-
-
Notifications
You must be signed in to change notification settings - Fork 104
LeechAgent_Install
⚠️ LeechAgent is only available on Windows. It is not possible to either install nor connect to an installed LeechAgent from Linux.
This wiki entry is about installing the LeechAgent as a service on a remote or local computer. For general information about the LeechAgent check out the wiki entry about the LeechAgent or the general project README.
The video below shows the process of installing the LeechAgent to a remote computer, connecting to it with MemProcFS to analyze and dump the memory while also connecting to it in parallel with PCILecch to submit a Python memory analysis script that make use of the MemProcFS API to analyze the remote CPU page tables for rwx-sections.
The LeechAgent supports both 32-bit and 64-bit Windows systems. The 64-bit LeechAgent is strongly recommended!
The LeechAgent may be downloaded from the LeechCore repository on Github. For ease of use the WinPMEM memory acquisition driver and remote MemProcFS are included from the start in the release download.
-
Python - download Windows x86-64 embeddable zip file from python.org and unzip its contents in the
LeechAgent\Python
sub-folder.
- Windows 7 or later.
- Bitness - it's not possible to install the 64-bit version of the LeechAgent on a 32-bit system.
- Administrative access - user running the LeechAgent installation is required to be an administrator on the remote computer. If installing on localhost the user is required to be an elevated administrator.
-
File share - Installation - access to the
C$
administrative file share. - Firewall openings - Installation - access to the service control manager (SCM) and file sharing is required for remote installation/uninstallation only. Please find example openings in the image below:
-
Firewall openings - Using: Access to the LeechAgent
tcp/445
ortcp/28473
is required. Please find an example opening oftcp/28473
in the image below. Note that if you connect over SMB -tcp/445
this firewall opening is not required.
It's possible to install the LeechAgent locally without copying the files to the default Program Files
folder. In order to copy files to the default Program Files
folder please follow the remote installation examples and set the remote computer to the local computer. Note! Installation towards the local computer must always happen as elevated administrator even if using the remote method.
Install the LeechAgent locally. The LeechAgent and its dependencies are already located on a non-removable fixed local drive - ideally C:
. The command must be run as elevated administrator.
LeechAgent.exe -install
It's possible to install the LeechAgent and its dependencies to a remote computer. To do so execute the command below (replace the remotehost.contoso.com
with your target computer of choice). The dependencies and requirements detailed in the above sections must be satisfied prior to executing the -remoteinstall
command.
LeechAgent.exe -remoteinstall remotehost.contoso.com
It's possible to update or uninstall a remote LeechAgent. The same requirements as for installation applies. Upgrading a LeechAgent is the same as first uninstalling it completely and then installing the new version.
Uninstall a remote LeechAgent by deleting the service and removing the files from the Program Files\LeechAgent
directory.
LeechAgent.exe -remoteuninstall remotehost.contoso.com
Uninstall a LeechAgent from the local computer by deleting its service but leaving any files intact on the file system. Command must be run as elevated administrator.
LeechAgent.exe -uninstall
Update a remote LeechAgent by first uninstalling the existing version and and then installing the new version.
LeechAgent.exe -remoteupdate remotehost.contoso.com
Sponsor PCILeech and MemProcFS:
PCILeech and MemProcFS is free and open source!
I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute by becoming a sponsor!
If you like what I've created with PCIleech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics and would like to give something back to support future development please consider becoming a sponsor at: /~https://github.com/sponsors/ufrisk
Thank You 💖