ATA-based DMA-attacking PoC tool written in Rust

Overview

atadma-rs


Introduction

This PoC is modified from ddma by btbd. Both the CLI tool and the Windows driver are written in Rust.

Supported Platforms

OS: Any x64 Windows. This project does not use new kernel APIs, so it should run on any x64 Windows.
The system must have at least one SATA disk.

Build

IMPORTANT: You are required to install the nightly Rust toolchain, since the WDK for Rust is only available on nightly!

To build the caller program, use the standard way to build a Rust program:

cargo build

To build the driver program, you need the following prerequisites:

Then start building.

cd atadma-drv
V:\LaunchBuildEnv.bat
make

If this is your first time building the driver, make sure your console is running with Administrator privilege, because cargo will have to build the WDK crates for you.

Note that the atadma_drv_fixed.sys is the final driver file you will be using.

Run

Install the driver in Administrator privilege:

sc create atadma type= kernel binPath= <Path to driver file> DisplayName=atadma
sc start atadma

Note that this command does not install the driver permanently. After a system reboot you need to start it again; sc start atadma is enough.

Warning: This program will write to the first 8 sectors of a disk. Hence, if the system crashes while this PoC is in the middle of a DMA operation, the head of your disk (those first sectors, which hold the MBR and the start of the GPT) will be destroyed. ONLY YOU WILL BE RESPONSIBLE FOR POTENTIAL DATA LOSSES!
In other words, YOU MUST AT LEAST BACKUP THE FIRST EIGHT SECTORS OF YOUR DISK!
For virtual machines, you may simply use snapshots.
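The backup the warning above asks for, as an added example that is not part of the atadma-rs project: it copies the first eight sectors from any readable, seekable disk handle (on Windows you would open something like \\.\PhysicalDrive0 read-only; the path and a 512-byte sector size are assumptions), reports whether the region holds an MBR signature and a GPT header so you know what the backup actually protects, and restores it afterwards.

```rust
use std::io::{self, Read, Seek, SeekFrom, Write};

/// Sector size assumed here; 512 bytes is the norm for SATA disks.
pub const SECTOR_SIZE: usize = 512;
/// The PoC overwrites the first eight sectors, so that is the region to preserve.
pub const SECTORS_AT_RISK: usize = 8;

/// What the backed-up region was found to contain.
#[derive(Debug, PartialEq, Eq)]
pub struct HeadInfo {
    pub has_mbr_signature: bool, // 0x55AA in the last two bytes of sector 0
    pub has_gpt_header: bool,    // "EFI PART" at the start of sector 1
}

/// Read the first eight sectors of `disk` (e.g. a read-only handle to the
/// physical drive) into a buffer that can then be saved as a backup file.
pub fn backup_head<R: Read + Seek>(disk: &mut R) -> io::Result<Vec<u8>> {
    let mut buf = vec![0u8; SECTOR_SIZE * SECTORS_AT_RISK];
    disk.seek(SeekFrom::Start(0))?;
    disk.read_exact(&mut buf)?;
    Ok(buf)
}

/// Tell the operator which on-disk structures the backup covers.
pub fn inspect_head(buf: &[u8]) -> HeadInfo {
    HeadInfo {
        has_mbr_signature: buf.len() >= SECTOR_SIZE
            && buf[SECTOR_SIZE - 2..SECTOR_SIZE] == [0x55, 0xAA],
        has_gpt_header: buf.len() >= 2 * SECTOR_SIZE
            && &buf[SECTOR_SIZE..SECTOR_SIZE + 8] == b"EFI PART",
    }
}

/// Write a backup taken with `backup_head` back to the start of `disk`.
/// Refuses anything that is not exactly eight sectors long, so a truncated
/// or wrong file can never be written over the disk head by mistake.
pub fn restore_head<W: Write + Seek>(disk: &mut W, backup: &[u8]) -> io::Result<()> {
    if backup.len() != SECTOR_SIZE * SECTORS_AT_RISK {
        return Err(io::Error::new(
            io::ErrorKind::InvalidInput,
            "backup must be exactly eight sectors long",
        ));
    }
    disk.seek(SeekFrom::Start(0))?;
    disk.write_all(backup)?;
    disk.flush()
}
```

Note that eight sectors cover the MBR and the GPT header but not the whole GPT partition entry array, which normally extends to sector 33; a full image of the first 34 sectors is the safer choice if you have the space.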

Then execute the program. It does not require Administrator privilege and can be placed anywhere.

atadma-rs <command> <address>

To unload the driver:

sc stop atadma
sc delete atadma

The println! macro provided by the WDK crate actually calls DbgPrint. Therefore, to see the debug output in the debugger, execute the following command in WinDbg:

ed nt!Kd_DEFAULT_Mask f

If you need to make this setting permanent, you will need to modify the debuggee's registry:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Debug Print Filter" /v "DEFAULT" /t REG_DWORD /d 15 /f

Command

There are four commands:

  • read command can be used to read any kernel virtual address.
  • readphys command can be used to read any physical address.
  • write and writephys are reserved but currently unimplemented commands.

Address

The address must be specified in hexadecimal, is case-insensitive, and must not carry a 0x prefix.

Theory

This PoC exploits the DMA capability of AHCI controllers by purposefully setting the DMA flag in the ATA_PASS_THROUGH_DIRECT structure to transfer data between the disk and memory.
Simply put, this PoC writes content to the disk and then reads it back from the disk in order to perform the DMA attack.

Writing to protected memory means reading from the disk while specifying the protected memory as the destination.
Reading from protected memory means writing to the disk while specifying the protected memory as the source.

License

This repository is licensed under the MIT License.

Owner
Zero Tang
MS student graduated from Columbia University. Researcher of VM, OS and computer architecture. Founder of Project NoirVisor.