-
-
Notifications
You must be signed in to change notification settings - Fork 106
Home
Welcome to the Wiki and Guide for the LeechCore library and the LeechService remote memory acquisition service! In addition to this guide please check out the project README for general information.
For individual guide items please have a look at the sidebar to the right.
The LeechCore library is a physical memory acquisition library used by other applications such as The Memory Process File System. The LeechCore library exists for Windows as a .dll and for Linux as a .so. Some features such as the remote connection capability as well as the DumpIt/WinPMEM/Hyper-V Saved State functionality only exists in the Windows version of the library - while other functionality such as File/USB3380/FPGA/iLO exists in both versions of the library.
The LeechCore library does not exist as a stand-alone component. The LeechCore is only meant to be included in other applications. The supported devices and their connection options are however documented in this wiki.
A separate LeechService application exists for Windows.
The service exposes the LeechCore library API via a remote RPC connection secured by mutually authenticated Kerberos (if running in an Active Directory environment). It is also possible to optionally run the LeechService in an insecure unauthenticated mode.
Start the LeechService in either interactive mode or in service mode to allow for remote users of the LeechCore library to connect to the LeechService and use any of the supported memory acquisition methods transparently and remotely.
Components using the LeechCore library - such as The Memory Process File System is working fairly well even over low-bandwidth high-latency (up to 100ms).
Software based memory acquisition methods:
Please find a summary of the supported software based memory acquisition methods listed below. Please note that the LeechService only provides a network connection to a remote LeechCore library. It's possible to use both hardware and software based memory acquisition once connected.
| Device | Type | Volatile | Write | Linux Support |
|---|---|---|---|---|
| RAW physical memory dump | File | No | No | Yes |
| Full Microsoft Crash Dump | File | No | No | Yes |
| Hyper-V Saved State | File | No | No | No |
| TotalMeltdown | CVE-2018-1038 | Yes | Yes | No |
| DumpIt /LIVEKD | Live Memory | Yes | No | No |
| WinPMEM | Live Memory | Yes | No | No |
| LeechService* | Remote | No |
Hardware based memory acquisition methods:
Please find a summary of the supported hardware based memory acquisition methods listed below. All hardware based memory acquisition methods are supported on both Windows and Linux. The FPGA based methods however sports a slight performance penalty on Linux and will max out at approx: 90MB/s compared to 150MB/s on Windows.
| Device | Type | Interface | Speed | 64-bit memory access | PCIe TLP access |
|---|---|---|---|---|---|
| AC701/FT601 | FPGA | USB3 | 150MB/s | Yes | Yes |
| PCIeScreamer | FPGA | USB3 | 100MB/s | Yes | Yes |
| SP605/FT601 | FPGA | USB3 | 75MB/s | Yes | Yes |
| SP605/TCP | FPGA | TCP/IP | 100kB/s | Yes | Yes |
| USB3380-EVB | USB3380 | USB3 | 150MB/s | No | No |
| PP3380 | USB3380 | USB3 | 150MB/s | No | No |
| DMA patched HP iLO | TCP/IP | TCP | 1MB/s | Yes | No |
Sponsor PCILeech and MemProcFS:
PCILeech and MemProcFS is free and open source!
I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute by becoming a sponsor!
If you like what I've created with PCIleech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics and would like to give something back to support future development please consider becoming a sponsor at: https://github.com/sponsors/ufrisk
Thank You 💖