
LeechAgent

Ulf Frisk edited this page Aug 15, 2021 · 5 revisions

The LeechAgent

The LeechAgent is an agent that runs on a remote computer as a service (or as an ordinary program) and opens a listener on port tcp/28473. The LeechAgent exists for 32-bit and 64-bit Windows. The LeechAgent currently does not exist for non-Windows platforms.

The LeechAgent accepts, by default, incoming connections from clients whose users are administrators on the system running the LeechAgent. Mutual authentication and encryption are provided, by default, by Active Directory based Kerberos, making the user experience completely seamless.

An introduction demo is available on YouTube:

Simultaneous remote connections - PCILeech and MemProcFS

The LeechAgent allows for up to ten (10) simultaneous client connections from applications such as PCILeech and MemProcFS. Connected applications may access and dump physical memory of the system running the LeechAgent. It's possible for the LeechAgent to acquire memory using any acquisition method supported by the LeechCore library. The image below shows a MemProcFS instance connected to a remotely installed LeechAgent.

Execute remote memory analysis scripts on the LeechAgent host

Execute MemProcFS memory analysis scripts coded in Python on the remote LeechAgent host. Python analysis scripts submitted by remote clients are able to make use of the full MemProcFS Python API and the local physical memory of the host running the LeechAgent. This works extremely well for fast and efficient physical memory analysis even over high-latency, low-bandwidth connections. The scripts are executed in-memory and never touch disk on the remote system. The remote scripting capabilities currently exist only for the 64-bit version of the LeechAgent. The pictures below show a sample analysis script submitted to the remote LeechAgent for analysis.

Easy no-configuration installation

The video below shows the process of installing the LeechAgent on a remote computer, connecting to it with MemProcFS to analyze and dump the memory while also connecting to it in parallel with PCILeech to submit a Python memory analysis script that makes use of the MemProcFS API to analyze the remote CPU page tables for rwx-sections. Click on the video to open a higher-quality version on YouTube.


Please also see the blog entries below for more information about the LeechAgent and the earlier, less capable, version named the LeechService.

Installing the LeechAgent service

The default recommended way of running the LeechAgent is as a service. For information about installing it please visit the wiki entry about Installing the LeechAgent.

Interactive no-service mode

It's possible to run the LeechAgent in interactive non-service mode. If running in interactive mode the -insecure flag may optionally be specified.

Interactive mode is useful for testing, or if the DumpIt memory acquisition method is used to acquire live memory.

If running in insecure mode no authentication takes place - anyone with network access to the port tcp/28473 may connect and start acquiring memory. Also the connection between the client and server won't be encrypted over the network. Furthermore, no logging to the event log will take place. Insecure mode may be useful for testing or if the target computer is not a part of an active directory domain.

If using DumpIt or WinPMEM to acquire memory remember to start the application as elevated administrator.

Interactive Examples:

Start the LeechAgent as a stand-alone non-service executable in interactive mode using standard Kerberos-secured authentication.

  • LeechAgent.exe -interactive

Start the LeechAgent as a stand-alone non-service executable in interactive, insecure (no security) mode - allowing anyone with network access to port tcp/28473 to connect to acquire physical memory and also to execute arbitrary code as the current user.

  • LeechAgent.exe -interactive -insecure

Start the LeechAgent in interactive no-security mode using DumpIt - allowing anyone with network access to port tcp/28473 to connect to acquire physical memory and also to execute arbitrary code as the current user.

  • DumpIt.exe /LIVEKD /A LeechAgent.exe /C "-interactive -insecure"
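Because an agent started with -insecure accepts unauthenticated, unencrypted connections and writes nothing to the event log, an administrator auditing a host will want to find any such listener. The following PowerShell is an added example, not part of the LeechAgent project: it enumerates listening sockets on tcp/28473, resolves the owning process, and flags command lines carrying the -insecure flag described above (the function name Get-LeechAgentListener is an assumption for this example).

```powershell
# Added example (not LeechAgent project code): audit a Windows host for LeechAgent
# listeners on tcp/28473 and flag any process started with the -insecure flag.
# Run from an elevated PowerShell session so owning-process details resolve.

$LeechAgentPort = 28473   # default listener port documented on this page

function Get-LeechAgentListener {
    # One record per listening socket on the LeechAgent port, joined to its process.
    Get-NetTCPConnection -LocalPort $LeechAgentPort -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $conn = $_
            $proc = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($conn.OwningProcess)"
            # A service install runs as SYSTEM; interactive mode runs as the logged-on user.
            $owner = $null
            if ($proc) {
                $ownerInfo = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
                if ($ownerInfo.ReturnValue -eq 0) { $owner = "$($ownerInfo.Domain)\$($ownerInfo.User)" }
            }
            [pscustomobject]@{
                LocalAddress = $conn.LocalAddress
                LocalPort    = $conn.LocalPort
                ProcessId    = $conn.OwningProcess
                ProcessName  = $proc.Name
                RunAsUser    = $owner
                # Allow the flag to appear bare or inside quotes (DumpIt passes it via /C "...").
                Interactive  = [bool]($proc.CommandLine -match '(^|[\s"])-interactive([\s"]|$)')
                Insecure     = [bool]($proc.CommandLine -match '(^|[\s"])-insecure([\s"]|$)')
                CommandLine  = $proc.CommandLine
            }
        }
}

$listeners = Get-LeechAgentListener
if (-not $listeners) {
    Write-Output "No listener on tcp/$LeechAgentPort."
} else {
    $listeners | Format-Table LocalAddress, ProcessId, ProcessName, RunAsUser, Interactive, Insecure -AutoSize
    # -insecure: no Kerberos authentication, no encryption, no event-log entries, and
    # remote clients can run Python as the agent's user. Report it as a finding.
    $listeners | Where-Object Insecure | ForEach-Object {
        Write-Warning "PID $($_.ProcessId) ($($_.ProcessName)) listens in -insecure mode as $($_.RunAsUser): $($_.CommandLine)"
    }
}
```

A listener without the flag is the expected Kerberos-secured configuration; any hit on Insecure should be cross-checked against who started it and whether the host is domain-joined.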