Wednesday, February 6, 2019

Remote LIVE Memory Analysis with The Memory Process File System v2.0

This blog entry aims to give an introduction to The Memory Process File System and to show how easy it is to perform high-performance memory analysis, even against live remote systems over the network.

This and much more is presented in my BlueHatIL 2019 talk on February 6th.

Connect to a remote system over the network via a Kerberos-secured connection. Acquire only the live memory you require for your analysis/forensics - even over medium latency/bandwidth connections.

An easy-to-understand file system user interface, combined with continuous background refreshes made possible by the multi-threaded analysis core, provides a new way of performing incident response through live memory analysis.

Analyzing and Dumping remote live memory with the Memory Process File System.
The image above shows the user starting MemProcFS.exe with a connection to the remote computer book-test.ad.frizk.net and with the DumpIt live memory acquisition method. It is then possible to analyze live memory simply by clicking around in the file system. Dumping the physical memory is done by copying the pmem file in the root folder.

Background
The Memory Process File System was released for PCILeech in March 2018, supporting 64-bit Windows, and was used to find the Total Meltdown / CVE-2018-1038 page table permission bit vulnerability in the Windows 7 kernel. People have also used it to cheat in games - primarily cs:go using it via the PCILeech API.

The Memory Process File System was released as a stand-alone project focusing exclusively on memory analysis in November 2018. The initial release included both APIs and plugins for C/C++ and Python. Support was added soon thereafter for 32-bit memory models, and Windows support was expanded as far back as Windows XP.

What is new?
Version 2.0 of The Memory Process File System marks a major release that was released in conjunction with the BlueHatIL 2019 talk Practical Uses for Hardware-assisted Memory Visualization.

New functionality includes:
  • A new separate physical memory acquisition library - the LeechCore.
  • Live memory acquisition with DumpIt or WinPMEM.
  • Remote memory capture via a remotely running LeechService.
  • Support for Microsoft crash dumps and Hyper-V save files.
  • Full multi-threaded support in the memory analysis library.
  • Major performance optimizations.
The combination of live memory capture via Comae DumpIt or WinPMEM and secure remote access may be interesting both for convenience and for incident response. It even works remarkably well over medium-latency and medium-bandwidth connections.

The LeechCore library
The LeechCore library, focusing exclusively on memory acquisition, is released as a standalone open source project as a part of The Memory Process File System v2 release. The LeechCore library abstracts memory acquisition from analysis and makes things more modular and easier to re-use. The library supports multiple memory acquisition methods - such as:
  • Hardware: USB3380, PCILeech FPGA and iLO
  • Live memory: Comae DumpIt and WinPMEM
  • Dump files: raw memory dump files, full crash dump files and Hyper-V save files.
The LeechCore library also allows for transparently connecting to a remote LeechService running on a remote system over a compressed mutually authenticated RPC connection secured by Kerberos. Once connected any of the supported memory acquisition methods may be used.

The LeechService
The LeechService may be installed as a service with the command LeechSvc.exe install. Make sure all necessary dependencies are in the folder of leechsvc.exe - i.e. leechcore.dll and att_winpmem_64.sys (if using winpmem). Once started, the LeechService will write an entry containing the Kerberos SPN to the Application event log, provided that the computer is part of an Active Directory domain.
The LeechService is installed and started with the Kerberos SPN: book-test$@AD.FRIZK.NET
Now connect to the remote LeechService with The Memory Process File System - provided that port 28473 is open in the firewall. The connecting user must be an administrator on the system being analyzed. An event will also be logged for each successful connection. In the example below winpmem is used.
Securely connected to the remote system - acquiring and analyzing live memory.
It's also possible to start the LeechService in interactive mode. When started in interactive mode it can be combined with DumpIt to provide more stable memory acquisition. It may also be started in insecure (no-security) mode, which may be useful if the computer is not joined to an Active Directory domain.
Using DumpIt to start the LeechSvc in interactive insecure mode.
If started in insecure mode, everyone with access to port 28473 will be able to connect and capture live memory, and no logs will be written. The insecure mode is not available in service mode. It is only recommended in secure environments in which the target computer is not domain joined. Please also note that it is possible to start the LeechService in interactive secure mode.

To connect to the example system from a remote system specify:
MemProcFS.exe -device dumpit -remote rpc://insecure:<address_of_remote_system>
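The dump step described above (copying the pmem file from the root of the mounted file system) can be scripted instead of clicked; the following is an added example and not code from the MemProcFS project. It assumes the file system is already mounted with a command line like the one shown and that the caller passes the mount root; the chunk size, the resume-after-interruption logic and the SHA-256 evidence hash are this example's own choices.

```python
import hashlib
import os
import sys

# MemProcFS exposes physical memory as the file "pmem" in the root of the
# mount (e.g. M:\pmem on Windows). The mount root itself is supplied by the
# caller; this example does not know where the file system was mounted.
CHUNK_SIZE = 4 * 1024 * 1024  # 4 MiB reads keep each remote RPC read modest


def dump_pmem(mount_root, out_path, chunk_size=CHUNK_SIZE):
    """Copy <mount_root>/pmem to out_path, resuming an interrupted copy.

    Returns (bytes_written_this_run, sha256_hex_of_complete_dump).
    Note: resuming a *live* dump mixes pages read at two points in time;
    that is acceptable for a file-backed source (crash dump, save file) but
    should be recorded in the evidence notes for live acquisitions.
    """
    src = os.path.join(mount_root, "pmem")
    total = os.path.getsize(src)
    # Resume from the size of any partial output already on disk.
    offset = os.path.getsize(out_path) if os.path.exists(out_path) else 0
    if offset > total:
        raise ValueError("existing output is larger than pmem; refusing to resume")
    written = 0
    with open(src, "rb") as fin, open(out_path, "ab") as fout:
        fin.seek(offset)
        while offset < total:
            chunk = fin.read(min(chunk_size, total - offset))
            if not chunk:  # a short read usually means the remote link dropped
                raise IOError("short read at offset %d; rerun to resume" % offset)
            fout.write(chunk)
            offset += len(chunk)
            written += len(chunk)
    # Hash the finished dump so the copy can be tied to later analysis.
    digest = hashlib.sha256()
    with open(out_path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return written, digest.hexdigest()


if __name__ == "__main__":
    # usage: dump_pmem.py <mount_root> <output_file>
    n, sha = dump_pmem(sys.argv[1], sys.argv[2])
    print("copied %d bytes, sha256=%s" % (n, sha))
```

Rerunning the script after a dropped connection continues from the end of the partial output instead of starting over, which matters when the dump travels over a slow link.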

How do I try it out?
Yes! - both the Memory Process File System and the LeechService are 100% open source.
  1. Download The Memory Process File System from Github - pre-built binaries are found in the files folder. Also, follow the instructions to install the open source Dokany file system.
  2. Download the LeechService from Github - pre-built binaries with no external dependencies are found in the files folder. Please also note that you may have to download Comae DumpIt or WinPMEM (download and copy .sys driver file to directory of MemProcFS.exe) to acquire live memory.

The Future
Please do keep in mind that this is a hobby project. Since I'm not working professionally with this, future updates may take time and are also not guaranteed.

The Memory Process File System and the LeechCore are already somewhat mature in their focus on fast, efficient, multi-threaded live memory acquisition and analysis, even though current functionality is somewhat limited.

The plan for the near future is to add additional core functionality - such as page hashing and PFN database support. Page hashing will allow for more efficient remote memory acquisition and better forensics capabilities. PFN database support will strengthen virtual memory support in general.

Additional and more efficient analysis methods, primarily in the form of new plugins, will also be added in the medium term.

Support for additional operating systems, such as Linux and macOS, is a long-term goal. It shall however be noted that the LeechCore library is already supported on Linux.

Update
2019-02-18: Please also have a look at my Microsoft BlueHatIL 2019 talk in which I, among other things, talk about using the Memory Process File System v2.0 with the remote capture functionality discussed in this blog post. In the talk I also make use of the Python API and demo the "Total Meltdown/CVE-2018-1038" vulnerability.



23 comments:

  1. Does this mean a memory pull from a hyperv VM can be straight analyzed using Volatility without any converters?