Ulf Frisk edited this page Feb 12, 2025 · 10 revisions

MemProcFS Remoting

MemProcFS Remoting allows for efficient remote memory analysis and forensics over the network!

Open source memory forensics at scale is now a real possibility!

MemProcFS Remoting can be run in two modes:

  1. Local File System Mode, in which memory is pulled from the remote system over the network to the local system, which performs all analysis. This mode is limited by network capacity.
  2. Remote File System Mode, in which all memory analysis takes place on the remote target at a memory bandwidth of gigabytes per second and only file system accesses are sent over the network. This is the recommended way to run MemProcFS Remoting.

⚠️ Remote File System Mode is only available when connecting to a remote Windows system. It is not supported by remote Linux systems, but the connecting system may be run on any platform.

LeechAgent

MemProcFS Remoting is dependent on the LeechAgent service being installed on the remote computer. The supported connection methods are:

| Protocol | Network Port | Type | Authentication | OS support | Description |
|---|---|---|---|---|---|
| smb:// | tcp/445 | MS-RPC | Insecure, Kerberos, NTLM | Windows | Connect using MS-RPC over SMB to a remote host. Both the MemProcFS client and the remote LeechAgent must run on Windows. |
| rpc:// | tcp/28473 | MS-RPC | Insecure, Kerberos, NTLM | Windows | Connect using MS-RPC to a remote host. Both the MemProcFS client and the remote LeechAgent must run on Windows. |
| grpc:// | tcp/28474 | gRPC | Insecure, mTLS (cert) | Windows, Linux | Connect using gRPC to a remote host. The file libleechgrpc.dll / libleechgrpc.so must exist alongside MemProcFS. |

If both the local and remote computers are part of the same Active Directory domain it's recommended to use MS-RPC, which is the default on Windows. With MS-RPC, authentication is built in and uses standard Windows credentials: the current account (Kerberos) or NTLM. The connecting user must be an Administrator on the remote computer and must run MemProcFS from an elevated command prompt locally. For security reasons, only connections from administrators are allowed!

It's also possible to use gRPC. gRPC is not enabled by default on the Windows LeechAgent. gRPC would be the primary choice when either connecting to a remote Linux-based LeechAgent or connecting to a Windows-based LeechAgent from Linux. gRPC requires the file libleechgrpc.dll (Windows) or libleechgrpc.so (Linux) which should be put alongside MemProcFS. It does not come pre-packaged in the default MemProcFS download, but it is found in the LeechAgent releases.

For information about how to install LeechAgent, see the LeechAgent Install Wiki.

Command Line arguments:

-remotefs

Used in conjunction with the -remote command line option. Forces the memory analysis to be performed on the remote computer instead of on the local computer; files (and not memory) are retrieved from the remote computer. It is recommended to add the -remotefs parameter so that the memory analysis runs on the remote computer, maximizing performance and minimizing network load. -remotefs is only available if the remote LeechAgent runs on Windows.

-remote

Specifies the protocol, authentication mechanism and the remote host (running the LeechAgent) to connect to. All connections are encrypted and compressed.

<protocol>://<authentication>:<hostname>:<options>

<protocol>

| Protocol | Connection mechanism to use |
|---|---|
| smb | Connect over an SMB named pipe on port tcp/445 using MS-RPC |
| rpc | Connect over the RPC port tcp/28473 (which must be open in firewalls) using MS-RPC |
| grpc | Connect using gRPC mTLS over port tcp/28474 (which must be open in firewalls) |

<authentication>

Server authentication to use.

MS-RPC (i.e. smb and rpc)

<kerberos-spn> - connect using Kerberos by specifying the Service Principal Name of the remote user running the LeechAgent. In service mode this is the remote computer account. If a computer is named COMPUTER001 in the CONTOSO.COM Active Directory domain, this would be COMPUTER001$@CONTOSO.COM.

ntlm - connect using NTLMv2. This is acceptable but a bit less secure than Kerberos since no mutual authentication takes place.

insecure - connect using no authentication. This is very insecure. LeechAgent does not allow this by default, but it may be optionally allowed only when LeechAgent is running in interactive mode (not as a service).

gRPC

When gRPC is used the value is the remote server certificate common name (CN). Often this is the same as the remote host name, in which case it can be left blank.

(blank) - Use the same value as <hostname>.

<remote-cert-cn> - Enforce this remote server certificate CN regardless of which <hostname> is specified. This may be useful if the remote certificate is broken and/or when connecting to an IP address directly.

<hostname>

The remote host name or IP address.

<options>

This parameter is optional. Comma-separated list of options. Options differ between MS-RPC and gRPC.

| Option | Protocol | Description |
|---|---|---|
| nocompress | smb, rpc, grpc | Don't compress traffic over the network (compression is otherwise the default). |
| port= | rpc, grpc | Connect using a non-standard TCP port. |
| logon | smb, rpc | Don't use the current user's credentials. Ask the user for credentials in a Windows credential prompt. Useful when connecting with a remote local account using NTLM. |
| user= | smb, rpc | Specify the username. Useful when connecting with a remote local account using NTLM. |
| password= | smb, rpc | Specify the password. Use together with the user= option. |
| server-cert= | grpc | File path to the remote TLS certificate of the gRPC LeechAgent, or to its CA certificate. |
| client-cert-p12= | grpc | File path to the .p12 / .pfx file containing the client certificate used for gRPC mTLS authentication. |
| client-cert-p12-password= | grpc | Password for the .p12 / .pfx file specified in the client-cert-p12= option. |

Example: Install LeechAgent on a remote computer and perform MemProcFS forensics on the remote computer at gigabytes per second:

  1. Prerequisites
  • The local user is an administrator on the remote computer.
  • The local user has network access to the remote computer's C$ share over SMB (tcp/445).
  2. The LeechAgent zip is downloaded from the LeechCore releases section and unzipped.
  3. Install LeechAgent as a service on the remote computer: leechagent.exe -remoteinstall infectedcomputer.evilcorp.evil. In this example the remote computer is named infectedcomputer and is part of the evilcorp.evil domain.
  4. Connect with MemProcFS and perform remote memory forensics using the WinPMEM driver, accessing memory at GB/s. Connect over an SMB named pipe (tcp/445). Perform mutual authentication using Kerberos, verifying the remote computer's computer account (the LeechAgent service runs as SYSTEM on the remote computer).

memprocfs.exe -device pmem -remote smb://infectedcomputer$@evilcorp.evil:infectedcomputer.evilcorp.evil -remotefs -forensic 1

Example: Connect to a remote computer using MS-RPC and NTLM, with memory analysis on the local computer:

  1. Prerequisites
  • The remote computer allows connections to RPC (tcp/28473).
  • LeechAgent is already installed as a service (running as SYSTEM) on the remote computer.
  2. Connect with MemProcFS and perform remote memory analysis of the remote computer on the local computer (pulling all memory over the network). Connect over RPC (tcp/28473). Use the current user's NTLM credentials to connect.

memprocfs.exe -device pmem -remote rpc://ntlm:remotecomputer.contoso.com

Example: Connect to a non-domain-joined computer using MS-RPC and NTLM, with memory analysis on the remote computer:

  1. Prerequisites
  • The remote computer allows connections to SMB (tcp/445).
  • LeechAgent is already installed as a service (running as SYSTEM) on the remote computer.
  2. Connect with MemProcFS and perform remote memory forensics using the WinPMEM driver, accessing memory at GB/s. Connect over an SMB named pipe (tcp/445). Use NTLM and prompt for the credentials of a local administrator account on the remote computer.

memprocfs.exe -device pmem -remote smb://ntlm:192.168.1.35:logon -remotefs -forensic 1

Example: Connect to an FPGA device on a remote Linux (or Windows) computer running the LeechAgent in gRPC mTLS mode.

  1. Prerequisites
  • The remote computer allows connections to gRPC (tcp/28474).
  • LeechAgent is already installed and started, provisioned with a server TLS certificate as well as the CA certificate of the trusted mTLS clients.
  • The file libleechgrpc.dll is added to the MemProcFS directory. Download it from the libleechgrpc repository.
  2. Connect with MemProcFS and perform remote memory forensics using the FPGA driver to access memory. The server certificate CN is mygrpchost. Connect over gRPC mTLS.

memprocfs.exe -device fpga -remote grpc://mygrpchost:192.168.1.35:server-cert=serverca.cer,client-cert-p12=mtls-client.p12,client-cert-p12-password=test

Example: Connect to an FPGA device on a remote Linux (or Windows) computer running the LeechAgent in gRPC INSECURE mode.

  1. Prerequisites
  • The remote computer allows connections to gRPC (tcp/28474).
  • The file libleechgrpc.dll is added to the MemProcFS directory. Download it from the libleechgrpc repository.
  2. Connect with MemProcFS and perform remote memory forensics using the FPGA driver to access memory.

memprocfs.exe -device fpga -remote grpc://insecure:192.168.1.35
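The -remote syntax (<protocol>://<authentication>:<hostname>:<options>), the per-protocol option table and the example command lines above are easy to get subtly wrong, for instance by passing a gRPC-only option to an smb:// connection or by leaving authentication blank where MS-RPC needs an SPN. The following is an added example, not code from MemProcFS or LeechAgent: a small Python parser that validates a -remote string against the rules stated on this page (default ports, which options each protocol accepts, which options take a value) and reports the authentication strength the page describes. The classification labels ("kerberos", "ntlm", "mtls", "insecure") and the audit messages are this example's own wording; the caveat about password= on the command line is a general observation, not something the page states.

```python
"""Parser and sanity checker for MemProcFS '-remote' connection strings.

Added example; not part of MemProcFS or LeechAgent. It implements the syntax
documented on the Remoting wiki page:

    <protocol>://<authentication>:<hostname>:<options>

Default ports and the option table come from that page. The audit labels and
messages are this example's own.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Default TCP ports per protocol (LeechAgent connection table).
DEFAULT_PORTS = {"smb": 445, "rpc": 28473, "grpc": 28474}

# Option name -> protocols that accept it (the <options> table).
OPTION_PROTOCOLS = {
    "nocompress": {"smb", "rpc", "grpc"},
    "port": {"rpc", "grpc"},
    "logon": {"smb", "rpc"},
    "user": {"smb", "rpc"},
    "password": {"smb", "rpc"},
    "server-cert": {"grpc"},
    "client-cert-p12": {"grpc"},
    "client-cert-p12-password": {"grpc"},
}
# Options written as key=value; the remaining ones are bare flags.
VALUE_OPTIONS = {"port", "user", "password", "server-cert",
                 "client-cert-p12", "client-cert-p12-password"}


@dataclass
class RemoteTarget:
    protocol: str
    authentication: str          # Kerberos SPN, 'ntlm', 'insecure', or gRPC server cert CN
    hostname: str
    options: Dict[str, Optional[str]] = field(default_factory=dict)

    @property
    def port(self) -> int:
        """Effective TCP port: the port= option if given, else the protocol default."""
        explicit = self.options.get("port")
        return int(explicit) if explicit else DEFAULT_PORTS[self.protocol]

    def auth_kind(self) -> str:
        """Coarse classification (example's own labels): insecure, ntlm, kerberos or mtls."""
        if self.authentication == "insecure":
            return "insecure"
        if self.protocol == "grpc":
            return "mtls"            # blank (CN = hostname) or an explicit server cert CN
        return "ntlm" if self.authentication == "ntlm" else "kerberos"


def parse_remote(value: str) -> RemoteTarget:
    """Parse '<protocol>://<authentication>:<hostname>[:<options>]'.

    Raises ValueError for an unknown protocol, a missing field, an unknown
    option, an option the protocol does not accept, or a flag/value mismatch.
    Commas inside option values are not supported by this simple comma split.
    """
    protocol, sep, rest = value.partition("://")
    if not sep or protocol not in DEFAULT_PORTS:
        raise ValueError(f"unsupported protocol {protocol!r}")
    fields = rest.split(":", 2)          # authentication, hostname, option list
    if len(fields) < 2 or not fields[1]:
        raise ValueError("expected <authentication>:<hostname>[:<options>]")
    auth, host = fields[0], fields[1]
    if protocol != "grpc" and not auth:
        raise ValueError("MS-RPC connections need an SPN, 'ntlm' or 'insecure'")
    options: Dict[str, Optional[str]] = {}
    if len(fields) == 3 and fields[2]:
        for item in fields[2].split(","):
            key, has_value, val = item.partition("=")
            if key not in OPTION_PROTOCOLS:
                raise ValueError(f"unknown option {key!r}")
            if protocol not in OPTION_PROTOCOLS[key]:
                raise ValueError(f"option {key!r} is not valid for {protocol}")
            needs_value = key in VALUE_OPTIONS
            if needs_value != bool(has_value):
                raise ValueError(f"option {key!r} {'needs a' if needs_value else 'takes no'} value")
            options[key] = val if has_value else None
    if "port" in options and not (options["port"] or "").isdigit():
        raise ValueError("port= must be numeric")
    return RemoteTarget(protocol, auth, host, options)


def is_valid_remote(value: str) -> bool:
    """True if the string parses under the rules above."""
    try:
        parse_remote(value)
        return True
    except ValueError:
        return False


def audit_remote(target: RemoteTarget) -> List[str]:
    """Defender-side findings about the chosen connection parameters."""
    findings: List[str] = []
    kind = target.auth_kind()
    if kind == "insecure":
        findings.append("no authentication; LeechAgent only permits this in interactive mode")
    elif kind == "ntlm":
        findings.append("NTLMv2 without mutual authentication; prefer a Kerberos SPN")
    if "password" in target.options:   # example's own caveat, not from the wiki page
        findings.append("password= on the command line ends up in process listings and shell history")
    if target.port != DEFAULT_PORTS[target.protocol]:
        findings.append(f"non-standard port {target.port}; make sure firewall rules match")
    return findings


if __name__ == "__main__":
    # Constructed inputs modelled on the page's examples.
    for s in ("rpc://ntlm:remotecomputer.contoso.com", "grpc://insecure:192.168.1.35"):
        t = parse_remote(s)
        print(s, "->", t.auth_kind(), "port", t.port, audit_remote(t))
```

Run it on a candidate -remote string before handing it to memprocfs.exe; a ValueError names the field or option that violates the documented syntax, and audit_remote lists what the page itself flags as weaker (insecure, NTLM) so a reviewer can see at a glance why a Kerberos SPN or gRPC mTLS would be preferable.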
