ERROR: Memory write fail\n", cbRead);
fprintf(stderr, "ERROR: Memory write fail\n");
}

return cbWritten >= cb;
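Review bot: removing the stray `cbRead` argument fixes the format/argument mismatch in the fprintf, but the `Rx.cmd != MEM_WRITE` branch still only logs and then falls through to `return cbWritten >= cb;`, so a reply that is not a MEM_WRITE acknowledgement can still be reported to the caller as a successful write. Return FALSE (or zero cbWritten) inside that branch so an unexpected response is surfaced as a failure rather than just a message on stderr.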
11 changes: 6 additions & 5 deletions pcileech/help.c
@@ -94,10 +94,10 @@ VOID Help_ShowGeneral()
" Wait occurs after any other actions have been completed. \n" \
" -device: force the use of a specific hardware device instead of auto-detect.\n" \
" Affects all modes and commands. \n" \
" Valid options: USB3380, FPGA, SP605_TCP, <memory-dump-file-name> or \n" \
" TOTALMELTDOWN \n" \
" -device-addr: Remote address for -device SP605_TCP. \n" \
" -device-port: Remote TCP port for -device SP605_TCP. Default value: 28472. \n" \
" Valid options: USB3380, FPGA, SP605_TCP, RAWTCP, TOTALMELTDOWN or \n" \
" <memory-dump-file-name>. \n" \
" -device-addr: Remote address for -device RAWTCP and SP605_TCP. \n" \
" -device-port: Remote TCP port for -device RAWTCP and SP605_TCP. (optional). \n" \
" -device-opt[0-3]: Optional additional device configuration for some devices.\n" \
" FPGA device (NB! 0 = default!): -device-opt0 = delay read uS \n" \
" -device-opt1 = delay write uS, -device-opt2 = delay probe uS \n" \
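Review bot: the new -device-port line replaces the stated default (28472) with "(optional)" and no longer tells the user which port is used when the option is omitted; state the default per device (the old text gave 28472 for SP605_TCP, and the RAWTCP default is not in this hunk) so the help text stays self-describing. Also, ". (optional)." ends up with a doubled period; "(optional)." or "Optional." reads cleaner.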
@@ -142,7 +142,7 @@ VOID Help_ShowInfo()
{
printf(
" PCILEECH INFORMATION \n" \
" PCILeech (c) 2016-2018 Ulf Frisk \n" \
" PCILeech (c) 2016-2019 Ulf Frisk \n" \
" Version: " \
PCILEECH_VERSION_CURRENT \
" \n" \
@@ -155,6 +155,7 @@ VOID Help_ShowInfo()
" Google USB Driver - https://developer.android.com/sdk/win-usb.html \n" \
" FTDI FT601 Driver - http://www.ftdichip.com/Drivers/D3XX.htm \n" \
" PCIe Injector - https://github.com/enjoy-digital/pcie_injector \n" \
" iLO DMA firmware - https://www.synacktiv.com/posts/exploit/using-your-bmc-as-a-dma-device-plugging-pcileech-to-hpe-ilo-4.html \n" \
" Dokany - https://github.com/dokan-dev/dokany/releases/latest \n" \
" ---------------- \n" \
" Use with memory dump files in read-only mode. \n" \
2 changes: 1 addition & 1 deletion pcileech/pcileech.h
@@ -7,7 +7,7 @@
#define __PCILEECH_H__
#include "oscompatibility.h"

#define PCILEECH_VERSION_CURRENT "3.6.2"
#define PCILEECH_VERSION_CURRENT "3.7.0"

#define SIZE_PAGE_ALIGN_4K(x) ((x + 0xfff) & ~0xfff)
#define CONFIG_MAX_SIGNATURES 16
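Review bot: the version bump to 3.7.0 is fine. While this header is being touched, the `SIZE_PAGE_ALIGN_4K(x)` macro in the context lines does not parenthesize its argument (`((x + 0xfff) & ~0xfff)`), so an argument containing a lower-precedence operator (a conditional, a shift, a bitwise op) binds incorrectly; `(((x) + 0xfff) & ~0xfff)` avoids that class of bug.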
2 changes: 2 additions & 0 deletions pcileech/pcileech.vcxproj
@@ -193,6 +193,7 @@
<ClInclude Include="device605_tcp.h" />
<ClInclude Include="devicefile.h" />
<ClInclude Include="devicefpga.h" />
<ClInclude Include="devicerawtcp.h" />
<ClInclude Include="devicetmd.h" />
<ClInclude Include="dokan.h" />
<ClInclude Include="executor.h" />
@@ -219,6 +220,7 @@
<ClCompile Include="device605_tcp.c" />
<ClCompile Include="devicefile.c" />
<ClCompile Include="devicefpga.c" />
<ClCompile Include="devicerawtcp.c" />
<ClCompile Include="devicetmd.c" />
<ClCompile Include="executor.c" />
<ClCompile Include="extra.c" />
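Review bot: devicerawtcp.h and devicerawtcp.c are now part of the Visual Studio project, but the commit's changed-file list has no Makefile entry even though the project references one (`<None Include="Makefile">` in the filters file). Confirm the Linux build already compiles devicerawtcp.c; otherwise the RAWTCP device is only available in the Windows binaries shipped here.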
6 changes: 6 additions & 0 deletions pcileech/pcileech.vcxproj.filters
@@ -90,6 +90,9 @@
<ClInclude Include="pcileech_dll.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="devicerawtcp.h">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<ClCompile Include="device.c">
@@ -158,6 +161,9 @@
<ClCompile Include="pcileech_dll.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="devicerawtcp.c">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<None Include="Makefile">
Binary file modified pcileech_files/dll/pcileech.dll
Binary file not shown.
Binary file modified pcileech_files/dll/pcileech.lib
Binary file not shown.
Binary file modified pcileech_files/pcileech.exe
Binary file not shown.
9 changes: 8 additions & 1 deletion readme.md
@@ -2,7 +2,7 @@ PCILeech Summary:
=================
PCILeech uses PCIe hardware devices to read and write from the target system memory. This is achieved by using DMA over PCIe. No drivers are needed on the target system.

<b>PCILeech works without hardware together with memory dump files and the Windows 7/2008R2 x64 [Total Meltdown / CVE-2018-1038](https://blog.frizk.net/2018/03/total-meltdown.html) vulnerability.</b>
PCILeech works without hardware together with memory dump files and the Windows 7/2008R2 x64 [Total Meltdown / CVE-2018-1038](https://blog.frizk.net/2018/03/total-meltdown.html) vulnerability. In addition to locally connected devices PCILeech also support DMA patched iLO interfaces.

PCILeech supports multiple memory acquisition devices. Primarily hardware based, but also dump files and software based techniques based on select security issues are supported. USB3380 based hardware is only able to read 4GB of memory natively, but is able to read all memory if a kernel module (KMD) is first inserted into the target system kernel. FPGA based hardware is able to read all memory.

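Review bot: "PCILeech also support DMA patched iLO interfaces" should read "supports". It would also help to name the mechanism in the same sentence (the new RAWTCP device, selected with -device rawtcp), since that is what the usage example later in this readme relies on; as written the reader has to infer the connection.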
@@ -52,6 +52,7 @@ Please find a device comparision table below.
| [SP605/TCP](https://github.com/ufrisk/pcileech-fpga/) | FPGA | TCP/IP | 100kB/s | Yes | Yes |
| [USB3380-EVB](usb3380.md) | USB3380 | USB3 | 150MB/s | No (via KMD only) | No |
| [PP3380](usb3380.md) | USB3380 | USB3 | 150MB/s | No (via KMD only) | No |
| [DMA patched HP iLO](https://www.synacktiv.com/posts/exploit/using-your-bmc-as-a-dma-device-plugging-pcileech-to-hpe-ilo-4.html) | TCP | TCP | 1MB/s | Yes | No |

Recommended adapters:
* PE3B - ExpressCard to mini-PCIe.
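Review bot: in the new comparison-table row the hardware column says "TCP", which is a transport rather than a device type; the other rows name the underlying part (FPGA, USB3380). Something like "iLO 4 BMC" in that column, with "TCP" only in the interface column, keeps the table consistent. The header line of the context also carries the typo "comparision" (comparison).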
@@ -122,6 +123,9 @@ Mount the PCILeech Memory Process File System from a Windows 10 64-bit memory im
Dump memory using the the reported "TotalMeltdown" [Windows 7/2008R2 x64 PML4 page table permission vulnerability](https://blog.frizk.net/2018/03/total-meltdown.html).
* ` pcileech.exe dump -out memdump_win7.raw -device totalmeltdown -v -force `

Insert a kernel module into a running Linux system remotely via a [DMA patched HP iLO](https://www.synacktiv.com/posts/exploit/using-your-bmc-as-a-dma-device-plugging-pcileech-to-hpe-ilo-4.html).
* ` pcileech.exe kmdload -vvv -device rawtcp -device-addr 127.0.0.1 -device-port 8888 -kmd LINUX_X64_48 `

Generating Signatures:
======================
PCILeech comes with built in signatures for Windows, Linux, FreeBSD and macOS. For Windows 10 it is also possible to use the pcileech_gensig.exe program to generate alternative signatures.
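Review bot: the new kmdload example passes `-device-port 8888`, while the help text in this same commit marks -device-port as optional without stating a default; say here whether 8888 is the port the patched iLO listens on or merely a placeholder, so readers do not take it as a PCILeech default. The adjacent context line "using the the reported" also has a doubled "the".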
@@ -187,3 +191,6 @@ v3.5
v3.6
* Various bug fixes (including 'missing dlls' issue).
* Additional functionality exported from DLL.

v3.7
* Support for RAWTCP device - used to communicate with [DMA patched HP iLO](https://www.synacktiv.com/posts/exploit/using-your-bmc-as-a-dma-device-plugging-pcileech-to-hpe-ilo-4.html). Thanks to [Synacktiv](https://www.synacktiv.com) for the contribution and the awesome research!
