Inception and PCILeech

By Nyotron Security Research Team

Inception is another tool in the advanced hacker's toolbox, but one that grants unusually powerful capabilities.

Computers are made of various components, most of which are connected to one another through the motherboard. A few standards exist for transferring data between these components.

The Inception tool uses one of these standards, SBP-2 (the Serial Bus Protocol carried over FireWire/IEEE 1394), to identify itself as a low-level device. Devices of this kind usually use DMA (Direct Memory Access), reading and writing system memory without going through the CPU.

Modern operating systems separate the ACTUAL (physical) location of data in memory from the VIRTUAL addresses that programs see. Anyone who gains direct memory access bypasses that separation and can alter anything in the operating system, provided they know what memory to alter and where.

The reason this tool can do what it does is simply the “trust” relationship between the operating system and SBP-2 devices: the OS grants them direct access to memory.

As amazing as this tool may seem at first, it relies on physical access to a machine. Physical access usually isn’t easy to obtain, and it requires reaching the motherboard or some extension of it. Imagine that the only way to reach a USB port on your laptop were to open the case with a screwdriver. That is how the computer actually works, but to spare users the screwdriver and the technical knowledge, the motherboard’s ports are extended to the outside of the case. Similarly, an attacker needs access to a FireWire port on the motherboard, or to one of its extensions on the case.

Figure: FireWire port on a PC.

Figure: FireWire port on a MacBook Pro.

Direct memory access attacks aren’t new; tools for them already exist and are known to be used by various government agencies. Recently, a sophisticated tool, PCILeech, was published with a wide range of capabilities and extensibility. An attacker who can read and write RAM directly must still know what to change, where and how, in order to perform actions on the computer. PCILeech aggregates various known techniques for taking hold of the machine; among its capabilities are executing kernel code and uploading and downloading files.
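As an added defender-side example (not code from the original post, from Inception or from PCILeech), the Python audit below parses `lsmod` output and modprobe.d configuration to report whether the Linux FireWire/SBP-2 modules that carry the DMA path described above are loaded or left un-blacklisted. The module names are the real Linux ones; the sample inputs are constructed.

```python
import glob
import re
import subprocess

# Linux modules that implement the FireWire (IEEE 1394) stack and its SBP-2
# driver, i.e. the path through which an Inception-style device obtains DMA.
# lsmod prints names with underscores; modprobe accepts '-' and '_' alike.
FIREWIRE_MODULES = {"firewire_core", "firewire_ohci", "firewire_sbp2"}

def loaded_modules(lsmod_output):
    """Parse lsmod text into the set of loaded module names."""
    names = set()
    for line in lsmod_output.splitlines()[1:]:  # skip the "Module Size Used by" header
        parts = line.split()
        if parts:
            names.add(parts[0].replace("-", "_"))
    return names

def blacklisted_modules(modprobe_conf):
    """Collect 'blacklist <module>' entries from modprobe.d-style text."""
    found = set()
    for line in modprobe_conf.splitlines():
        m = re.match(r"\s*blacklist\s+(\S+)", line)
        if m:
            found.add(m.group(1).replace("-", "_"))
    return found

def firewire_exposure(lsmod_output, modprobe_conf):
    """Return (FireWire modules currently loaded, FireWire modules not blacklisted)."""
    loaded = loaded_modules(lsmod_output) & FIREWIRE_MODULES
    unblocked = FIREWIRE_MODULES - blacklisted_modules(modprobe_conf)
    return loaded, unblocked

# Constructed sample inputs: the whole stack is loaded and only the SBP-2 driver
# is blacklisted, so the OHCI controller driver would still bind a hot-plugged device.
SAMPLE_LSMOD = """Module                  Size  Used by
firewire_sbp2          20480  0
firewire_ohci          45056  0
firewire_core          73728  2 firewire_sbp2,firewire_ohci
xhci_pci               24576  0
"""
SAMPLE_MODPROBE = "# constructed /etc/modprobe.d/firewire.conf\nblacklist firewire-sbp2\n"

if __name__ == "__main__":
    try:  # audit the real host when lsmod is available, otherwise use the sample
        lsmod = subprocess.run(["lsmod"], capture_output=True, text=True, check=True).stdout
        conf = "".join(open(p).read() for p in glob.glob("/etc/modprobe.d/*.conf"))
    except (OSError, subprocess.CalledProcessError):
        lsmod, conf = SAMPLE_LSMOD, SAMPLE_MODPROBE
    loaded, unblocked = firewire_exposure(lsmod, conf)
    print("loaded FireWire modules:", sorted(loaded) or "none")
    print("not blacklisted:", sorted(unblocked) or "none")
```

Blacklisting these modules only removes the FireWire driver path; an IOMMU remains the general defence against DMA from untrusted devices on any port.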

Sources: GitHub, Break & Enter