@scudette
Last active July 30, 2020 13:09
Uploader with memory acquisition
autoexec:
  argv:
    - "-v"
    - "artifacts"
    - "collect"
    - MemoryAcquisition

  artifact_definitions:
    - name: MemoryAcquisition
      description: |
        This artifact extracts the winpmem.exe binary from a zip file appended to the
        running executable and then uses it to take a memory image. It then uploads
        the image to an S3 bucket automatically.

        Before you can use this artifact you need to prepare the binary by compressing
        winpmem.exe into a payload zip, then appending the zip to the repacked
        executable.

        ```
        $ zip payload.zip winpmem.exe
        $ velociraptor config repack --binary velociraptor.exe autoexec.yaml my_velo.exe --append payload.zip
        ```

        This command:

        1. Takes the Windows binary and repacks autoexec.yaml into it.
        2. Appends the payload.zip to the end of my_velo.exe (adjusting PE headers as necessary).
        3. When run, the autoexec config will be loaded and will immediately collect memory into a tempfile,
           then upload it to S3 and finally clean up the tempfiles.

      parameters:
        - name: Bucket
          default: upload.bucket.example.com
        - name: Region
          default: ap-southeast-2
        - name: key
          default: BucketKey
        - name: secret
          default: BucketSecret

      sources:
        - queries:
            # Get the path to our own executable.
            - LET me = SELECT Exe FROM pslist(pid=getpid())

            # Open our own executable as a zip file and glob
            # all the members for a name matching winpmem.
            - LET winpmem = SELECT FullPath FROM glob(
                  globs=url(scheme='file',
                            path=me.Exe[0],
                            fragment="/**").String,
                  accessor='zip')
              WHERE FullPath =~ 'winpmem'

            # Create a tempfile for the aff4 image file.
            - LET temp1 <= SELECT tempfile(extension=".aff4") AS Filename FROM scope()

            # Get the hostname.
            - LET hostinfo = SELECT * FROM info()

            # Copy winpmem.exe out of the zip into a tempfile, then run it
            # with the correct flags to write the image to the tempfile above.
            # Note: <= forces us to wait here until the whole image is done.
            - LET image <= SELECT * FROM execve(argv=[
                  copy(filename=winpmem.FullPath[0],
                       accessor='zip',
                       dest=tempfile(extension='.exe')),
                  "-o", temp1.Filename[0], "-dd"])

            # Upload the image to the S3 bucket with a hostname and
            # timestamp filename.
            - SELECT upload_s3(file=temp1.Filename[0],
                               bucket=Bucket,
                               name=format(format="%v-%v-Memory.zip",
                                           args=[hostinfo.Fqdn[0], timestamp(epoch=now())]),
                               region=Region,
                               credentialskey=key,
                               credentialssecret=secret), {
                  SELECT * FROM image
              } AS Output
              FROM scope() LIMIT 1
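The final upload query above sends the image without recording what was acquired. The following VQL is an added example (not part of the gist) that records the image size and SHA256 before uploading and skips the upload when winpmem produced an empty file; it assumes `temp1`, `image`, `hostinfo` and the `Bucket`/`Region`/`key`/`secret` parameters from the artifact are in scope, and that `stat()`, `hash()`, `if()` and `log()` behave as in current Velociraptor releases.

```vql
-- Record size and SHA256 of the image before upload so the object that
-- lands in S3 can later be verified against what was actually acquired.
-- (Assumes temp1 from the artifact above is in scope.)
LET image_info <= SELECT Size, hash(path=temp1.Filename[0]).SHA256 AS SHA256
                  FROM stat(filename=temp1.Filename[0])

-- Only upload when winpmem produced a non-empty image; otherwise log why,
-- so a missing payload zip or a failed acquisition is visible in the output
-- instead of silently uploading an empty file.
SELECT if(condition=image_info.Size[0] > 0,
          then=upload_s3(file=temp1.Filename[0],
                         bucket=Bucket,
                         name=format(format="%v-%v-Memory.zip",
                                     args=[hostinfo.Fqdn[0], timestamp(epoch=now())]),
                         region=Region,
                         credentialskey=key,
                         credentialssecret=secret),
          else=log(message="Memory image is empty; not uploading")) AS Upload,
       image_info.Size[0] AS ImageSize,
       image_info.SHA256[0] AS ImageSHA256,
       { SELECT * FROM image } AS Output
FROM scope() LIMIT 1
```

The ImageSize and ImageSHA256 columns stay in the collection result, so the hash can be compared with the object in S3 after the transfer.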
@scudette (Author)

In order to package the binary with Velociraptor you need to create a zip file containing the winpmem.exe binary and append it to the binary using the --append flag.

$ zip payload.zip winpmem.exe   (or use explorer/send to archive)
$ velociraptor.exe -v config repack autoexec.yaml my_velo.exe  --append payload.zip

@scudette (Author)

This is no longer needed as it is integrated into the Offline Collector GUI - simply select Windows.Memory.Acquisition to add to the collector.
