The LeechCore Memory Acquisition Library focuses on Physical Memory Acquisition using various hardware and software based methods.
Use the LeechCore library locally or connect to, over the network, a LeechAgent to acquire physical memory or run commands remotely. The connection is by default compressed and secured with mutually authenticated kerberos - making it ideal in incident response when combined with analysis and live memory capture using Comae DumpIt or WinPMEM - even over high latency low-bandwidth connections!
The LeechCore library is used by PCILeech and The Memory Process File Sys 8000 tem (MemProcFS).
The LeechCore library is supported on 32/64-bit Windows (.dll) and 64-bit Linux (.so). No executable exists for LeechCore - the library is always loaded by other applications using it - such as PCILeech and The Memory Process File System MemProcFS.exe.
For detailed information about individual memory acquisition methods or the LeechCore API please check out the LeechCore wiki.
Please find a summary of the supported software based memory acquisition methods listed below. Please note that the LeechAgent only provides a network connection to a remote LeechCore library. It's possible to use both hardware and software based memory acquisition once connected.
| Device | Type | Volatile | Write | Linux Support | Plugin |
|---|---|---|---|---|---|
| RAW physical memory dump | File | No | No | Yes | No |
| Full Microsoft Crash Dump | File | No | No | Yes | No |
| Full ELF Core Dump | File | No | No | Yes | No |
| VMware memory save file | File | No | No | Yes | No |
| TotalMeltdown | CVE-2018-1038 | Yes | Yes | No | No |
| DumpIt /LIVEKD | Live Memory | Yes | No | No | No |
| WinPMEM | Live Memory | Yes | No | No | No |
| LiveKd | Live Memory | Yes | No | No | No |
| LiveCloudKd | Live Memory | Yes | No | No | Yes |
| Hyper-V Saved State | File | No | No | No | Yes |
| LeechAgent* | Remote | No | No |
Please find a summary of the supported hardware based memory acquisition methods listed below. All hardware based memory acquisition methods are supported on both Windows and Linux. The FPGA based methods however have a performance penalty on Linux and will max out at approx: 90MB/s compared to 150MB/s on Windows due to less optimized drivers.
| Device | Type | Interface | Speed | 64-bit memory access | PCIe TLP access | Plugin |
|---|---|---|---|---|---|---|
| AC701/FT601 | FPGA | USB3 | 150MB/s | Yes | Yes | No |
| ScreamerM2 | FPGA | USB3 | 150MB/s | Yes | Yes | No |
| PCIeScreamer | FPGA | USB3 | 100MB/s | Yes | Yes | No |
| SP605/FT601 | FPGA | USB3 | 75MB/s | Yes | Yes | No |
| NeTV2/UDP | FPGA | UDP | 7MB/s | Yes | Yes | No |
| USB3380-EVB | USB3380 | USB3 | 150MB/s | No | No | No |
| PP3380 | USB3380 | USB3 | 150MB/s | No | No | No |
| SP605/TCP | FPGA | TCP | 100kB/s | Yes | Yes | Yes |
| DMA patched HP iLO | BMC | TCP | 1MB/s | Yes | No | Yes |
The LeechAgent Memory Acquisition and Analysis Agent exists for Windows only. It allows users of the LeechCore library (PCILeech and MemProcFS) to connect to remotely installed LeechAgents over the network. The connection is secured, by default, with mutually authenticated encrypted kerberos.
Once connected physical memory may be acquired over the secure compressed connection. Memory analysis scripts, written in Python, may also be submitted for remote processing by the LeechAgent.
The LeechAgent authenticates all incoming connections against membership in the Local Administrators group. The clients must also authenticate the agent itself against the SPN used by the agent - please check the Application Event Log for information about the SPN and also successful authentication events against the agent.
There is also a possibility to run the LeechAgent in interactive mode (as a normal program). If run in interactive mode a user may also start the LeechAgent in "insecure" mode - which means no authentication or logging at all.
The LeechAgent listens on the port tcp/28473 - please ensure network connectivity for this port in the firewall. Also, if doing live capture ensure that LeechAgent (if running in interactive mode) is started as an administrator.
For more information please check the LeechCore wiki and the blog entry about remote live memory capture with the LeechAgent.
The video below shows the process of installing the LeechAgent to a remote computer, connecting to it with MemProcFS to analyze and dump the memory while also connecting to it in parallel with PCILecch to submit a Python memory analysis script that make use of the MemProcFS API to analyze the remote CPU page tables for rwx-sections. Click on the video to open a higher-quality version on Youtube.
