
LeechAgent_Install

ufrisk edited this page Jul 6, 2023 · 4 revisions

Installing the LeechAgent service

This wiki entry is about installing the LeechAgent as a service on a remote or local computer. For general information about the LeechAgent check out the wiki entry about the LeechAgent or the general project README.

The video below shows the process of installing the LeechAgent on a remote computer, connecting to it with MemProcFS to analyze and dump the memory while also connecting to it in parallel with PCILeech to submit a Python memory analysis script that makes use of the MemProcFS API to analyze the remote CPU page tables for rwx sections. Click on the video to open a higher-quality version on YouTube.

64-bit and 32-bit:

The LeechAgent supports both 32-bit and 64-bit Windows systems. The 64-bit LeechAgent is strongly recommended!

The LeechAgent may be downloaded from the LeechCore repository on GitHub. For ease of use the WinPMEM memory acquisition driver and remote MemProcFS are included from the start in the release download.

Optional dependencies:

Target system requirements:

  • Windows 7 or later.
  • Bitness - it's not possible to install the 64-bit version of the LeechAgent on a 32-bit system.
  • Administrative access - the user running the LeechAgent installation must be an administrator on the remote computer. If installing on localhost the user must be an elevated administrator.
  • File share - Installation - access to the C$ administrative file share.
  • Firewall openings - Installation - access to the service control manager (SCM) and file sharing is required for remote installation/uninstallation only. Please find example openings in the image below:

  • Firewall openings - Using: Access to the LeechAgent on tcp/445 or tcp/28473 is required. Please find an example opening of tcp/28473 in the image below. Note that if you connect over SMB (tcp/445) this firewall opening is not required.
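The following PowerShell script is an added example, not part of the LeechCore project, that creates the firewall openings listed above on the target system itself (run elevated on the target). The analyst address, the rule display name and the built-in rule group names are assumptions; tcp/28473 is the LeechAgent port stated on this page. The agent port is restricted to a single analyst address rather than opened to any source, and the installation-time openings (SCM and file sharing) are enabled only when asked for, since they are needed only during remote installation or uninstallation.

```powershell
# Added example (not from the LeechCore project): prepare the inbound firewall
# openings described on this page on the target system. Run elevated on the target.
# Assumptions: $AnalystIp and the rule name are placeholders; the display groups
# "Remote Service Management" and "File and Printer Sharing" are the built-in
# Windows rule groups covering the SCM (RPC) and the C$ share (SMB, tcp/445).
param(
    [Parameter(Mandatory)][string]$AnalystIp,   # e.g. 10.0.0.5 (constructed value)
    [switch]$RemoteInstall                       # also open SCM + file sharing
)

# Port the LeechAgent listens on (page value), limited to the analyst workstation.
New-NetFirewallRule -DisplayName "LeechAgent tcp/28473" `
    -Direction Inbound -Protocol TCP -LocalPort 28473 `
    -RemoteAddress $AnalystIp -Action Allow -Profile Domain,Private

if ($RemoteInstall) {
    # Needed for -remoteinstall / -remoteuninstall only; disable again afterwards.
    Enable-NetFirewallRule -DisplayGroup "Remote Service Management"
    Enable-NetFirewallRule -DisplayGroup "File and Printer Sharing"
}

# Show what is now open so the result can be reviewed before the agent is installed.
Get-NetFirewallRule -DisplayName "LeechAgent tcp/28473" |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort
```

After installation is done, `Disable-NetFirewallRule -DisplayGroup "Remote Service Management"` reverts the installation-only opening; the tcp/28473 rule is the only one that has to stay for normal use when you do not connect over SMB.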

Local Installation:

It's possible to install the LeechAgent locally without copying the files to the default Program Files folder. In order to copy files to the default Program Files folder please follow the remote installation examples and set the remote computer to the local computer. Note! Installation towards the local computer must always happen as elevated administrator even if using the remote method.

Install the LeechAgent locally. The LeechAgent and its dependencies are already located on a non-removable fixed local drive - ideally C:. The command must be run as elevated administrator.

  • LeechAgent.exe -install

Remote Installation:

It's possible to install the LeechAgent and its dependencies to a remote computer. To do so execute the command below (replace the remotehost.contoso.com with your target computer of choice). The dependencies and requirements detailed in the above sections must be satisfied prior to executing the -remoteinstall command.

  • LeechAgent.exe -remoteinstall remotehost.contoso.com
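As an added example that is not part of the LeechCore project, the PowerShell function below checks the target system requirements from the sections above (elevated administrator, reachable C$ share, tcp/445 or tcp/28473 open, and 64-bit versus 32-bit) and only then runs the -remoteinstall command shown. It assumes LeechAgent.exe sits in the current directory, uses the page's remotehost.contoso.com placeholder as the target, and the bitness query via Get-CimInstance assumes WinRM is reachable on the target; if it is not, the check is reported as a warning and does not block the install.

```powershell
# Added example (not part of the LeechCore project): verify the target system
# requirements listed on this page before running LeechAgent.exe -remoteinstall.
# Assumptions: LeechAgent.exe is in the current directory; the target name is the
# page's placeholder; Get-CimInstance -ComputerName needs WinRM on the target.
function Test-LeechAgentTarget {
    param([Parameter(Mandatory)][string]$ComputerName)

    $ok = $true

    # Administrative access: the installing user must run as elevated administrator.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $elevated = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $elevated) {
        Write-Warning "not running as elevated administrator"; $ok = $false
    }

    # File share: the C$ administrative share must be reachable for installation.
    if (-not (Test-Path "\\$ComputerName\C$")) {
        Write-Warning "C$ share on $ComputerName not reachable"; $ok = $false
    }

    # Firewall openings for later use: tcp/445 (SMB) or tcp/28473 (agent port).
    $smb = (Test-NetConnection -ComputerName $ComputerName -Port 445 `
                -WarningAction SilentlyContinue).TcpTestSucceeded
    $agt = (Test-NetConnection -ComputerName $ComputerName -Port 28473 `
                -WarningAction SilentlyContinue).TcpTestSucceeded
    if (-not ($smb -or $agt)) {
        Write-Warning "neither tcp/445 nor tcp/28473 reachable on $ComputerName"; $ok = $false
    }

    # Bitness: the 64-bit LeechAgent cannot be installed on a 32-bit system.
    try {
        $os = Get-CimInstance -ComputerName $ComputerName `
                  -ClassName Win32_OperatingSystem -ErrorAction Stop
        Write-Host "target OS: $($os.Caption) ($($os.OSArchitecture))"
        if ($os.OSArchitecture -notlike '64*') {
            Write-Warning "32-bit target: use the 32-bit LeechAgent build"
        }
    } catch {
        Write-Warning "could not query OS bitness via CIM (WinRM assumed): $_"
    }

    return $ok
}

$target = 'remotehost.contoso.com'   # placeholder from the page
if (Test-LeechAgentTarget -ComputerName $target) {
    & .\LeechAgent.exe -remoteinstall $target
} else {
    Write-Warning "requirements not met; -remoteinstall not executed"
}
```

The same function is useful before -remoteuninstall and -remoteupdate, since those commands need the identical share and SCM access.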

Updating or Uninstalling:

It's possible to update or uninstall a remote LeechAgent. The same requirements as for installation apply. Upgrading a LeechAgent is the same as first uninstalling it completely and then installing the new version.

Uninstall a remote LeechAgent by deleting the service and removing the files from the Program Files\LeechAgent directory.

  • LeechAgent.exe -remoteuninstall remotehost.contoso.com

Uninstall a LeechAgent from the local computer by deleting its service but leaving any files intact on the file system. Command must be run as elevated administrator.

  • LeechAgent.exe -uninstall

Update a remote LeechAgent by first uninstalling the existing version and then installing the new version.

  • LeechAgent.exe -remoteupdate remotehost.contoso.com