
DMA Attack Techniques


Overview


This skill covers Direct Memory Access (DMA) attack resources from the awesome-game-security collection, focusing on FPGA-based PCIe attacks, pcileech usage, and hardware-level memory access techniques.

DMA Fundamentals


What is DMA Attack?


DMA attacks exploit the ability of PCIe devices to directly access
system memory without CPU involvement. An attacker can:
- Read arbitrary physical memory
- Write to physical memory
- Bypass software-based protections
- Remain invisible to OS-level detection

Hardware Requirements


- FPGA development board (Xilinx/Altera)
- PCIe interface capability
- Sufficient logic resources
- Development environment

pcileech Framework


Overview


pcileech is the primary framework for DMA-based memory access:
  • Open-source memory forensics tool
  • Supports multiple FPGA boards
  • Extensive plugin ecosystem
  • Active development community

Supported Hardware


- Screamer PCIe (Xilinx Artix-7)
- PCIe Squirrel
- AC701 (Xilinx Artix-7)
- SP605 (Xilinx Spartan-6)
- Custom FPGA boards

Basic Usage


```bash
# Memory dump
pcileech dump -out memory.raw -min 0 -max 0x200000000

# Process listing
pcileech pslist

# Read specific address
pcileech read -a 0x12345000 -l 0x1000

# Write to address
pcileech write -a 0x12345000 -v 0x41414141
```

FPGA Firmware


Development Tools


- Vivado (Xilinx)
- Quartus (Intel/Altera)
- Open-source toolchains

Firmware Features


- TLP packet generation
- Configuration space emulation
- MSI/MSI-X interrupt handling
- DMA read/write implementation

Anti-Detection Features


- Device ID spoofing
- Vendor ID masquerading
- Serial number randomization
- Capability structure emulation

Device Emulation


Common Emulation Targets


- Network adapters (Intel I210/I226)
- Storage controllers
- USB controllers
- Sound cards

Emulation Requirements


1. Correct PCI configuration space
2. Proper capability structures
3. BAR (Base Address Register) setup
4. Interrupt handling

Example: Network Adapter Emulation


- Emulate Intel I210 NIC
- Proper device/vendor ID
- PHY register emulation
- Minimal functionality for detection evasion

Memory Access Techniques


Physical Memory Reading


```c
// Typical pcileech API usage, as presented on the page. hDevice must already
// hold an opened device handle and physAddr the physical address to read.
HANDLE hDevice;
BYTE buffer[0x1000];
ULONG64 physAddr = 0x1000;   // example address, constructed for illustration

// Read one 4 KiB page of physical memory into buffer
pcileech_read_phys(hDevice, physAddr, buffer, sizeof(buffer));
```

Virtual Address Translation


```c
// Index of this VA's entry at each level (9 bits per level), the frame an
// entry points to (bits 12..51), and the offset inside a 4 KiB page.
#define PML4_INDEX(va)   (((va) >> 39) & 0x1FF)
#define PDPT_INDEX(va)   (((va) >> 30) & 0x1FF)
#define PD_INDEX(va)     (((va) >> 21) & 0x1FF)
#define PT_INDEX(va)     (((va) >> 12) & 0x1FF)
#define PFN(entry)       ((entry) & 0x000FFFFFFFFFF000ULL)
#define PAGE_OFFSET(va)  ((va) & 0xFFF)

// Walk page tables to translate VA to PA: PML4 -> PDPT -> PD -> PT -> Physical.
// ReadPhys() is the caller's DMA read of one 64-bit entry. CR3 is masked
// because its low bits carry flags, not address. This sketch does not check
// the present bit (bit 0) or large pages (bit 7); a real walker must do both.
UINT64 TranslateVA(UINT64 cr3, UINT64 virtualAddr) {
    UINT64 pml4e = ReadPhys(PFN(cr3) + PML4_INDEX(virtualAddr) * 8);
    UINT64 pdpte = ReadPhys(PFN(pml4e) + PDPT_INDEX(virtualAddr) * 8);
    UINT64 pde   = ReadPhys(PFN(pdpte) + PD_INDEX(virtualAddr) * 8);
    UINT64 pte   = ReadPhys(PFN(pde) + PT_INDEX(virtualAddr) * 8);
    return PFN(pte) + PAGE_OFFSET(virtualAddr);
}
```

DTB (Directory Table Base) Finding


- Scan physical memory for valid CR3 values
- Look for kernel structures
- Use signature scanning
- Validate page table entries
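The translation sketch above omits the checks a walker run over a memory dump actually needs, and the DTB list names what to validate without showing it. The C program below is an added example, not code from the page, from pcileech or from any project it lists: it builds a constructed 1 MiB memory image with a hypothetical page-table layout (PML4 at 0x1000, PDPT at 0x2000, PD at 0x3000, PT at 0x4000; none of these addresses come from a real system), translates virtual addresses through all four levels with present-bit and large-page handling, and then scans every page of the image for DTB candidates using page alignment, the PML4E reserved PS bit, in-range frame numbers and a self-referencing entry. The self-map test is the heuristic memory-forensics tools apply to Windows-style PML4s; treating the dump as coming from such a system is an assumption of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 1 MiB "physical memory" image standing in for a DMA dump.
 * Hypothetical layout (not from any real system): PML4 at 0x1000, PDPT at
 * 0x2000, PD at 0x3000, PT at 0x4000, a data page at 0x5000, and one
 * 2 MiB large page whose frame lies at 0x400000. */
#define MEM_SIZE (1u << 20)
static uint8_t g_mem[MEM_SIZE];

#define PTE_PRESENT 0x1ULL
#define PTE_WRITE   0x2ULL
#define PTE_PS      0x80ULL                 /* large page: 1 GiB in a PDPTE, 2 MiB in a PDE */
#define PFN_MASK    0x000FFFFFFFFFF000ULL   /* frame address, bits 12..51 */
#define IDX(va, shift) (((va) >> (shift)) & 0x1FF)

/* One little-endian 64-bit read from the image; out-of-range reads return 0,
 * which decodes as "not present". */
static uint64_t read_phys64(uint64_t pa) {
    uint64_t v = 0;
    if (pa + 8 <= MEM_SIZE) memcpy(&v, g_mem + pa, 8);
    return v;
}

static void write_phys64(uint64_t pa, uint64_t v) {
    if (pa + 8 <= MEM_SIZE) memcpy(g_mem + pa, &v, 8);
}

/* Full 4-level walk: returns 0 and sets *pa on success, -1 if any level is
 * not present. Checks the present bit at every level and decodes 1 GiB and
 * 2 MiB large pages. */
int translate_va(uint64_t cr3, uint64_t va, uint64_t *pa) {
    uint64_t pml4e = read_phys64((cr3 & PFN_MASK) + IDX(va, 39) * 8);
    if (!(pml4e & PTE_PRESENT)) return -1;
    uint64_t pdpte = read_phys64((pml4e & PFN_MASK) + IDX(va, 30) * 8);
    if (!(pdpte & PTE_PRESENT)) return -1;
    if (pdpte & PTE_PS) { *pa = (pdpte & 0x000FFFFFC0000000ULL) | (va & 0x3FFFFFFFULL); return 0; }
    uint64_t pde = read_phys64((pdpte & PFN_MASK) + IDX(va, 21) * 8);
    if (!(pde & PTE_PRESENT)) return -1;
    if (pde & PTE_PS) { *pa = (pde & 0x000FFFFFFFE00000ULL) | (va & 0x1FFFFFULL); return 0; }
    uint64_t pte = read_phys64((pde & PFN_MASK) + IDX(va, 12) * 8);
    if (!(pte & PTE_PRESENT)) return -1;
    *pa = (pte & PFN_MASK) | (va & 0xFFFULL);
    return 0;
}

/* DTB candidate test: page-aligned, every present entry has the PS bit clear
 * (reserved in a PML4E) and points inside the image, and one entry maps the
 * table itself. The self-map is a Windows-oriented heuristic (assumption). */
int is_plausible_cr3(uint64_t cand) {
    if ((cand & 0xFFF) || cand + 0x1000 > MEM_SIZE) return 0;
    int present = 0, selfmap = 0;
    for (int i = 0; i < 512; i++) {
        uint64_t e = read_phys64(cand + (uint64_t)i * 8);
        if (!(e & PTE_PRESENT)) continue;
        if (e & PTE_PS) return 0;
        uint64_t pfn = e & PFN_MASK;
        if (pfn + 0x1000 > MEM_SIZE) return 0;
        present++;
        if (pfn == cand) selfmap = 1;
    }
    return present > 0 && selfmap;
}

/* Scan every page of the image; returns how many pass is_plausible_cr3()
 * and reports the first hit through *first. */
int scan_for_cr3(uint64_t *first) {
    int n = 0;
    for (uint64_t pa = 0; pa + 0x1000 <= MEM_SIZE; pa += 0x1000) {
        if (is_plausible_cr3(pa)) { if (n == 0 && first) *first = pa; n++; }
    }
    return n;
}

/* Populate the constructed image described at the top of the file. */
void build_image(void) {
    memset(g_mem, 0, MEM_SIZE);
    write_phys64(0x1000 + 0 * 8,     0x2000 | PTE_PRESENT | PTE_WRITE);   /* PML4[0] -> PDPT */
    write_phys64(0x1000 + 0x1ED * 8, 0x1000 | PTE_PRESENT | PTE_WRITE);   /* self-map; index is arbitrary */
    write_phys64(0x2000 + 0 * 8,     0x3000 | PTE_PRESENT | PTE_WRITE);   /* PDPT[0] -> PD */
    write_phys64(0x3000 + 0 * 8,     0x4000 | PTE_PRESENT | PTE_WRITE);   /* PD[0] -> PT */
    write_phys64(0x3000 + 1 * 8,     0x400000 | PTE_PS | PTE_PRESENT | PTE_WRITE); /* PD[1]: 2 MiB page */
    write_phys64(0x4000 + 0x10 * 8,  0x5000 | PTE_PRESENT | PTE_WRITE);   /* PT[0x10] -> data page */
    memset(g_mem + 0x5000, 0x41, 0x1000);   /* data whose bytes happen to look "present" */
}

int main(void) {
    build_image();
    uint64_t first = 0, pa = 0;
    printf("DTB candidates: %d (first at 0x%llx)\n", scan_for_cr3(&first), (unsigned long long)first);
    if (translate_va(first, 0x10ABC, &pa) == 0)  printf("VA 0x10ABC  -> PA 0x%llx\n", (unsigned long long)pa);
    if (translate_va(first, 0x2ABCDE, &pa) == 0) printf("VA 0x2ABCDE -> PA 0x%llx (2 MiB page)\n", (unsigned long long)pa);
    if (translate_va(first, 0x20000, &pa) != 0)  printf("VA 0x20000  -> not present\n");
    return 0;
}
```

The scan is deliberately strict: the PDPT, PD and PT pages in the image also look like valid tables, and only the self-map (plus the reserved-bit test, which rejects the PD because of its large-page entry) singles out the real PML4. Without such extra checks, "validate page table entries" alone yields several false candidates per process, which is why forensics tools cross-check against known kernel structures as the list above suggests.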

Integration with Tools


Cheat Engine DMA Plugin


- CE server for DMA access
- Process memory reading via DMA
- Remote debugging capability

ReClass DMA


- Structure reconstruction
- Live memory viewing
- Pointer scanning

Custom Implementations


- DMA libraries (DMALib)
- Minimal VM libraries
- Game-specific cheats

Anti-Cheat Bypass


Why DMA Bypasses Anti-Cheat


1. No process attachment
2. No suspicious API calls
3. No kernel driver needed
4. No code injection
5. Operates below OS level

Limitations


- Read-only for some implementations
- Timing-based detection possible
- Hardware fingerprinting
- Memory encryption (on newer systems)

Detection Methods


- PCIe device enumeration
- IOMMU/VT-d monitoring
- DMA buffer analysis
- Performance counter anomalies
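PCIe device enumeration, the first detection method listed above, only tells a defender something when the current inventory is compared with a trusted baseline, and the Anti-Detection Features and Emulation Requirements sections explain why: an emulated device copies the vendor and device IDs, but the subsystem IDs and the capability chain are harder to get right. The C program below is an added example, not code from the page or from any project it lists. It parses the standard type-0 PCI configuration header (vendor and device IDs at 0x00 and 0x02, class code at 0x09..0x0B, subsystem IDs at 0x2C and 0x2E, capability pointer at 0x34 when status bit 4 is set), walks the capability list without trusting it, and diffs the resulting fingerprint against the baseline for the same slot. Both configuration spaces are constructed in build_cfg: vendor ID 0x8086 is Intel's, while device ID 0xBEEF, the subsystem IDs and the capability lists are placeholders chosen for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CFG_SIZE 256
#define MAX_CAPS 16

/* Identity fingerprint of one PCI function, taken from its type-0 header. */
typedef struct {
    uint16_t vendor, device, subsys_vendor, subsys_id;
    uint32_t class_code;       /* base class << 16 | subclass << 8 | prog-if */
    uint8_t  caps[MAX_CAPS];   /* capability IDs in chain order */
    int      ncaps;
    int      cap_list_ok;      /* 0 if the chain loops, points below 0x40 or is too long */
} pci_fp_t;

enum { F_NEW_DEVICE = 1, F_CLASS_MISMATCH = 2, F_SUBSYS_CHANGED = 4,
       F_CAPS_CHANGED = 8, F_BAD_CAPLIST = 16 };

static uint16_t rd16(const uint8_t *c, int off) { return (uint16_t)(c[off] | (c[off + 1] << 8)); }

/* Parse the header fields and walk the capability list (each entry: ID byte,
 * next-pointer byte). Status bit 4 says whether a list exists at all. */
void fingerprint(const uint8_t cfg[CFG_SIZE], pci_fp_t *fp) {
    memset(fp, 0, sizeof *fp);
    fp->vendor        = rd16(cfg, 0x00);
    fp->device        = rd16(cfg, 0x02);
    fp->class_code    = ((uint32_t)cfg[0x0B] << 16) | ((uint32_t)cfg[0x0A] << 8) | cfg[0x09];
    fp->subsys_vendor = rd16(cfg, 0x2C);
    fp->subsys_id     = rd16(cfg, 0x2E);
    fp->cap_list_ok   = 1;
    if (!(rd16(cfg, 0x06) & 0x0010)) return;
    uint8_t seen[CFG_SIZE] = {0};
    uint8_t ptr = cfg[0x34] & 0xFC;
    while (ptr) {
        if (ptr < 0x40 || seen[ptr] || fp->ncaps == MAX_CAPS) { fp->cap_list_ok = 0; return; }
        seen[ptr] = 1;
        fp->caps[fp->ncaps++] = cfg[ptr];
        ptr = cfg[ptr + 1] & 0xFC;
    }
}

/* Compare the device now in a slot with the baseline recorded for that slot;
 * a NULL baseline means the slot used to be empty. Returns a finding bitmask. */
int compare_to_baseline(const pci_fp_t *base, const pci_fp_t *now) {
    int f = now->cap_list_ok ? 0 : F_BAD_CAPLIST;
    if (!base) return f | F_NEW_DEVICE;
    if (base->class_code != now->class_code) f |= F_CLASS_MISMATCH;
    if (base->subsys_vendor != now->subsys_vendor || base->subsys_id != now->subsys_id) f |= F_SUBSYS_CHANGED;
    if (base->ncaps != now->ncaps || memcmp(base->caps, now->caps, (size_t)now->ncaps) != 0) f |= F_CAPS_CHANGED;
    return f;
}

/* Constructed config space: Intel vendor ID 0x8086, placeholder device ID
 * 0xBEEF, class 0x020000 (Ethernet controller). Capabilities are laid out
 * 0x10 bytes apart starting at offset 0x40. */
void build_cfg(uint8_t cfg[CFG_SIZE], uint16_t subsys, const uint8_t *cap_ids, int n) {
    memset(cfg, 0, CFG_SIZE);
    cfg[0x00] = 0x86; cfg[0x01] = 0x80;
    cfg[0x02] = 0xEF; cfg[0x03] = 0xBE;
    cfg[0x06] = 0x10;                          /* status: capability list present */
    cfg[0x0B] = 0x02;                          /* base class 0x02, subclass 0x00 */
    cfg[0x2C] = 0x86; cfg[0x2D] = 0x80;
    cfg[0x2E] = (uint8_t)(subsys & 0xFF); cfg[0x2F] = (uint8_t)(subsys >> 8);
    cfg[0x34] = n ? 0x40 : 0;
    for (int i = 0; i < n; i++) {
        uint8_t off = (uint8_t)(0x40 + 0x10 * i);
        cfg[off] = cap_ids[i];
        cfg[off + 1] = (i + 1 < n) ? (uint8_t)(off + 0x10) : 0;
    }
}

/* Baseline NIC advertised PM (0x01), MSI (0x05), MSI-X (0x11) and PCIe (0x10);
 * the device now present reuses the vendor/device ID but carries a different
 * subsystem ID and no MSI-X, the kind of gap an incomplete emulation leaves. */
int demo_findings(void) {
    static const uint8_t base_caps[] = {0x01, 0x05, 0x11, 0x10};
    static const uint8_t now_caps[]  = {0x01, 0x05, 0x10};
    uint8_t cfg[CFG_SIZE];
    pci_fp_t base, now;
    build_cfg(cfg, 0x0001, base_caps, 4); fingerprint(cfg, &base);
    build_cfg(cfg, 0x0002, now_caps, 3);  fingerprint(cfg, &now);
    return compare_to_baseline(&base, &now);
}

/* A capability chain that points back to itself must not hang the scanner. */
int demo_looped_caplist(void) {
    static const uint8_t caps[] = {0x01};
    uint8_t cfg[CFG_SIZE];
    pci_fp_t fp;
    build_cfg(cfg, 0x0001, caps, 1);
    cfg[0x41] = 0x40;                          /* next pointer -> itself */
    fingerprint(cfg, &fp);
    return compare_to_baseline(NULL, &fp);     /* slot had no baseline */
}

int main(void) {
    int f = demo_findings();
    printf("known slot: findings 0x%x%s%s%s\n", f, (f & F_CLASS_MISMATCH) ? " class" : "",
           (f & F_SUBSYS_CHANGED) ? " subsystem" : "", (f & F_CAPS_CHANGED) ? " capabilities" : "");
    printf("new slot with looped chain: findings 0x%x\n", demo_looped_caplist());
    return 0;
}
```

On a Linux host the 256 header bytes for a function come from /sys/bus/pci/devices/<domain:bus:dev.fn>/config, so the same fingerprint() can run over every device at boot and be diffed against a stored inventory. This is the detective half of the picture; the preventive half is the IOMMU/VT-d remapping named in the same list, which keeps a device's DMA inside the buffers the OS has mapped for it regardless of what the device claims to be.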

Advanced Techniques


Wireless DMA


- pcileech-wifi: Wireless card emulation
- Remote memory access
- Extended range operation

SMM (System Management Mode)


- Ring -2 execution
- Highest privilege level
- Extremely stealthy
- Complex implementation

VMD Controller Emulation


- Virtual Management Device
- Hide behind Intel VMD
- Complex detection evasion

Firmware Development Guide


Project Structure


/firmware
├── src/
│   ├── pcie_core.v       # PCIe core
│   ├── tlp_handler.v     # TLP processing
│   ├── dma_engine.v      # DMA implementation
│   └── config_space.v    # Config emulation
├── constraints/
│   └── board.xdc         # Pin constraints
└── scripts/
    └── build.tcl         # Build script

Key Components


```verilog
// TLP packet handling: port list of the module that decodes inbound TLPs
// and drives the DMA engine. The page shows only the interface; the body
// is left as a placeholder so the module is syntactically complete.
module tlp_handler (
    input wire clk,
    input wire [127:0] rx_data,
    output reg [127:0] tx_data,
    // DMA interface
    output reg [63:0] dma_addr,
    output reg [31:0] dma_data,
    output reg dma_read,
    output reg dma_write
);
    // TLP decode and DMA request logic goes here
endmodule
```

Security Considerations


Ethical Use


- Security research only
- Authorized testing environments
- Responsible disclosure
- Legal compliance

Risk Awareness


- Physical hardware access required
- Potential system instability
- Detection by advanced anti-cheat
- Legal implications

Resource Organization


The README contains:
  • pcileech and derivatives
  • FPGA firmware projects
  • DMA libraries
  • Integration tools
  • Device emulation firmware
  • Anti-detection implementations


Data Source


Important: This skill provides conceptual guidance and overview information. For detailed information including:
  • Specific GitHub repository links
  • Complete project lists with descriptions
  • Up-to-date tools and resources
  • Code examples and implementations
Please fetch the complete data from the main repository:
https://raw.githubusercontent.com/gmh5225/awesome-game-security/refs/heads/main/README.md
The main README contains thousands of curated links organized by category. When users ask for specific tools, projects, or implementations, retrieve and reference the appropriate sections from this source.