Examples:
Installing the LeechAgent on the local system (run as elevated administrator)'. Please ensure that the LeechAgent.exe is on the local C: drive before installing the agent service. Please also ensure that dependencies such as required .dll and/or .sys files (and optional Python sub-subfolder) are put in the same directory as the LeechAgent before running the install command.
LeechAgent.exe -install
Installing the LeechAgent on a remote system (or on the local system) in the Program Files\LeechAgent folder. An Actice Directory environment with remote access to the Service Manager of the target system is required. For additional information see the wiki entry about installing LeechAgent.
LeechAgent.exe -remoteinstall <remotecomputer.contoso.com>
Uninstall an existing, locally installed, LeechAgent. The agent service will be uninstalled but any files will remain.
LeechAgent.exe -uninstall
Uninstall a LeechAgent from a remote system and delete the Program Files\LeechAgent folder.
LeechAgent.exe -remoteuninstall <remotecomputer.contoso.com>
Start the LeechAgent in interactive mode only accepting connections from administative users over kerberos-secured connections. Remember to start as elevated administrator if clients accessing LeechAgent should load WinPMEM to access live memory.
LeechAgent.exe -interactive
Start the LeechAgent in interactive insecure mode - accepting connections from all clients with access to port tcp/28473. NB! unauthenticated clients may dump memory and submit Python scripts running as SYSTEM. Use with care for testing only!
LeechAgent.exe -interactive -insecure
Start the LeechAgent in interactive mode with DumpIt LIVEKD to allow connecting clients to access live memory. Start as elevated administrator. Only accept connections from administative users over kerberos-secured connections.
DumpIt.exe /LIVEKD /A LeechAgent.exe /C -interactive
Start the LeechAgent in interactive mode with DumpIt LIVEKD to allow connecting clients to access live memory. Start as elevated administrator. Accept connections from all clients with access to port tcp/28473 without any form of authentication.
DumpIt.exe /LIVEKD /A LeechAgent.exe /C "-interactive -insecure"
Pre-built binaries, modules and configuration files are found in the latest release. Build instructions are found in the Wiki in the Building section.
PCILeech, MemProcFS and LeechCore are open source but not open contribution. PCILeech, MemProcFS and LeechCore offers a highly flexible plugin architecture that will allow for contributions in the form of plugins. If you wish to make a contribution, other than a plugin, to the core projects please contact me before starting to develop.
PCILeech and MemProcFS are hobby projects of mine. I put a lot of time and energy into my projects. The time being most of my spare time - since I'm not able to work with this. Unfortunately since some aspects also relate to hardware I also put quite some of money into my projects. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute.
Please do note that PCILeech and MemProcFS are free and open source - as such I'm not expecting donations; even though a donation would be very much appreciated. I'm also not able to promise product features, consultancy or other things in return for a donation. A donation will have to stay donation and no more. I'll set up the Github sponsors as soon as I'm able to; but for now it's possible to contribute with:
- Paypal:
paypal@ulffrisk.com - Bitcoin:
bc1q9kur5pym8wmh5yxkf65792rdqm0guncd2gl4tu
- Twitter:
- Discord:
- PCILeech: https://github.com/ufrisk/pcileech
- PCILeech FPGA: https://github.com/ufrisk/pcileech-fpga
- LeechCore: https://github.com/ufrisk/LeechCore
- MemProcFS: https://github.com/ufrisk/MemProcFS
- YouTube: https://www.youtube.com/channel/UC2aAi-gjqvKiC7s7Opzv9rg
- Blog: http://blog.frizk.net
PCILeech and MemProcFS are hobby projects of mine. I put a lot of time and energy into my projects. The time being most of my spare time - since I'm not able to work with this. Unfortunately since some aspects also relate to hardware I also put quite some of money into my projects. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute.
Please do note that PCILeech and MemProcFS are free and open source - as such I'm not expecting sponsorships; even though a sponsorship would be very much appreciated. I'm also not able to promise product features, consultancy or other things in return for a donation. A sponsorship will have to stay a sponsorship and no more. It's possible to sponsor via Github Sponsors.
- Github Sponsors:
https://github.com/sponsors/ufrisk
v1.0-1.8
- Initial Release and various updates. Please see individual relases for more information.
- API: New handle based API to support multiple concurrent open devices.
NB! API contains breaking changes compared to v1.x API versions. - FPGA related performance improvements and bug fixes.
- New features:
- AMD support.
- User-settable physical memory map.
- External device plugins - see the LeechCore-plugin project for details.
- Sysinternals LiveKd Hyper-V VM-introspection (slow).
- Bug fixes.
- Support for LiveCloudKd.
- Bug fixes.
- Minor API additions.
- FPGA: R/W "shadow" config space (requires v4.9+ bitstream).
- LeechAgent: Full multi-device support.