_Remoting
⚠️ MemProcFS Remoting and LeechAgent are only available on Windows. It is not possible to install on, or connect to, a remote system from Linux.
MemProcFS Remoting allows for extremely efficient remote memory analysis and forensics over the network!
Open source memory forensics at scale in corporate Active Directory settings is now a real possibility!
MemProcFS Remoting can be run in two different modes:
- Remote File System Mode, in which all memory analysis takes place on the remote target with a memory bandwidth of GigaBytes/Second and only file system accesses are sent over the network. This is the recommended way to run MemProcFS Remoting.
- Local File System Mode, in which memory is pulled from the remote system over the network to the local system, which performs all analysis. This is more network intensive than Remote File System Mode and is limited by the network capacity.
MemProcFS Remoting depends on the LeechAgent service being installed on the remote computer. If both the local and remote computer are part of the same Active Directory domain and the minimal firewall opening (SMB, tcp/445) is in place, it is possible to remotely install the LeechAgent as a service on the remote computer. Once the LeechAgent service is installed it can be used for MemProcFS remoting. For information about how to install LeechAgent see the LeechAgent Install Wiki.
The user connecting must be an Administrator on the remote computer and must run MemProcFS from an elevated command prompt locally. Only connections from administrators are allowed, for security reasons!
`-remotefs`
Used in conjunction with the `-remote` command line option (below). Forces the memory analysis to be performed on the remote computer instead of on the local computer; files (and not memory) are retrieved from the remote computer. It is recommended to add the `-remotefs` parameter so that the memory analysis runs on the remote computer, maximizing performance and minimizing network load.
`-remote`
Specifies the protocol, authentication mechanism and the remote host (running the LeechAgent) to connect to. All connections are encrypted and compressed. Format:
`<protocol>://<authentication>:<hostname>[:<logon>]`
Protocol / connection mechanism to use:
- `smb` - connect over an SMB named pipe on port tcp/445.
- `rpc` - connect over RPC on port tcp/28473 (which must be open in firewalls).
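The RPC transport needs tcp/28473 reachable on the remote computer, and a rule that opens it to the whole network hands every host a path to the agent. The following is an added example (not part of LeechCore or LeechAgent) showing a firewall rule scoped to a single analyst workstation, plus the reachability check run from that workstation before attempting `-remote rpc://`. The IP address, rule name and host name are assumptions.

```powershell
# Added example, not LeechAgent project code. Run the first part as an
# administrator ON THE REMOTE computer (the one running LeechAgent).
$AnalystIp = '10.0.0.5'                       # assumed analyst workstation
$RuleName  = 'LeechAgent RPC (analyst only)'  # assumed rule name

# Allow tcp/28473 inbound only from the analyst host and only on the domain
# profile; nothing else on the network can reach the agent's RPC endpoint.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Protocol TCP -LocalPort 28473 `
        -RemoteAddress $AnalystIp -Profile Domain -Action Allow | Out-Null
}
# Show the effective address filter so the scope can be verified at a glance.
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter

# Run this part FROM THE ANALYST workstation: confirm the port answers before
# trying memprocfs.exe -remote rpc://... (host name is an assumption).
$Target = 'remotecomputer.contoso.com'
if (Test-NetConnection -ComputerName $Target -Port 28473 -InformationLevel Quiet) {
    Write-Host "tcp/28473 on $Target is reachable; rpc:// can be used."
} else {
    Write-Warning "tcp/28473 on $Target is blocked; use smb:// (tcp/445) or fix the firewall."
}
```

The SMB named pipe transport needs no extra rule on a domain member that already exposes tcp/445 for administrative shares, which is why the wiki recommends it as the default.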
Authentication mechanism to use:
- `<kerberos-spn>` - connect using Kerberos by specifying the Service Principal Name of the remote user running the LeechAgent. In service mode this is the remote computer account: if the computer is named `COMPUTER001` in the `CONTOSO.COM` Active Directory domain, the SPN is `COMPUTER001$@CONTOSO.COM`. Note that the account name is the computer's NetBIOS name (at most 15 characters) followed by `$`, which can be a truncated form of a longer DNS host name. Kerberos provides mutual authentication, so the client also verifies that it is talking to the genuine LeechAgent host.
- `ntlm` - connect using NTLMv2. This is acceptable but a bit less secure than Kerberos since no mutual authentication takes place.
- `insecure` - connect using no authentication. This is very insecure. LeechAgent does not allow this by default; it may optionally be allowed only when LeechAgent is running in interactive mode (not as a service).
`<hostname>` - the remote host name or IP address.
`<logon>` - optional and not recommended. Only use `logon` when connecting to a local administrator account on a non-domain-joined computer using NTLM; MemProcFS will then prompt for the credentials.
Example: Install LeechAgent on a remote computer and perform MemProcFS forensics on the remote computer at GigaBytes/Second:
- Prerequisites:
  - The local user is an administrator on the remote computer.
  - The local user has network access to the remote computer's `C$` share over SMB (tcp/445).
  - The LeechAgent zip is downloaded from the LeechCore releases section and unzipped.
- Install LeechAgent as a service on the remote computer: `leechagent.exe -remoteinstall infectedcomputer.evilcorp.evil`. In this example the remote computer is named `infectedcomputer` and is part of the `evilcorp.evil` domain.
- Connect with MemProcFS, performing remote memory forensics utilizing the WinPMEM driver to access memory at GB/s. Connect over the SMB named pipe (tcp/445). Perform mutual authentication using Kerberos, verifying the remote computer's computer account (the LeechAgent service runs as SYSTEM on the remote computer). Because NetBIOS names are limited to 15 characters, the computer account for the 16-character host name `infectedcomputer` is `infectedcompute$`, which is the SPN used below:
  `memprocfs.exe -device pmem -remote smb://infectedcompute$@evilcorp.evil:infectedcomputer.evilcorp.evil -remotefs -forensic 1`
Example: Perform memory analysis of a remote computer on the local computer over RPC (Local File System Mode):
- Prerequisites:
  - The remote computer allows connections to RPC (tcp/28473).
  - LeechAgent is already installed as a service (running as SYSTEM) on the remote computer.
- Connect with MemProcFS, performing the memory analysis of the remote computer on the local computer (pulling all memory over the network). Connect over RPC (tcp/28473). Use the current user's NTLM credentials to connect:
  `memprocfs.exe -device pmem -remote rpc://ntlm:remotecomputer.contoso.com`
Example: Perform remote memory forensics on a non-domain-joined computer using NTLM and a local administrator account:
- Prerequisites:
  - The remote computer allows connections to SMB (tcp/445).
  - LeechAgent is already installed as a service (running as SYSTEM) on the remote computer.
- Connect with MemProcFS, performing remote memory forensics utilizing the WinPMEM driver to access memory at GB/s. Connect over the SMB named pipe (tcp/445). Use NTLM and prompt for the credentials of the remote local administrator account:
  `memprocfs.exe -device pmem -remote smb://ntlm:192.168.1.35:logon -remotefs -forensic 1`
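The three examples above are typed by hand; the part that is easy to get wrong is the Kerberos SPN, since the computer account name is derived from the NetBIOS name and not from the DNS host name. The following PowerShell script is an added example (not part of MemProcFS or LeechCore) that ties the first example together end to end: it looks up the computer account's `sAMAccountName` in Active Directory, checks the prerequisites the wiki lists (elevation, tcp/445, `C$` access), optionally runs `leechagent.exe -remoteinstall`, and then launches MemProcFS in Remote File System Mode with Kerberos mutual authentication. The install paths and the target name are assumptions; the `-device`, `-remote`, `-remotefs`, `-forensic` and `-remoteinstall` flags are the ones documented on this page.

```powershell
#Requires -RunAsAdministrator
# Added example, not MemProcFS/LeechCore project code. Run from an elevated
# prompt on a domain-joined analyst workstation. Paths below are assumptions.
param(
    [Parameter(Mandatory)] [string] $TargetFqdn,                  # e.g. infectedcomputer.evilcorp.evil
    [string] $MemProcFs  = 'C:\Tools\MemProcFS\memprocfs.exe',    # assumed path
    [string] $LeechAgent = 'C:\Tools\LeechAgent\leechagent.exe',  # assumed path
    [switch] $Install                                             # run -remoteinstall first
)

if ($TargetFqdn -notmatch '^[^.]+\.[^.]+') { throw "Give a fully qualified host name, e.g. host.domain.tld" }
$hostLabel = $TargetFqdn.Split('.')[0]
$realm     = $TargetFqdn.Substring($hostLabel.Length + 1)        # DNS suffix == AD domain for a domain member

# 1. Kerberos SPN of the computer account: <sAMAccountName>@<domain>. The NetBIOS
#    name is capped at 15 characters, so 'infectedcomputer' becomes
#    'INFECTEDCOMPUTE$'; read it from AD rather than guessing from the FQDN.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=computer)(dNSHostName=$TargetFqdn))"
[void]$searcher.PropertiesToLoad.Add('sAMAccountName')
$result = $searcher.FindOne()
if (-not $result) { throw "No computer object with dNSHostName=$TargetFqdn in the current domain." }
$spn = '{0}@{1}' -f $result.Properties['samaccountname'][0], $realm
Write-Host "Computer account SPN: $spn"

# 2. Prerequisites from the wiki: tcp/445 reachable and the C$ share accessible
#    (-remoteinstall copies the agent binary there and creates the service).
if (-not (Test-NetConnection -ComputerName $TargetFqdn -Port 445 -InformationLevel Quiet)) {
    throw "tcp/445 to $TargetFqdn is not reachable."
}
if (-not (Test-Path "\\$TargetFqdn\C$")) {
    throw "No administrative access to \\$TargetFqdn\C$; the current user must be a local admin there."
}

# 3. Optional: install the LeechAgent service over SMB.
if ($Install) {
    & $LeechAgent -remoteinstall $TargetFqdn
    if ($LASTEXITCODE -ne 0) { throw "leechagent.exe -remoteinstall failed with exit code $LASTEXITCODE." }
}

# 4. Remote File System Mode over the SMB named pipe. Using the SPN (not 'ntlm')
#    gives mutual authentication: the agent host is verified, not just the user.
$remote = "smb://${spn}:${TargetFqdn}"
Write-Host "Starting MemProcFS with -remote $remote"
& $MemProcFs -device pmem -remote $remote -remotefs -forensic 1
```

Swapping `${spn}` for `ntlm` in the `$remote` string turns this into the second example's authentication (no mutual authentication), and dropping `-remotefs` pulls memory over the network instead of files, which is the Local File System Mode the wiki advises against where bandwidth matters.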
Sponsor PCILeech and MemProcFS:
PCILeech and MemProcFS are free and open source!
I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute by becoming a sponsor!
If you like what I've created with PCILeech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics and would like to give something back to support future development, please consider becoming a sponsor at: https://github.com/sponsors/ufrisk
Thank You 💖