Skip to content
/ ZombieLoadExample Public

Proof-of-Concept of the ZombieLoad-Attack for a demonstration on Intel's i7-7700k using Windows 10 Pro

4 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

AndrikSeeger/ZombieLoadExample

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

34 Commits
attacker
attacker
Β 
Β 
victim
victim
Β 
Β 
README.md
README.md
Β 
Β 

Repository files navigation

πŸ§Ÿβ€β™‚οΈ ZombieLoad PoC

This repository contains two applications to demonstrate the ZombieLoad Hack as an example of Microarchitectural Data Sampling (MDS).

For technical information about the exploited bug, refer to the paper:

πŸ“„ ZombieLoad: Cross-Privilege-Boundary Data Sampling by Schwarz, Lipp, Moghimi, Van Bulck, Stecklina, Prescher, and Gruss

πŸ§ͺ Proof of Concept (PoC)

This repository contains a Proof of Concept attack showing ZombieLoad on Windows 10. It also includes a victim application to test the leakage in various scenarios.

🧠 This demo was tested with an Intel Core i7-7700k, but it should work on any Windows 10 system with a modern Intel Core or Xeon CPU (2010 or newer).

⚑ For best results, use a fast CPU that supports Intel TSX (e.g. most i7-5xxx, i7-6xxx, or i7-7xxx).

πŸ› οΈ Building

The PoCs only require MinGW-w64 to compile. Building the attacker or victim is as simple as running:

make

in the respective application folder.

πŸ“¦ Alternatively, you can try out the precompiled executables in the v1.0 release.

▢️ Run

πŸ•΅οΈ Attacker Application

This variant does not require special CPU features or privileges. Run the attacker on the first hyperthread (affinity mask: 0b1):

start /affinity 1 .\leak.exe

πŸ•‘ It may take a while until the leakage starts. Launching memory-intensive apps (e.g., a browser) can help reduce this delay.

🎯 Victim Application

Run the victim on the same physical core, but a different hyperthread (mask: 0b10000):

start /affinity 16 .\secret.exe

You can also pass a secret letter as a parameter:

start /affinity 16 .\secret.exe M

By default, the secret letter is 'A'. As soon as the victim starts, the attacker should show a clear signal β€” the bar for the leaked letter will grow.

πŸ†˜ Help

🧩 How do I know which core IDs are hyperthreads?

Use the Coreinfo tool from Windows Sysinternals. The core count for affinity masks starts at 0b1.

πŸ’» Can I run the PoC in a virtual machine?

Yes β€” it works in VMs, though it may perform worse due to virtualization overhead.

πŸ€” It just doesn't work on my computer β€” what can I do?

There are many possible causes. Try the following tips:

  • πŸ”‹ Make sure your CPU frequency is at maximum and that frequency scaling is disabled
  • πŸ”Œ If on a laptop, plug it in for maximum performance
  • 🎯 Pin the attacker and victim to specific cores (e.g. with taskset) β€” both must be on the same physical core
  • πŸŒ€ Try changing system load β€” more or less background activity can make a difference
  • πŸ”„ Restart the demos β€” or even your computer. After standby, timing issues can occur on some systems.

About

Proof-of-Concept of the ZombieLoad-Attack for a demonstration on Intel's i7-7700k using Windows 10 Pro

Topics

intel hardware-hacking privilege-escalation-exploits

Resources

Readme
Activity

Stars

4 stars

Watchers

0 watching

Forks

0 forks
Report repository

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages