Friday, April 5, 2019

Introducing the LeechAgent

The LeechAgent is a 100% free open source endpoint solution geared towards remote physical memory acquisition and analysis on Windows endpoints in Active Directory environments.

The LeechAgent provides an easy, but yet high performant and secure, way of accessing and querying the physical memory (RAM) of a remote system. Mount the remote memory with MemProcFS as an easy point-and-click file system - perfect for quick and easy triage. Dump the memory over the network with PCILeech. Query the physical memory using the MemProcFS Python API by submitting analysis scripts to the remote host! Do all of the above simultaneously.

Physical memory analysis have many advantages - a main one being able to analyze the state of a system independently from the, potentially compromised, system APIs.

The video below shows how easy it is to install the LeechAgent service on a remote computer and then using it to mount MemProcFS, dump physical memory and submit Python analysis scripts using the MemProcFS API to the remote LeechAgent.

The LeechAgent offers security and simplicity. Security is built transparently upon built-in Windows functionality. Only administrators are allowed to connect. Other authentication mechanisms does not exist. This simplicity means that there is no need to create users, provision certificates or set up authentication mechanisms to use the LeechAgent. Everything required for security is already there without any configuration!

Using the LeechAgent
The LeechAgent allows up to 10 simultaneously connected clients to remotely acquire physical memory and execute code in the form of Python analysis scripts with access to the MemProcFS API. Use command-line PCILeech or file-system based MemProcFS to dump the physical memory from the remote computer running the LeechAgent. Use the MemProcFS file system and/or API to quickly analyze the memory of the remote computer.
Using MemProcFS to mount the physical memory of the remote computer as a File System - enabling quick and easy access to remote physical memory with your favorite tools - or just for taking a quick look.
Acquring memory from the remote computer running the LeechAgent works fairly well even over medium-bandwidth medium-latency network connections. It may also be desirable to execute a Python memory analysis script accessing the MemProcFS API directly on the remote computer. The LeechAgent will upon receival of a script automatically spawn an embedded Python environment and execute the script. The Python analysis script will never touch disk on the target system.

This approach has many advantages. The main advantage is that physical memory may be accessed locally on the remote system - completely eliminating bandwidth and latency issues - making it ideal for physical memory analysis even over low-bandwith and highly laggy networks. Also since workload is shifted to the LeechAgent scripts may be run simultaneous on a large number of hosts - for example in an incident response scenario.

More information about the MemProcFS Python API is available in the MemProcFS wiki.

Consider you have a Python script looking for read-write-execute sections in user-mode applications by analyzing physical memory. This may be useful for some kinds of malware. Please note that rwx-sections may also exist in legit applications in some cases.

The script retrieves process information for all processes and then iterates over each process and will retrieve its memory map by walking the CPU page tables.
Sample Python script making use of the VmmPy MemProcFS API to analyze memory.
Submit the Python memory analysis script to the remote LeechAgent with PCILeech and wait for the result. The LeechAgent will capture all output written to the console by the submitted analysis script.
Submitting the analysis script to the remote LeechAgent and waiting for the result.
If anything should go wrong with the analysis script - for example if it should happen to contain a never ending loop execution will automatically be aborted after two minutes. In rare cases it may also be a good idea to disconnect all clients from the remote LeechAgent and wait a few minutes for it to clean up any problematic jobs.

Installing the LeechAgent
The LeechAgent supports both 32-bit and 64-bit Windows systems. The 32-bit version will work on both 32-bit and 64-bit systems - but in limited mode without the ability to process memory analysis scripts on the remote host. The 64-bit LeechAgent is strongly recommended!

The LeechAgent may be downloaded from the LeechCore repository on Github. The 64-bit version of the LeechAgent is located in LeechCore/files/agent/x64. The LeechAgent have dependencies on Python for analysis and WinPMEM for memory dumping. DumpIt may also be used for memory dumping if running in interactive (non-service) mode.

Target system requirements:
  • Windows 7 or later.
  • Bitness - it's not possible to install the 64-bit version of the LeechAgent on a 32-bit system.
  • Active Directory environment: if installing as a service. (In lab environments it's possible to execute LeechAgent in an unauthenticated insecure mode which does not rely on Active Directory for authentication).
  • Administrative access: user running the LeechAgent installation is required to be an administrator on the remote computer. If installing on localhost the user is required to be an elevated administrator.
  • File share - Installation: access to the C$ administrative file share.
  • Firewall openings - Installation: Access to the service control manager (SCM) and File sharing is required for installation only.
  • Firewall openings - Using: Access to the LeechAgent or tcp/28473 is required.
Windows firewall rules recommended for remote LeechAgent installation.
Windows Firewall rule for the LeechAgent endpoint - tcp/28473.

Installation is easy - run the command:

LeechAgent.exe -remoteinstall <remote_computer_name>

The LeechAgent and its dependencies will be copied to the Program Files\LeechAgent directory of the remote host. Uninstallation is possible in a similar way but with the -remoteuninstall command.

Security and Authentication
The primary design goal of the LeechAgent is to keep it simple and secure.

The LeechAgent relies exclusively on built-in Windows functionality for Kerberos authentication of connecting clients. Only remote users with administrative privileges on the computer running the LeechAgent are allowed to connect. In addition to this the connecting client is also required, by default, to verify the authenticity of the LeechAgent by supplying the Kerberos SPN of the user that runs the LeechAgent. This is usually the Active Directory computer account.
Connecting client mutually authenticates the remote LeechAgent user for additional security.

The RPC connection between connecting client and the remote LeechAgent is secured by mutually authenticated Kerberos and is also encrypted using built-in Windows functionality also relying on Kerberos.The connection is also compressed if both client and server is running on Windows 10.

Connecting clients are logged to the Application Event Log the computer running the LeechAgent.
The connecting user is logged to the Application Event Log by the LeechAgent.

Note! The LeechAgent allows authenticated remote administrators to both access physical memory and run arbitrary code as SYSTEM on the computer running the LeechAgent. This is by design. Since only administrators are allowed to connect this is not a security issue.

Note! It's also possible possible to run the LeechAgent without any form of authentication in interactive mode only. This is not recommended and should only be used in otherwise secure lab environments.

The Future
The primary design goal is to keep the LeechAgent secure, simple and easy to use. As such it's not likely that more authentication mechanisms or supported operating systems will be added in the near future. For now built-in Kerberos-based Windows authentication is suficient.

The MemProcFS Python API, while fast and powerful, is still somewhat limited. New and extended API functionality is a priority.

Also further optimizations of memory dumping will be looked into.

The MemProcFS Python API is already fast - the underlying multi-threaded native C analysis library is amazingly fast - but things may always be improved. Additional performance optimizations are planned.

Links and Additional information
The LeechAgent, PCILeech and MemProcFS are available for free on Github and are all licensed as Open Source GPLv3. Please find the projects below:
LeechAgent and LeechCore

Wednesday, February 6, 2019

Remote LIVE Memory Analysis with The Memory Process File System v2.0

This blog entry aims to give an introduction to The Memory Process File System and show how easy it is to do high-performant memory analysis even from live remote systems over the network.

This and much more is presented in my BlueHatIL 2019 talk on February 6th.

Connect to a remote system over the network over a kerberos secured connection. Acquire only the live memory you require to do your analysis/forensics - even over medium latency/bandwidth connections.

An easy to understand file system user interface combined with continuous background refreshes, made possible by the multi-threaded analysis core, provides an interesting new different way of performing incident response by live memory analysis.

Analyzing and Dumping remote live memory with the Memory Process File System.
The image above shows the user staring MemProcFS.exe with a connection to the remote computer and with the DumpIt live memory acquisition method. it is then possible to analyze live memory simply by clicking around in the file system. Dumping the physical memory is done by copying the pmem file in the root folder.

The Memory Process File System was released for PCILeech in March 2018, supporting 64-bit Windows, and was used to find the Total Meltdown / CVE-2018-1038 page table permission bit vulnerability in the Windows 7 kernel. People have also used it to cheat in games - primarily cs:go using it via the PCILeech API.

The Memory Process File System was released as a stand-alone project focusing exclusively on memory analysis in November 2018. The initial release included both APIs and Plugins for C/C++ and a Python. Support was added soon thereafter for 32-bit memory models and Windows support was expanded as far back as Windows XP.

What is new?
Version 2.0 of The Memory Process File System marks a major release that was released in conjunction with the BlueHatIL 2019 talk Practical Uses for Hardware-assisted Memory Visualization.

New functionality includes:
  • A new separate physical memory acquisition library - the LeechCore.
  • Live memory acquisition with DumpIt or WinPMEM.
  • Remote memory capture via a remotely running LeechService.
  • Support from Microsoft Crash Dumps and Hyper-V save files.
  • Full multi-threaded support in the memory analysis library.
  • Major performance optimizations.
The combination live memory capture via Comae DumpIt, or WinPMEM, and secure remote access may be interesting both for convenience and incident-response. It even works remarkably well over medium latency- and bandwidth connections.

The LeechCore library
The LeechCore library, focusing exclusively on memory acquisition, is released as a standalone open source project as a part of The Memory Process File System v2 release. The LeechCore library abstracts memory acquisition from analysis and makes things more modular and easier to re-use. The library supports multiple memory acquisition methods - such as:
  • Hardware: USB3380, PCILeech FPGA and iLO
  • Live memory: Comae DumpIt and WinPMEM
  • Dump files: raw memory dump files, full crash dump files and Hyper-V save files.
The LeechCore library also allows for transparently connecting to a remote LeechService running on a remote system over a compressed mutually authenticated RPC connection secured by Kerberos. Once connected any of the supported memory acquisition methods may be used.

The LeechService
The LeechService may be installed as a service with the command LeechSvc.exe install. Make sure all necessary dependencies are in the folder of leechsvc.exe - i.e. leechcore.dll and att_winpmem_64.sys (if using winpmem). The LeechService will write an entry, containing the kerberos SPN to the application event log once started provided that the computer is a part of an Active Directory domain.
The LeechService is installed and started with the Kerberos SPN: book-test$@AD.FRIZK.NET
Now connect to the remote LeechService with The Memory Process File System - provided that the port 28473 is open in the firewall. The connecting user must be an administrator on the system being analyzed. An event will also be logged for each successful connection. In the example below winpmem is used.
Securely connected to the remote system - acquiring and analyzing live memory.
It's also possible to start the LeechService in interactive mode. If starting it in interactive mode it can be started with DumpIt to provide more stable memory acquisition. It may also be started in insecure no-security mode - which may be useful if the computer is not joined to an Active Directory domain.
Using DumpIt to start the LeechSvc in interactive insecure mode.
If started in insecure mode everyone with access to port 28473 will be able to connect and capture live memory. No logs will be written. The insecure mode is not available in service mode. It is only recommended in secure environments in which the target computer is not domain joined. Please also note that it is also possible to start the LeechService in interactive secure mode.

To connect to the example system from a remote system specify:
MemProcFS.exe -device dumpit -remote rpc://insecure:<address_of_remote_system>

How do I try it out?
Yes! - both the Memory Process File System and the LeechService is 100% open source.
  1. Download The Memory Process File System from Github - pre-built binaries are found in the files folder. Also, follow the instructions to install the open source Dokany file system.
  2. Download the LeechService from Github - pre-built binaries with no external dependencies are found in the files folder. Please also note that you may have to download Comae DumpIt or WinPMEM (download and copy .sys driver file to directory of MemProcFS.exe) to acquire live memory.

The Future
Please do keep in mind that this is a hobby project. Since I'm not working professionally with this future updates may take time and are also not guaranteed.

The Memory Process File System and the LeechCore is already somewhat mature with its focus on fast, efficient, multi-threaded live memory acquisition and analysis even though current functionality is somewhat limited.

The plan for the near future is to add additional core functionality - such as page hashing and PFN database support. Page hashing will allow for more efficient remote memory acquisition and better forensics capabilities. PFN database support will strengthen virtual memory support in general.

Also, additional and more efficient analysis methods - primarily in the form of new plugins will also be added in the medium future.

Support for additional operating systems, such as Linux and macOS is a long-term goal. It shall however be noted that the LeechCore library is already supported on Linux.

2019-02-18: Please also have a look at my Microsoft BlueHatIL 2019 talk in which I, among other things, talk about using the Memory Process File System v2.0 with the remote capture functionality discussed in this blog post. In the talk I also make use the Python API and demo the "Total Meltdown/CVE-2018-1038" vulnerability.