Security | DMA | Hacking

   Introducing the LeechAgent The LeechAgent is a 100% free open source endpoint solution geared towards remote physical memory acquisition and analysis on Windows endpoints in Active Directory environments. The LeechAgent provides an easy, but yet high performant and secure, way of accessing and querying the physical memory (RAM) of a remote system. Mount the remote memory with MemProcFS as an easy point-and-click file system - perfect for quick and easy triage. Dump the memory over the network with PCILeech. Query the physical memory using the MemProcFS Python API by submitting analysis scripts to the remote host! Do all of the above simultaneously. Physical memory analysis have many advantages - a main one being able to analyze the state of a system independently from the, potentially compromised, system APIs. The video below shows how easy it is to install the LeechAgent service on a remote computer and then using it to mount MemProcFS, dump physical memory and submit Pyth...

This blog entry aims to give an introduction to The Memory Process File System and show how easy it is to do high-performant memory analysis even from live remote systems over the network. This and much more is presented in my BlueHatIL 2019 talk on February 6th. Connect to a remote system over the network over a kerberos secured connection. Acquire only the live memory you require to do your analysis/forensics - even over medium latency/bandwidth connections. An easy to understand file system user interface combined with continuous background refreshes, made possible by the multi-threaded analysis core, provides an interesting new different way of performing incident response by live memory analysis. The image above shows the user staring MemProcFS.exe with a connection to the remote computer book-test.ad.frizk.net and with the DumpIt live memory acquisition method. it is then possible to analyze live memory simply by clicking around in the file system. Dumping the physical memory ...