
LeechAgent_Install

Ulf Frisk edited this page Feb 12, 2025 · 6 revisions

Installing the LeechAgent service

⚠️ This entry is about installing the LeechAgent on Windows. The LeechAgent exists for Linux as well, but it has to be installed manually. Check out the LeechAgent overview for general information about both the Windows and Linux agents.

This wiki entry is about installing the Windows version of the LeechAgent as a service on a remote or local computer. For general information about the LeechAgent check out the wiki entry about the LeechAgent or the general project README.

The video below shows the process of installing the LeechAgent on a remote computer, connecting to it with MemProcFS to analyze and dump the memory, while also connecting to it in parallel with PCILeech to submit a Python memory analysis script that makes use of the MemProcFS API to scan the remote CPU page tables for rwx sections.

64-bit and 32-bit:

The LeechAgent supports both 32-bit and 64-bit Windows systems. The 64-bit LeechAgent is strongly recommended!

The LeechAgent may be downloaded from the LeechCore repository on Github. For ease of use the WinPMEM memory acquisition driver and remote MemProcFS are included from the start in the release download.

gRPC mTLS support:

This section is only relevant if gRPC should be enabled in addition to MS-RPC which is enabled by default.

The LeechAgent optionally supports gRPC with mTLS certificate-based authentication. gRPC is not enabled by default and has to be enabled manually. gRPC allows clients on Linux and macOS to connect using mTLS certificate-based authentication. For all command line arguments see the LeechAgent overview.

  1. Ensure the file libleechgrpc.dll is alongside leechagent.exe. It's packaged by default.
  2. Create the file leechagent_config.txt in the folder of leechagent.exe. leechagent_config.txt will contain the command line arguments necessary to start the LeechAgent in gRPC mode.
  3. In the file leechagent_config.txt add:

-grpc -grpc-tls-p12 <tls_server_cert_p12_pfx_file> -grpc-tls-p12-password <p12_password> -grpc-client-ca <client_cert_ca_file>

  4. Start or install the LeechAgent as normal.
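The steps above assume you already have a server PKCS#12 file and a client CA. The script below is an added example, not code from the LeechAgent project, showing one way to produce those files on the agent host with a throwaway private CA and then write leechagent_config.txt. It assumes the agent lives in C:\LeechAgent (a path without spaces, because this page does not document the config file's quoting rules), that -grpc-client-ca accepts a PEM-encoded CA certificate, and that the DNS name clients will verify is remotehost.contoso.com. Run it in an elevated Windows PowerShell on the agent host.

```powershell
# Added example (not part of the LeechAgent project): private CA + server
# PKCS#12 + client PKCS#12 for LeechAgent gRPC mTLS, then leechagent_config.txt.
# ASSUMPTIONS: agent directory has no spaces; -grpc-client-ca takes a PEM
# certificate; clients verify the server name $ServerDns.
param(
    [string]$AgentDir  = 'C:\LeechAgent',
    [string]$ServerDns = 'remotehost.contoso.com'
)
$ErrorActionPreference = 'Stop'

# 1. Private CA, self-signed, CA:true, path length 0 (only signs the two leaves).
$ca = New-SelfSignedCertificate -Subject 'CN=LeechAgent Test CA' `
    -KeyUsage CertSign, CRLSign -KeyExportPolicy Exportable `
    -CertStoreLocation 'Cert:\LocalMachine\My' -NotAfter (Get-Date).AddYears(2) `
    -TextExtension @('2.5.29.19={critical}{text}ca=true&pathlength=0')

# 2. Server certificate for the agent (serverAuth EKU), signed by the CA.
$server = New-SelfSignedCertificate -Subject "CN=$ServerDns" -DnsName $ServerDns `
    -Signer $ca -KeyExportPolicy Exportable -CertStoreLocation 'Cert:\LocalMachine\My' `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1')

# 3. Client certificate (clientAuth EKU) an analyst workstation presents over mTLS.
$client = New-SelfSignedCertificate -Subject 'CN=analyst01' `
    -Signer $ca -KeyExportPolicy Exportable -CertStoreLocation 'Cert:\LocalMachine\My' `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')

# 4. Export: server and client key+cert as PKCS#12, CA certificate as PEM.
$p12Password = Read-Host -AsSecureString 'PKCS#12 password (used for server.p12 and analyst01.p12)'
$serverP12 = Join-Path $AgentDir 'server.p12'
$clientCa  = Join-Path $AgentDir 'client-ca.pem'
Export-PfxCertificate -Cert $server -FilePath $serverP12 -Password $p12Password | Out-Null
Export-PfxCertificate -Cert $client -FilePath (Join-Path $AgentDir 'analyst01.p12') -Password $p12Password | Out-Null

function ConvertTo-Pem([System.Security.Cryptography.X509Certificates.X509Certificate2]$c) {
    # Wrap the DER bytes in PEM armour, the form OpenSSL/gRPC-style loaders read.
    "-----BEGIN CERTIFICATE-----`n" +
    [Convert]::ToBase64String($c.RawData, 'InsertLineBreaks') +
    "`n-----END CERTIFICATE-----`n"
}
Set-Content -Path $clientCa -Value (ConvertTo-Pem $ca) -NoNewline -Encoding ASCII

# 5. Write the config file. The password is stored in clear text, exactly as the
#    -grpc-tls-p12-password argument requires, so lock the file down to SYSTEM and
#    Administrators (the service runs as SYSTEM, which keeps read access).
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($p12Password)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$cfgPath = Join-Path $AgentDir 'leechagent_config.txt'
Set-Content -Path $cfgPath -Encoding ASCII -Value `
    "-grpc -grpc-tls-p12 $serverP12 -grpc-tls-p12-password $plain -grpc-client-ca $clientCa"
icacls $cfgPath /inheritance:r /grant:r 'SYSTEM:F' 'Administrators:F' | Out-Null

# 6. Open tcp/28474 for gRPC clients (the page lists this port for gRPC access).
New-NetFirewallRule -DisplayName 'LeechAgent gRPC (tcp/28474)' -Direction Inbound `
    -Protocol TCP -LocalPort 28474 -Action Allow | Out-Null

# 7. The exported files are what matter; remove the keys from the machine store.
foreach ($t in $server.Thumbprint, $client.Thumbprint, $ca.Thumbprint) {
    Remove-Item -Path "Cert:\LocalMachine\My\$t" -DeleteKey
}
Write-Host "Wrote $cfgPath. Give analyst01.p12 and client-ca.pem to the analyst; keep server.p12 on this host only."
```

Only the server PKCS#12 and the CA certificate stay on the agent host; the client PKCS#12 is handed to the analyst out of band, and the CA private key is deleted once both leaves are signed so a compromised agent host cannot mint new client certificates.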

Optional dependencies:

Target system requirements:

  • Windows 7 or later.
  • Bitness - the 64-bit LeechAgent cannot be installed on a 32-bit system; use the 32-bit build there.
  • Administrative access - the user running the LeechAgent installation must be an administrator on the remote computer. When installing on localhost the user must run as an elevated administrator.
  • File share - installation - access to the C$ administrative file share on the target is required.
  • Firewall openings - installation - access to the service control manager (SCM) and file sharing on the target is required, for remote installation/uninstallation only. Example openings are shown in the image below:

  • Firewall openings - using - access to the LeechAgent on tcp/445 (SMB), tcp/28473 (MS-RPC) or tcp/28474 (gRPC) is required. An example opening of tcp/28473 is shown in the image below. If you connect over SMB (tcp/445) the tcp/28473 opening is not required.

Local Installation:

It's possible to install the LeechAgent locally without copying the files to the default Program Files folder. To have the files copied to the default Program Files folder, follow the remote installation example and set the remote computer to the local computer. Note! Installation onto the local computer must always run as elevated administrator, even when using the remote method.

Install the LeechAgent locally. The LeechAgent and its dependencies must already be located on a non-removable fixed local drive, ideally C:, since the local install does not copy them. The command must be run as elevated administrator.

  • LeechAgent.exe -install

Remote Installation:

It's possible to install the LeechAgent and its dependencies on a remote computer. To do so execute the command below (replace remotehost.contoso.com with your target computer). The dependencies and requirements detailed in the sections above must be satisfied before running the -remoteinstall command.

  • LeechAgent.exe -remoteinstall remotehost.contoso.com
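The requirements listed under "Target system requirements" and the -remoteinstall step above can be checked and run from one script. The following is an added example, not part of the LeechAgent project, written for an elevated Windows PowerShell on the operator workstation. It assumes the installed service is named LeechAgent, that leechagent.exe returns a non-zero exit code on failure, and that leechagent.exe sits in C:\LeechAgent; it only touches the ports this page names (tcp/445 for the C$ share and SCM, tcp/28473 for MS-RPC), so the bitness check reads the remote file system over the share instead of using WMI or WinRM.

```powershell
# Added example (not part of the LeechAgent project): pre-flight the remote
# install requirements, run leechagent.exe -remoteinstall, verify the service.
# ASSUMPTIONS: service name "LeechAgent"; non-zero exit code from leechagent.exe
# on failure; operator is an administrator on the target.
param(
    [Parameter(Mandatory)][string]$Target,                 # e.g. remotehost.contoso.com
    [string]$AgentExe = 'C:\LeechAgent\leechagent.exe'
)
$ErrorActionPreference = 'Stop'

function Test-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-AgentPrereq([string]$Computer) {
    $ok = $true
    if (-not (Test-Elevated)) { Write-Warning 'Not running as elevated administrator'; $ok = $false }

    # tcp/445 carries both the C$ file copy and the named-pipe path to the SCM.
    if (-not (Test-NetConnection -ComputerName $Computer -Port 445 -InformationLevel Quiet)) {
        Write-Warning "${Computer}: tcp/445 unreachable (file sharing / SCM)"; $ok = $false
    }
    # C$ administrative share must be writable by the current user.
    if (-not (Test-Path "\\$Computer\C$")) {
        Write-Warning "${Computer}: C$ administrative share not accessible"; $ok = $false
    }
    # Remote service control manager must answer a query.
    sc.exe "\\$Computer" query type= service state= all | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "${Computer}: remote SCM query failed ($LASTEXITCODE)"; $ok = $false }

    # Bitness: "Program Files (x86)" exists only on 64-bit Windows. The 64-bit
    # agent cannot be installed on a 32-bit host, so refuse unless it is present.
    if (-not (Test-Path "\\$Computer\C$\Program Files (x86)")) {
        Write-Warning "${Computer}: looks like 32-bit Windows; use the 32-bit LeechAgent"; $ok = $false
    }
    $ok
}

function Install-LeechAgentRemote([string]$Computer) {
    if (-not (Test-AgentPrereq $Computer)) { throw "Prerequisites not met for $Computer" }

    & $AgentExe -remoteinstall $Computer
    if ($LASTEXITCODE -ne 0) { throw "leechagent.exe -remoteinstall returned $LASTEXITCODE" }

    # Verify: service present and running on the target.
    $state = sc.exe "\\$Computer" query LeechAgent | Select-String 'STATE' | ForEach-Object Line
    if ($state -notmatch 'RUNNING') { throw "LeechAgent service not running on ${Computer}: $state" }

    # MS-RPC port is optional: clients can fall back to SMB (tcp/445) if closed.
    if (-not (Test-NetConnection -ComputerName $Computer -Port 28473 -InformationLevel Quiet)) {
        Write-Warning "${Computer}: tcp/28473 closed; clients must connect over SMB (tcp/445) or the port must be opened"
    }
    "LeechAgent installed and running on $Computer"
}

Install-LeechAgentRemote -Computer $Target
```

The same pre-flight applies to -remoteuninstall and -remoteupdate, since both go through the C$ share and the SCM; the service verification at the end is what distinguishes a copy that succeeded from a service that actually started.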

Updating or Uninstalling:

It's possible to update or uninstall a remote LeechAgent. The same requirements as for installation apply. Upgrading a LeechAgent is the same as first uninstalling it completely and then installing the new version.

Uninstall a remote LeechAgent by deleting the service and removing the files from the Program Files\LeechAgent directory.

  • LeechAgent.exe -remoteuninstall remotehost.contoso.com

Uninstall a LeechAgent from the local computer by deleting its service but leaving any files intact on the file system. Command must be run as elevated administrator.

  • LeechAgent.exe -uninstall

Update a remote LeechAgent by first uninstalling the existing version and then installing the new version.

  • LeechAgent.exe -remoteupdate remotehost.contoso.com