
Device_Remote

Ulf Frisk edited this page Oct 11, 2024 · 6 revisions

Remote Memory Acquisition

The LeechCore library supports connecting to a remote LeechAgent and then reading and writing memory through any of the supported acquisition methods.

Facts in short:

  • Is supported on 32-bit and 64-bit Windows.
  • Acquires memory in read-only or read/write mode - depending on the remote acquisition method.
  • Acquired memory is assumed to be static or **volatile** - depending on the remote acquisition method.
  • Has additional requirements.

The remote functionality allows a LeechCore library to connect to a remote LeechCore library running inside a LeechAgent. All supported memory acquisition methods may be used remotely if the target system supports them and dependencies are met.

The connection takes place over mutually authenticated, encrypted RPC secured by Kerberos (port tcp/28473 by default; see the LeechAgent installation information). The connection also supports transport over SMB (tcp/445).

If not running in an Active Directory domain, security (including authentication) may be disabled by the user by specifying -insecure.

If not running in an Active Directory domain, or when targeting a local administrator account, a remote connection can be made over RPC using NTLM with a custom password prompt (less secure than the standard Kerberos connection, but more secure than -insecure).

Compression of data is not enabled if either system (client or server) is running Windows 7; compression is disabled automatically because Windows 7 lacks support for it.

For more information check out this recent blog entry and this older blog entry.


Connection string:

LeechCore API:

Please specify the remote connection string in LC_CONFIG.szRemote when calling LcCreate. Please note that LC_CONFIG.szDevice should also be specified. The format for LC_CONFIG.szRemote is rpc://<spn>:<host> where spn denotes the Kerberos service principal name (SPN) of the user running the remote LeechAgent (or insecure).

PCILeech / MemProcFS:

Please specify the remote connection string in the -remote option.

Examples:

-remote rpc://insecure:ad-test.ad.example.org

-remote "rpc://[email protected]:ad-test.ad.example.org"

-remote "smb://[email protected]:ad-test.ad.example.org"

-remote rpc://ntlm:standalone-server.example.org:logon
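The following is an added example, not code from the LeechCore project, that parses the connection strings shown above into their transport, authentication mode and host, and reports which of the documented modes weaken the connection (insecure disables authentication and encryption; ntlm is weaker than the Kerberos default). The grammar is inferred from the examples on this page: rpc://<spn>:<host>, smb://<spn>:<host>, rpc://insecure:<host> and rpc://ntlm:<host>:logon; treating the trailing :logon purely as a password-prompt flag is an assumption, and the default ports are the tcp/28473 (RPC) and tcp/445 (SMB) values stated above. The hostnames and SPN used in the usage call are constructed sample values.

```python
"""Parse and classify LeechCore -remote / LC_CONFIG.szRemote strings.

Added example, not part of LeechCore. Grammar inferred from this page:
  rpc://<spn>:<host>          Kerberos-authenticated RPC (default)
  smb://<spn>:<host>          same, transported over SMB (tcp/445)
  rpc://insecure:<host>       authentication and encryption disabled
  rpc://ntlm:<host>:logon     NTLM with a custom password prompt
The ":logon" suffix being a plain flag is an assumption.
"""
from dataclasses import dataclass
from typing import List, Optional

# Default ports as documented on the page.
DEFAULT_PORTS = {"rpc": 28473, "smb": 445}


@dataclass(frozen=True)
class RemoteTarget:
    transport: str            # "rpc" or "smb"
    auth: str                 # "kerberos", "ntlm" or "insecure"
    spn: Optional[str]        # Kerberos SPN of the LeechAgent account
    host: str                 # LeechAgent host
    port: int                 # default port for the transport
    password_prompt: bool     # NTLM ":logon" form


def parse_remote(value: str) -> RemoteTarget:
    """Split a connection string into its parts; raise ValueError on junk."""
    scheme, sep, rest = value.partition("://")
    if not sep or scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported transport in {value!r}")
    parts = rest.split(":")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError(f"expected <spn>:<host> in {value!r}")
    principal, host, extra = parts[0], parts[1], parts[2:]

    if principal == "insecure":
        auth, spn, prompt = "insecure", None, False
    elif principal == "ntlm":
        auth, spn, prompt = "ntlm", None, extra == ["logon"]
    else:
        # Anything else is taken as the Kerberos SPN of the agent account.
        auth, spn, prompt = "kerberos", principal, False

    # Only the documented ntlm ":logon" suffix is accepted as extra data.
    if extra and not prompt:
        raise ValueError(f"unexpected suffix {':'.join(extra)!r} in {value!r}")
    return RemoteTarget(scheme, auth, spn, host, DEFAULT_PORTS[scheme], prompt)


def security_findings(target: RemoteTarget) -> List[str]:
    """Return the weakening properties of a parsed target (empty = Kerberos)."""
    findings = []
    if target.auth == "insecure":
        findings.append("authentication and encryption disabled (-insecure)")
    if target.auth == "ntlm":
        findings.append("NTLM password authentication; weaker than Kerberos mutual auth")
    return findings


def review(values: List[str]) -> List[str]:
    """Produce one human-readable line per connection string."""
    lines = []
    for value in values:
        t = parse_remote(value)
        notes = security_findings(t) or ["Kerberos mutual authentication"]
        lines.append(f"{value} -> {t.transport}/{t.port} {t.host}: {'; '.join(notes)}")
    return lines


if __name__ == "__main__":
    # Constructed sample strings following the formats documented above.
    for line in review([
        "rpc://insecure:ad-test.ad.example.org",
        "rpc://leechagent-svc@AD.EXAMPLE.ORG:ad-test.ad.example.org",
        "smb://leechagent-svc@AD.EXAMPLE.ORG:ad-test.ad.example.org",
        "rpc://ntlm:standalone-server.example.org:logon",
    ]):
        print(line)
```

Running the block prints one line per string; a deployment checklist can call parse_remote and security_findings directly to refuse insecure targets outside of lab use.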


Requirements:

A remote LeechAgent must exist and be running in either service or interactive mode. See individual acquisition methods for any additional requirements. Also consult the guide for the LeechAgent.