ulfr11
committed
Jul 31, 2016
0 parents
commit 6b00fc1
Showing
100 changed files
with
11,494 additions
and
0 deletions.
@@ -0,0 +1,38 @@ | ||
|
||
Microsoft Visual Studio Solution File, Format Version 12.00 | ||
# Visual Studio 14 | ||
VisualStudioVersion = 14.0.25123.0 | ||
MinimumVisualStudioVersion = 10.0.40219.1 | ||
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "pcileech", "pcileech\pcileech.vcxproj", "{DFFA1B4C-279B-4356-ADB1-08A6F4795931}" | ||
EndProject | ||
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "pcileech_gensig", "pcileech_gensig\pcileech_gensig.vcxproj", "{C55314C6-71A0-4AE2-A4F0-E5E531A5E065}" | ||
EndProject | ||
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "pcileech_shellcode", "pcileech_shellcode\pcileech_shellcode.vcxproj", "{5C698F13-6E9F-46F3-95FC-55376A65D8BF}" | ||
EndProject | ||
Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{41BC2617-A896-4D63-9F5E-ED26C5A613B8}" | ||
ProjectSection(SolutionItems) = preProject | ||
LICENSE = LICENSE | ||
readme.md = readme.md | ||
EndProjectSection | ||
EndProject | ||
Global | ||
GlobalSection(SolutionConfigurationPlatforms) = preSolution | ||
Debug|x64 = Debug|x64 | ||
Release|x64 = Release|x64 | ||
EndGlobalSection | ||
GlobalSection(ProjectConfigurationPlatforms) = postSolution | ||
{DFFA1B4C-279B-4356-ADB1-08A6F4795931}.Debug|x64.ActiveCfg = Debug|x64 | ||
{DFFA1B4C-279B-4356-ADB1-08A6F4795931}.Debug|x64.Build.0 = Debug|x64 | ||
{DFFA1B4C-279B-4356-ADB1-08A6F4795931}.Release|x64.ActiveCfg = Release|x64 | ||
{DFFA1B4C-279B-4356-ADB1-08A6F4795931}.Release|x64.Build.0 = Release|x64 | ||
{C55314C6-71A0-4AE2-A4F0-E5E531A5E065}.Debug|x64.ActiveCfg = Debug|x64 | ||
{C55314C6-71A0-4AE2-A4F0-E5E531A5E065}.Debug|x64.Build.0 = Debug|x64 | ||
{C55314C6-71A0-4AE2-A4F0-E5E531A5E065}.Release|x64.ActiveCfg = Release|x64 | ||
{C55314C6-71A0-4AE2-A4F0-E5E531A5E065}.Release|x64.Build.0 = Release|x64 | ||
{5C698F13-6E9F-46F3-95FC-55376A65D8BF}.Debug|x64.ActiveCfg = Release|x64 | ||
{5C698F13-6E9F-46F3-95FC-55376A65D8BF}.Release|x64.ActiveCfg = Release|x64 | ||
EndGlobalSection | ||
GlobalSection(SolutionProperties) = preSolution | ||
HideSolutionNode = FALSE | ||
EndGlobalSection | ||
EndGlobal |
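--- /dev/null
+++ b/consoleredir.c
@@ -0,0 +1,101 @@
+// consoleredir.c : implementation related 'console redirect' functionality.
+//
+// (c) Ulf Frisk, 2016
+// Author: Ulf Frisk, pcileech@frizk.net
+//
+#include "consoleredir.h"
+#include "device.h"
+#include "util.h"
+
+// If console redirection is enabled separate buffers are allocated and is as
+// follows below:
+// page 2: Read/Write - input part (input to targeted console window)
+// 0..n = USERSHELL_BUFFER_IO struct
+// n+1..0xfff = input buffer
+// page 3: Read/Write - output part (output from targeted console window)
+// 0..n = USERSHELL_BUFFER_IO struct
+// n+1..0xfff = output buffer
+#define USERSHELL_BUFFER_IO_MAGIC 0x012651232dfef9521
+#define USERSHELL_BUFFER_IO_SIZE 0x800
+typedef struct tUSERSHELLBUFFERIO {
+QWORD qwMagic;
+QWORD cbRead;
+QWORD cbReadAck;
+QWORD qwDebug[10];
+BYTE pb[];
+} USERSHELL_BUFFER_IO, *PUSERSHELL_BUFFER_IO;
+
+typedef struct tdCONSOLEREDIR_THREADDATA {
+PCONFIG pCfg;
+PDEVICE_DATA pDeviceData;
+PUSERSHELL_BUFFER_IO pInfoIS;
+PUSERSHELL_BUFFER_IO pInfoOS;
+BYTE pbDataISConsoleBuffer[4096];
+BYTE pbDataOSConsoleBuffer[4096];
+} CONSOLEREDIR_THREADDATA, *PCONSOLEREDIR_THREADDATA;
+
+// input buffer to targeted console (outgoing info)
+// read from this console and send to targeted console
+DWORD ConsoleRedirect_ThreadConsoleInput(PCONSOLEREDIR_THREADDATA pd)
+{
+HANDLE hConsole = GetStdHandle(STD_OUTPUT_HANDLE);
+DWORD cbWrite, cbModulo, cbModuloAck;
+while(TRUE) {
+while(pd->pInfoOS->cbRead == pd->pInfoIS->cbReadAck) {
+Sleep(10);
+continue;
+}
+cbModulo = pd->pInfoOS->cbRead % USERSHELL_BUFFER_IO_SIZE;
+cbModuloAck = pd->pInfoIS->cbReadAck % USERSHELL_BUFFER_IO_SIZE;
+if(cbModuloAck < cbModulo) {
+WriteConsoleA(hConsole, pd->pInfoOS->pb + cbModuloAck, cbModulo - cbModuloAck, &cbWrite, NULL);
+}
+else {
+WriteConsoleA(hConsole, pd->pInfoOS->pb + cbModuloAck, USERSHELL_BUFFER_IO_SIZE - cbModuloAck, &cbWrite, NULL);
+}
+pd->pInfoIS->cbReadAck += cbWrite;
+}
+}
+
+DWORD ConsoleRedirect_ThreadConsoleOutput(PCONSOLEREDIR_THREADDATA pd)
+{
+HANDLE hConsoleIn = GetStdHandle(STD_INPUT_HANDLE);
+DWORD cbRead;
+while(TRUE) {
+ReadConsoleA(hConsoleIn, pd->pInfoIS->pb + (pd->pInfoIS->cbRead % USERSHELL_BUFFER_IO_SIZE), 1, &cbRead, NULL);
+pd->pInfoIS->cbRead += cbRead;
+while(pd->pInfoIS->cbRead - pd->pInfoOS->cbReadAck >= USERSHELL_BUFFER_IO_SIZE) {
+Sleep(10);
+}
+}
+}
+
+VOID ActionConsoleRedirect(_In_ PCONFIG pCfg, _In_ PDEVICE_DATA pDeviceData, _In_ QWORD ConsoleBufferAddr_InputStream, _In_ QWORD ConsoleBufferAddr_OutputStream)
+{
+BOOL result;
+PCONSOLEREDIR_THREADDATA pd = LocalAlloc(LMEM_ZEROINIT, sizeof(CONSOLEREDIR_THREADDATA));
+if(!pd) { return; }
+pd->pCfg = pCfg;
+pd->pDeviceData = pDeviceData;
+pd->pInfoIS = (PUSERSHELL_BUFFER_IO)pd->pbDataISConsoleBuffer;
+pd->pInfoOS = (PUSERSHELL_BUFFER_IO)pd->pbDataOSConsoleBuffer;
+// read initial buffer and check validity
+Sleep(250);
+result = DeviceReadMEM(pDeviceData, ConsoleBufferAddr_OutputStream, pd->pbDataOSConsoleBuffer, 0x1000);
+if(pd->pInfoOS->qwMagic != USERSHELL_BUFFER_IO_MAGIC) {
+printf("\nCONSOLE_REDIRECT: Error: Adress 0x%016llX does not contain a valid console buffer.\n", ConsoleBufferAddr_OutputStream);
+return;
+}
+// create worker threads
+CreateThread(NULL, 0, ConsoleRedirect_ThreadConsoleInput, pd, 0, NULL);
+CreateThread(NULL, 0, ConsoleRedirect_ThreadConsoleOutput, pd, 0, NULL);
+// buffer syncer
+while(TRUE) {
+result = DeviceReadMEM(pDeviceData, ConsoleBufferAddr_OutputStream, pd->pbDataOSConsoleBuffer, 0x1000);
+if(!result || pd->pInfoOS->qwMagic != USERSHELL_BUFFER_IO_MAGIC) {
+printf("\nCONSOLE_REDIRECT: Error: Adress 0x%016llX does not contain a valid console buffer.\n", ConsoleBufferAddr_OutputStream);
+return;
+}
+DeviceWriteMEM(pDeviceData, ConsoleBufferAddr_InputStream, pd->pbDataISConsoleBuffer, 0x1000);
+}
+}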
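Review bot: `cbWrite` in ConsoleRedirect_ThreadConsoleInput is never initialized and the return value of both WriteConsoleA calls is ignored, so if the first write fails `pd->pInfoIS->cbReadAck += cbWrite` adds an indeterminate value to a counter that is then DMA-written into the target's buffer; `cbRead` and the unchecked ReadConsoleA in ConsoleRedirect_ThreadConsoleOutput have the same problem. Initialize and reset on failure: `DWORD cbWrite = 0, cbModulo, cbModuloAck;` and `if(!WriteConsoleA(hConsole, pd->pInfoOS->pb + cbModuloAck, cbModulo - cbModuloAck, &cbWrite, NULL)) { cbWrite = 0; }` (likewise for the else branch and the ReadConsoleA call). Since cbRead and cbReadAck are copied from target memory over DMA they are untrusted input; the `% USERSHELL_BUFFER_IO_SIZE` is what keeps every pointer into pb inside the 4096-byte local copy (the struct header plus at most 0x800 bytes, assuming QWORD is 8 bytes), and that bound deserves a comment next to the define so it survives a future resize. Separately, the first DeviceReadMEM result at the top of ActionConsoleRedirect is discarded, so a failed read is reported as "not a valid console buffer" rather than as a read error; mirror the `!result ||` check the syncer loop already uses, and note that the early `return` in that loop leaves both worker threads running on `pd`.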
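--- /dev/null
+++ b/consoleredir.h
@@ -0,0 +1,20 @@
+// consoleredir.h : definitions related to 'console redirect' functionality.
+//
+// (c) Ulf Frisk, 2016
+// Author: Ulf Frisk, pcileech@frizk.net
+//
+#ifndef __CONSOLEREDIR_H__
+#define __CONSOLEREDIR_H__
+#include "pcileech.h"
+
+/*
+* Connect to an interactive console at the target system over DMA. This works
+* by reading and writing memory buffers on the target system.
+* -- pCfg
+* -- pDeviceData
+* -- ConsoleBufferAddr_InputStream = DMA buffer on target system for input.
+* -- ConsoleBufferAddr_OutputStream = DMA buffer on target system for output.
+*/
+VOID ActionConsoleRedirect(_In_ PCONFIG pCfg, _In_ PDEVICE_DATA pDeviceData, _In_ QWORD ConsoleBufferAddr_InputStream, _In_ QWORD ConsoleBufferAddr_OutputStream);
+
+#endif /* __CONSOLEREDIR_H__ */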
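Review bot: The comment on ActionConsoleRedirect does not say that the call blocks for as long as redirection works: the implementation in consoleredir.c spins in a sync loop and returns only when the output-stream buffer fails the magic check or a DMA read fails, and the worker threads it started appear not to be stopped on that return. Add to the header comment: ` * Blocks while redirection is active; returns only if the output buffer does not carry the expected magic or a DMA read fails.` and ` * Both buffers are read from the target over DMA and must be treated as untrusted input.` The `__CONSOLEREDIR_H__` guard uses a double-underscore name reserved for the implementation; `PCILEECH_CONSOLEREDIR_H` would avoid the collision risk, though this matches the convention used across the commit.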
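--- /dev/null
+++ b/cpuflash.c
@@ -0,0 +1,50 @@
+// cpuflash.c : implementation related to 8051 CPU and EEPROM flashing.
+//
+// (c) Ulf Frisk, 2016
+// Author: Ulf Frisk, pcileech@frizk.net
+//
+#include "cpuflash.h"
+#include "device.h"
+
+VOID ActionFlash(_In_ PCONFIG pCfg, _In_ PDEVICE_DATA pDeviceData)
+{
+BOOL result;
+printf("Flashing firmware ... \n");
+if(!pCfg->cbIn || pCfg->cbIn > 32768) {
+printf("Flash failed: failed to open file or invalid size\n");
+return;
+}
+if(pCfg->pbIn[0] != 0x5a || *(WORD*)(pCfg->pbIn + 2) > (DWORD)pCfg->cbIn - 1) {
+printf("Flash failed: invalid firmware signature or size\n");
+return;
+}
+result = DeviceFlashEEPROM(pDeviceData, pCfg->pbIn, (DWORD)pCfg->cbIn);
+if(!result) {
+printf("Flash failed: failed to write firmware to device\n");
+return;
+}
+printf("SUCCESS!\n");
+}
+
+VOID Action8051Start(_In_ PCONFIG pCfg, _In_ PDEVICE_DATA pDeviceData)
+{
+BOOL result;
+printf("Loading 8051 executable and starting ... \n");
+if(!pCfg->cbIn || pCfg->cbIn > 32768) {
+printf("8051 startup failed: failed to open file or invalid size\n");
+return;
+}
+result = Device8051Start(pDeviceData, pCfg->pbIn, (DWORD)pCfg->cbIn);
+if(!result) {
+printf("8051 startup failed: failed to write executable to device or starting 8051\n");
+return;
+}
+printf("SUCCESS!\n");
+}
+
+VOID Action8051Stop(_In_ PCONFIG pCfg, _In_ PDEVICE_DATA pDeviceData)
+{
+printf("Stopping 8051 ... \n");
+Device8051Stop(pDeviceData);
+printf("SUCCESS!\n");
+}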
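Review bot: The signature check in ActionFlash reads a 16-bit value at `pCfg->pbIn + 2`, but the size guard just above it only rejects `cbIn == 0` and `cbIn > 32768`, so a 1- to 3-byte input file is read past the end of pbIn before the check can reject it. Tighten the guard to `if(pCfg->cbIn < 4 || pCfg->cbIn > 32768) {` so the header bytes are guaranteed to exist, and consider reading the WORD with memcpy rather than a cast since pbIn is a BYTE buffer. The 32768 limit is repeated verbatim in Action8051Start; a named constant such as `#define FIRMWARE_MAX_SIZE 32768` keeps the two checks in step. Action8051Stop accepts pCfg but never reads it, which is fine for a uniform action signature but worth a one-line comment so the unused parameter is not mistaken for a missing validation.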
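--- /dev/null
+++ b/cpuflash.h
@@ -0,0 +1,32 @@
+// cpuflash.h : definitions related to 8051 CPU and EEPROM flashing.
+//
+// (c) Ulf Frisk, 2016
+// Author: Ulf Frisk, pcileech@frizk.net
+//
+#ifndef __CPUFLASH_H__
+#define __CPUFLASH_H__
+#include "pcileech.h"
+
+/*
+* Flash a new firmware into the onboard memory of the USB3380 card.
+* This may be dangerious and the device may stop working after a reflash!
+* -- pCfg = The configuration data containing the flash image filename.
+* -- pDeviceData
+*/
+VOID ActionFlash(_In_ PCONFIG pCfg, _In_ PDEVICE_DATA pDeviceData);
+
+/*
+* Load a program into the 8051 CPU and start executing it.
+* -- pCfg = The configuration data containing the program image filename.
+* -- pDeviceData
+*/
+VOID Action8051Start(_In_ PCONFIG pCfg, _In_ PDEVICE_DATA pDeviceData);
+
+/*
+* Stop the onboard 8051 CPU if its running.
+* -- pCfg
+* -- pDeviceData
+*/
+VOID Action8051Stop(_In_ PCONFIG pCfg, _In_ PDEVICE_DATA pDeviceData);
+
+#endif /* __CPUFLASH_H__ */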
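Review bot: The ActionFlash comment describes pCfg as carrying "the flash image filename", but the implementation in cpuflash.c consumes the already-loaded `pCfg->pbIn`/`pCfg->cbIn` buffer and refuses anything larger than 32768 bytes or not starting with byte 0x5a; since the header itself warns the write can leave the device unusable, those preconditions belong here where callers read them. Suggested line: ` * The image is taken from pCfg->pbIn/cbIn; it must be at most 32768 bytes and begin with signature byte 0x5a, otherwise nothing is written.` While there, `dangerious` should read `dangerous`, `if its running` should read `if it is running`, and the `-- pCfg` entry on Action8051Stop documents a parameter the implementation does not read.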