Skip to content

Device_Remote

Ulf Frisk edited this page Oct 11, 2024 · 6 revisions

Remote Memory Acquisition

The LeechCore library supports connecting to a remote LeechAgent and then read and write memory by any of the supported acquisition methods.

Facts in short:

  • Is supported on 32-bit and 64-bit Windows.
  • Acquires memory in read-only or read/write mode - depending on remote acquisition method.
  • Acquired memory is assumed to be static or **volatile ** - depending on remote acquisition method.
  • Have additional requirements.

The remote functionality allows a LeechCore library to connect to a remote LeechCore library running inside a LeechAgent. All supported memory acquisition methods may be used remotely if the target system supports them and dependencies are met.

The connection takes place over mutually authenticated encrypted RPC secured by kerberos (port tcp/28473 by default. See the LeechAgent installation information. The connection also supports transport over SMB tcp/445.

If not running in an Active Directory domain security including authentication may be disabled by the user by specifying -insecure.

If not running in an Active Directory domain or when targeting a local administrator account a remote connection can be made over RPC using NTLM with a custom password prompt (less secure than the standard, but more secure than -insecure).

Compression of data is not enabled if any of the systems (client or server) is a Windows 7 system. Compression will automatically be disabled due to lack of support.

For more information check out this recent blog entry and this older blog entry.


Connection string:

LeechCore API:

Please specify the file name in LC_CONFIG.szRemote when calling LcCreate. Please note that LC_CONFIG.szDevice should also be specified. The format for LC_CONFIG.szRemoteis rpc://<spn>:<host> where spn denotes the kerberos service principal name SPN of the user running the remote LeechAgent (or insecure).

PCILeech / MemProcFS:

Please specify the file name in the -remote option.

Examples:

-remote rpc://insecure:ad-test.ad.example.org

-remote "rpc://ad-test$@AD.EXAMPLE.ORG:ad-test.ad.example.org"

-remote "smb://ad-test$@AD.EXAMPLE.ORG:ad-test.ad.example.org"

-remote rpc://ntlm:standalone-server.example.org:logon


Requirements:

A remote LeechAgent must exist and be running in either service or interactive mode. See individual acquisition methods for any additional requirements. Also consult the guide for the LeechAgent.