PCILeech release by Frisk.
A DMA attack framework enabling external devices to access memory over PCIe, bringing DMA attacks to the masses. https://github.com/ufrisk/pcileech
BattlEye (BE) implements master abort detection and detects stock pcileech-fpga via VID/PID.
Issue: Led to false positives, as legitimate hardware such as an Artix-7 based capture card or an XHCI controller could trip the same checks.
Easy Anti-Cheat (EAC) starts signing the Xilinx 7-series configuration space (blocks at 0x40 and 0x60) and detects stock pcileech-fpga via VID/PID.
Issue: Bypassed by slightly shifting the PCIe capability pointer, which moves the capability out of the signed blocks and lets cheaters evade the check.
Issue 2: Legitimate Artix-7 devices could cause false positives.
FACEIT detects stock pcileech-fpga via VID/PID and configuration space heuristics.
Issue: Easily bypassed by changing the VID/PID values, a trivial modification.
FACEIT detects invisible firmware.
Issue: Easily bypassed if you null the shadow configuration space as well.
pcileech-multimedia-hd is undetected and abused at pro level.
Issue: Shared with German, which caused the file to spread and leak within a small circle. It abuses a false-positive exemption: the donor device uses a Xilinx 7-series chip and shares the same configuration space as pcileech-fpga.
Valorant Vanguard (VGK) attempts to stop devices that have no driver bound by clearing their Bus Master Enable (BME) bit.
Issue: Bypassed by installing a driver, or a dummy driver, to satisfy the requirement.
VGK implements an is_interrupted mechanism.
Issue: Bypassed by disabling/removing the MSI capability.
Issue 2: People eventually figured out how to send interrupts after reading the Xilinx docs, though only about 3 years later.
Issue 3: Configuration space tricks could eventually break the way they enumerate devices.
FACEIT prevents all Xilinx 7-series devices (except x4-lane ones).
Issue: Easily evaded by those who already had control of the configuration space back then, but most people were not educated enough.
VGK prevents invisible firmware.
Such firmware evaded enumeration.
Latency check by FACEIT.
Issue: Easily evaded by those who already had control of the configuration space back then, but most people were not educated enough.
VGK disables and prevents the Elgato MK2 capture card due to abuse by some players.
High impact on legitimate users, caused by DMA abuse.
drvscan release by ekknod.
Before this point, detection against DMA was almost non-existent, and the firmware market was a pure meme full of scammers: apekros was selling a nulled configuration space as "full emulation" for half a salary. https://www.unknowncheats.me/forum/anti-cheat-bypass/623940-nulled-config-space-pcileech-fpga-firmware-hot-vgk-bypass.html
ACE detects FPGA firmware spoofed as an x16 PCIe device whose link is actually negotiated at x1.
Issue: The same mismatch can happen with some old real devices that don't follow the spec.
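The three config-space checks above (the VID/PID blocklist, the signed fixed blocks that a shifted capability pointer evades, and the advertised-versus-negotiated link width) all come down to parsing a 256-byte type-0 configuration space. The following is an added example, not code from any anti-cheat or from the pcileech project: it constructs sample config spaces by hand (0x10EE is Xilinx's real PCI vendor ID; the device ID 0x1234, the blocklist, the 32-byte block size for the "signed blocks" and the capability layout are assumptions) and shows why hashing fixed offsets is fragile while walking the capability list is not.

```python
import hashlib
import struct

# Capability IDs and register bits from the PCI Local Bus / PCIe Base specifications.
CAP_ID_MSI = 0x05
CAP_ID_PCIE = 0x10
CAP_PTR_OFFSET = 0x34            # Capabilities Pointer in the type-0 header
CMD_BUS_MASTER_ENABLE = 1 << 2   # Command register (0x04), bit 2
STATUS_CAP_LIST = 1 << 4         # Status register (0x06), bit 4

# Hypothetical blocklist (assumption): 0x10EE is Xilinx's real vendor ID, 0x1234 a placeholder device ID.
BLOCKLIST = {(0x10EE, 0x1234)}


def build_config_space(vid, did, cap_ptr, max_width, negotiated_width, bme=True, with_msi=True):
    """Construct a 256-byte type-0 config space (sample data, not a dump of any real device).

    The PCIe capability (ID 0x10) is placed at cap_ptr; an optional MSI capability (ID 0x05)
    follows 0x40 bytes later and terminates the linked list.
    """
    cfg = bytearray(256)
    struct.pack_into("<HH", cfg, 0x00, vid, did)
    struct.pack_into("<HH", cfg, 0x04, CMD_BUS_MASTER_ENABLE if bme else 0, STATUS_CAP_LIST)
    cfg[0x0E] = 0x00                                  # header type 0: endpoint
    cfg[CAP_PTR_OFFSET] = cap_ptr

    msi_off = cap_ptr + 0x40 if with_msi else 0
    cfg[cap_ptr] = CAP_ID_PCIE
    cfg[cap_ptr + 1] = msi_off                        # next pointer; 0 ends the list
    struct.pack_into("<H", cfg, cap_ptr + 0x02, 0x0002)  # PCIe Capabilities: version 2, endpoint
    # Link Capabilities (+0x0C): bits 3:0 max link speed, bits 9:4 Maximum Link Width
    struct.pack_into("<I", cfg, cap_ptr + 0x0C, (max_width << 4) | 0x3)
    # Link Status (+0x12): bits 3:0 current link speed, bits 9:4 Negotiated Link Width
    struct.pack_into("<H", cfg, cap_ptr + 0x12, (negotiated_width << 4) | 0x3)
    if with_msi:
        cfg[msi_off] = CAP_ID_MSI
        cfg[msi_off + 1] = 0x00
    return bytes(cfg)


def walk_capabilities(cfg):
    """Follow the capability linked list and return {cap_id: offset}.

    Tracks visited offsets so a looping or self-referencing list (one of the
    configuration space tricks that can break naive enumerators) terminates.
    """
    caps = {}
    seen = set()
    off = cfg[CAP_PTR_OFFSET] & 0xFC                  # low two bits are reserved
    while off and off not in seen and off + 1 < len(cfg):
        seen.add(off)
        caps[cfg[off]] = off
        off = cfg[off + 1] & 0xFC
    return caps


def fixed_block_fingerprint(cfg, blocks=(0x40, 0x60), size=0x20):
    """Hash fixed config-space windows (assumed 32-byte blocks at 0x40 and 0x60).

    This is the fragile form of the check: shifting the capability pointer changes
    the hash even though the capability contents are identical.
    """
    h = hashlib.sha256()
    for start in blocks:
        h.update(cfg[start:start + size])
    return h.hexdigest()


def analyze(cfg, blocklist):
    """Apply the checks described in the timeline to one config space."""
    vid, did, command = struct.unpack_from("<HHH", cfg, 0x00)
    caps = walk_capabilities(cfg)
    findings = {
        "vid_pid_blocked": (vid, did) in blocklist,
        "bus_master_enabled": bool(command & CMD_BUS_MASTER_ENABLE),
        "has_msi": CAP_ID_MSI in caps,
        "max_width": None,
        "negotiated_width": None,
        "width_mismatch": False,
    }
    if CAP_ID_PCIE in caps:
        pcie = caps[CAP_ID_PCIE]
        link_cap = struct.unpack_from("<I", cfg, pcie + 0x0C)[0]
        link_sts = struct.unpack_from("<H", cfg, pcie + 0x12)[0]
        findings["max_width"] = (link_cap >> 4) & 0x3F
        findings["negotiated_width"] = (link_sts >> 4) & 0x3F
        findings["width_mismatch"] = findings["negotiated_width"] < findings["max_width"]
    return findings


if __name__ == "__main__":
    stock = build_config_space(0x10EE, 0x1234, cap_ptr=0x40, max_width=16, negotiated_width=1)
    shifted = build_config_space(0x10EE, 0x1234, cap_ptr=0x48, max_width=16, negotiated_width=1)
    print("fixed-block hash changed by the shift:",
          fixed_block_fingerprint(stock) != fixed_block_fingerprint(shifted))
    print("capability walk still finds the PCIe cap at 0x%02X" % walk_capabilities(shifted)[CAP_ID_PCIE])
    print(analyze(shifted, BLOCKLIST))
```

The point of the two fingerprinting functions is the capability-pointer shift above: the fixed-block hash changes as soon as the pointer moves, while the walker still lands on the same capability bytes, so a detector should hash what the walk returns rather than fixed offsets. The width mismatch is only a hint on its own: a genuine x16 card in an x4 slot also negotiates narrower, so a real check compares the negotiated width against the upstream port as well.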
pcileech-wifi source code release, bringing the knowledge (PIO, emulation, etc.) to the masses.
Public release democratizing device "emulation"; ekknod released it and showed how to use PIO for BAR support.
FACEIT prevents all Xilinx 7-series devices (including original capture cards like the AVerMedia GC573) due to abuse at the top level by careless users.
The block was triggered by a user who plugged in a WiFi card that had been HWID-banned in the past, which led to 1) deeper inspection and 2) a ban after years of going undetected.
pcileech-multimedia (Spartan-6)
Firmware file released somewhere by ekknod and abused massively on FACEIT for around 4-5 months without causing any bans.
FACEIT prevents the device by VID/PID, totally blocking the original, in-use device.
FACEIT prevents the public pcileech-wifi project by blacklisting its VID/PID.
People only just noticed the is_interrupted mechanism from VGK.
Honestly, good work.
VGK starts experimenting with A/B tests (e.g., is the WiFi connected, does the XHCI controller have a child device, is the NIC connected, etc., for each device type).
Issue: Experimental; avoided by just changing the class code/device type.
VGK detects most configuration space tricks (illegal firmware).
Rogue multifunction devices, rogue bridge devices, "breathing" firmware, etc., used to evade enumeration.
FACEIT prevents public firmware via VID/PID (e.g., pcileech-wifi v2 through v161, which bypassed FACEIT 161 times and required a manual block for each VID/PID).
An attempt to block public DMA firmware, but cheaters iterated VID/PID changes rapidly, forcing repeated manual interventions.
ekknod multimedia source code release, based on a Spartan-6 donor device, used to bypass FACEIT publicly and bringing the knowledge to the masses.
The project was private before. The open-source release enabled public bypasses and educated the community about DMA and about the scam market with its marketing warriors, showing what a 1:1 device should look like.
Shadow configuration space detection mechanism by EAC/ACE.
People started implementing correct read/write configuration space behaviour, or disabling the shadow configuration space, to bypass this specific mechanism.
Another shadow configuration space detection mechanism by EAC/ACE (gummy bear on steroids).
Ithalove firmware was on top at this time.
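Both shadow configuration space entries above rest on the same idea: a shadow config space is a block of RAM that stores whatever the host writes, whereas a real device honours the spec's register semantics (read-only IDs, RW1C status bits, reserved bits that read as zero, BAR size masks). The following is an added example, not EAC's or ACE's code and not a claim about which probes they actually run: it models both kinds of device and runs three spec-defined write/read probes against them. The config-space image, the 4 KiB BAR size and the placeholder device ID 0x1234 under Xilinx's real vendor ID 0x10EE are constructed for the example.

```python
import struct

# Status register (offset 0x06) RW1C bits: 8 (master data parity error) and 11-15
# (signaled/received target abort, received master abort, signaled system error,
# detected parity error). Writing 1 clears them; writing can never set them.
STATUS_RW1C_MASK = 0xF900
COMMAND_DEFINED_MASK = 0x07FF   # Command register bits 0-10 are defined; 11-15 are reserved
BAR0_SIZE = 0x1000              # the constructed device exposes one 4 KiB memory BAR (assumption)

# Constructed image: VID 0x10EE (Xilinx), placeholder DID 0x1234, Command = memory space +
# bus master, Status = capabilities list present, BAR0 assigned at 0xF0000000.
SAMPLE_IMAGE = bytearray(256)
struct.pack_into("<HHHH", SAMPLE_IMAGE, 0x00, 0x10EE, 0x1234, 0x0006, 0x0010)
struct.pack_into("<I", SAMPLE_IMAGE, 0x10, 0xF0000000)


class SpecConfigSpace:
    """Models a device whose config space follows the spec's register semantics."""

    def __init__(self, image):
        self.mem = bytearray(image)

    def read32(self, off):
        return struct.unpack_from("<I", self.mem, off)[0]

    def write32(self, off, value):
        if off == 0x00:                       # Vendor/Device ID are read-only: write dropped
            return
        if off == 0x04:                       # Command (RW, reserved bits ignored) + Status (RW1C)
            status = struct.unpack_from("<H", self.mem, 0x06)[0]
            status &= ~((value >> 16) & STATUS_RW1C_MASK)
            struct.pack_into("<HH", self.mem, 0x04, value & COMMAND_DEFINED_MASK, status)
            return
        if off == 0x10:                       # BAR0: address bits below the size are hard-wired to 0
            struct.pack_into("<I", self.mem, 0x10, value & ~(BAR0_SIZE - 1) & 0xFFFFFFFF)
            return
        struct.pack_into("<I", self.mem, off, value)


class ShadowConfigSpace:
    """Models a naive shadow config space: every byte is a plain RAM cell."""

    def __init__(self, image):
        self.mem = bytearray(image)

    def read32(self, off):
        return struct.unpack_from("<I", self.mem, off)[0]

    def write32(self, off, value):
        struct.pack_into("<I", self.mem, off, value)


def probe(dev):
    """Run three spec-defined write/read probes; return the names of the ones the device fails.

    A real device (or a correct emulation) passes all three; a naive shadow that stores
    whatever is written fails all three. Each probe writes the original value back afterwards.
    """
    failed = []

    # 1. Vendor/Device ID must ignore writes.
    ids = dev.read32(0x00)
    dev.write32(0x00, 0xFFFFFFFF)
    if dev.read32(0x00) != ids:
        failed.append("vid_did_writable")
    dev.write32(0x00, ids)

    # 2. Write all-ones to Command/Status: RW1C status bits must read 0 afterwards
    #    (the write clears them), and reserved Command bits must still read 0.
    saved = dev.read32(0x04)
    dev.write32(0x04, 0xFFFFFFFF)
    after = dev.read32(0x04)
    if (after >> 16) & STATUS_RW1C_MASK:
        failed.append("status_rw1c_bits_set_by_write")
    if after & ~COMMAND_DEFINED_MASK & 0xFFFF:
        failed.append("command_reserved_bits_writable")
    dev.write32(0x04, saved)

    # 3. BAR sizing: after writing all-ones the value read back encodes size and type.
    #    Bits 3:0 can never all be 1 (I/O BARs reserve bit 1, memory BARs never use type 11b).
    bar = dev.read32(0x10)
    dev.write32(0x10, 0xFFFFFFFF)
    mask = dev.read32(0x10)
    if mask & 0xF == 0xF:
        failed.append("bar0_no_size_mask")
    dev.write32(0x10, bar)
    return failed


def bar_size(mask):
    """Decode a memory BAR's size from the value read back after writing all-ones."""
    return (~(mask & 0xFFFFFFF0) & 0xFFFFFFFF) + 1


if __name__ == "__main__":
    print("spec device fails:", probe(SpecConfigSpace(SAMPLE_IMAGE)))
    print("shadow device fails:", probe(ShadowConfigSpace(SAMPLE_IMAGE)))
```

On real hardware these writes go through the OS's config-space access path rather than a bytearray, and the probes are a signal rather than proof: as the timeline notes, firmware that implements the correct read/write behaviour passes them, which is exactly why the next step on the detection side was to look at BAR behaviour and device functionality instead.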
VGK continues experimenting with massive A/B tests, disabling and preventing NVMe devices without disk initialization.
Everdox has more tricks up his sleeve than you think.
ACE starts attacking the BAR of public firmware, gathering a massive amount of data.
R/W behaviour in the BAR; special detection against public firmware.
VGK/EAC detect an FPGA spoofed as an XHCI controller with a sub-device, with massive A/B functionality tests.
Uses randomized A/B testing to identify spoofed USB controllers used for DMA cheats.
FACEIT loads a custom IOMMU configuration at >4k Elo.
Who is going to pentest at this level anyway?
Ditto release - PCIe emulator
Nvidia USB hub firmware with child device
VGK detects Ditto, causing a massive banwave.
EAC detects Ditto, causing a massive banwave.
FACEIT detects Ditto, causing 6 bans.
VGK/EAC detect an FPGA spoofed as a WiFi card using fake packets, with massive A/B functionality tests.
Employs fake packets and A/B testing to expose spoofed WiFi hardware used for DMA.
VGK/EAC detect an FPGA spoofed as a NIC using fake packets, with massive A/B functionality tests.
Targets spoofed network interface cards via fake packets and randomized testing.
VGK/EAC detect an FPGA spoofed as an audio device using fake sub-audio and codec emulation, with massive A/B functionality tests.
Detects spoofed audio devices through fake data packets and A/B testing.
Hybrid PCIe Trace Tools / introduction
MITM device, passthrough, compatible with pcileech
Heino2 introduction to the market
MITM device, passthrough
VGK/ACE prevent and detect the NVMe VMD trick.
Issue: PXE results in a fully invisible VMD; a specific system configuration allows some bypasses.
EAC prevents invisible firmware.
Such firmware evaded enumeration.
EAC is able to scan behind TB4 and prevent Thunderbolt enclosure based attacks.
Such attacks evaded enumeration.
VGK is able to scan behind TB4 and prevent Thunderbolt enclosure based attacks.
Such attacks evaded enumeration.
EAC/VGK implement is_current_nic, disabling 2-NIC setups.
Only one NIC is allowed to work, the one the game uses. The second can be legitimate and connected; it is prevented safely.
ACE implements a proper IOMMU detection mechanism.
Enhanced detection that leverages the IOMMU configuration to counter DMA hardware threats, causing a massive banwave by detecting Heino2/HPTT usage.
VGK implements honeypotted memory regions targeting specific cheats.
Uses decoy memory areas to trap and detect DMA-based cheating attempts, causing paranoia in the cheating scene about what is detected. Massive banwave.
EAC detects an FPGA spoofed as a capture card, with massive A/B functionality tests.
Detects spoofed capture card devices through data packets and A/B testing.
VGK implements a proper IOMMU prevention and detection mechanism.
Strengthens defenses against DMA attacks by enforcing and verifying IOMMU isolation; it can log any access attempts your device makes and prevent them as well. Detects HPTT/Heino2 usage.
EAC continues experimenting with massive A/B tests, disabling and preventing SATA devices without disk initialization, among others.
Includes driver-swap workarounds.
FACEIT implements an IOMMU prevention and detection mechanism.
Aims to block DMA, but caused legitimate users to BSOD. Still a nice implementation. Detects HPTT/Heino2 usage.
People try to circumvent the IOMMU mechanism with a bootkit or hypervisor.
This defeats the whole point of being fully external to the main system.
Getting users to launch potentially dangerous, infected and unsigned bootkits will lead to users' credentials being stolen.