DMA Attacks Intermediate - 4 days - 4200€ excl. tax
Description
Physical access to a machine opens up significant attack vectors, particularly through Direct Memory Access (DMA). These attacks allow an external hardware component to read and write directly to the target's RAM, bypassing the operating system, authentication, and traditional software protections.
During this four-day training course, participants will explore the hardware architecture of modern systems and learn how to leverage connectivity options (PCI Express, M.2, etc.) to perform memory dumps. The course covers the use of specific hardware tools (PCIScreamer, USB3380) and the PCILeech framework for injecting code or bypassing authentication on the fly. A significant portion of the training is also dedicated to reverse engineering for writing custom signatures, as well as forensic analysis of memory dumps using Volatility.
- 4 days (28 hours)
- Handling of specific interception equipment (PCIScreamer, USB3380)
- Balanced allocation of time between offensive exploitation (PCILeech) and memory analysis (Volatility)
- Practical exercises on Windows and Linux targets
Objectives
- Understand hardware architecture and DMA access concepts
- Connect and use hardware capture equipment (PCIScreamer, USB3380)
- Bypass system security mechanisms (BIOS, IOMMU) and local authentication methods
- Use PCILeech to manipulate RAM and inject shellcode
- Reverse engineer authentication mechanisms to write custom signatures
- Perform advanced forensic analysis on memory dumps using Volatility
Public and prerequisites
This training is designed for technical professionals seeking to understand and exploit hardware vulnerabilities related to physical memory access.
- Pentesters / Red Teamers
- Security researchers and low-level developers
- Forensic and Incident Response (CSIRT) analysts
A solid understanding of operating system architecture (Windows/Linux) and the command line is required. Basic knowledge of reverse engineering (using IDA or Ghidra) and memory analysis is a significant advantage for the practical exercises.
Content
Day 1
- Computer architecture: peripherals, data buses, key components, connectors, RAM types (frequencies, dual/triple channel).
- DMA concepts: history, access types, modern attack vectors, hotplug connectors.
- Security mechanisms: BIOS/OS-level protections, detecting whether protections such as the IOMMU are present.
- Protection bypass: BIOS password erasure (clear CMOS, manufacturer passwords, brute force), IOMMU-related vulnerabilities.
- Capture hardware: presentation of the PCIScreamer and USB3380, connection methodology depending on the target, handling hardware issues (interference, compatibility).
- Labs: performing physical dumps of RAM via PCI Express, M.2, and USB3380.
Day 2
- PCILeech: internal workings and use of the tool.
- Exploitation: RAM extraction, memory manipulation, on-the-fly authentication bypass, kernel shellcode injection.
- Reverse engineering (signatures): presentation of Windows and Linux authentication mechanisms, identification of the structures to modify.
- Analysis tools: introduction to IDA/Ghidra for analyzing and patching these mechanisms.
- Labs: writing a custom signature file (.sig) to successfully bypass authentication on a target Linux system.
Day 3
- Post-exploitation techniques: dumping physical disks from administrator access (Linux/Windows), technical limitations.
- RAM analysis: introduction to the Volatility framework (v2 vs. v3), installation, internal workings, generating profiles/images for different operating systems.
- Reconnaissance: methods to determine the Linux version and type (via the network, via a memory dump).
- Labs: performing a disk dump from Linux and Windows access, analyzing a Windows RAM dump with Volatility (tracking and searching for malicious processes).
Day 4
- Volatility in depth: refresher, review of the complex process of generating image files (OS profiles).
- Investigation labs: complete OS fingerprinting (network and memory), creation from scratch of a Volatility signature file for a specific Linux target, in-depth analysis of a Linux RAM dump to identify a persistent malicious process.
- Conclusion: summary of key points and attack vectors.
- Evolution of defenses: vendor developments to monitor, deployment of DMA Guard, native integration and systematic use of the IOMMU in Windows.
All the details regarding how the training is conducted are described on this page.