Last active July 30, 2020 13:09
Uploader with memory acquisition
```yaml
autoexec:
  argv:
    - "-v"
    - "artifacts"
    - "collect"
    - MemoryAcquisition

  artifact_definitions:
    - name: MemoryAcquisition
      description: |
        This artifact extracts the winpmem.exe binary from a zip file appended to the
        running executable and then uses it to take a memory image. It then uploads
        the image to an S3 bucket automatically.

        Before you can use this artifact you need to prepare the binary by compressing
        winpmem.exe into a payload zip, then appending the zip to the repacked
        executable.

        ```
        $ zip payload.zip winpmem.exe
        $ velociraptor config repack --binary velociraptor.exe autoexec.yaml my_velo.exe --append payload.zip
        ```

        This command:

        1. Takes the Windows binary and repacks autoexec.yaml into it.
        2. Appends the payload.zip to the end of my_velo.exe (adjusting PE headers as necessary).
        3. When run, the autoexec config will be loaded and immediately collect memory into a tempfile,
           then upload it to S3 and finally clean up the tempfiles.

      parameters:
        - name: Bucket
          default: upload.bucket.example.com
        - name: Region
          default: ap-southeast-2
        - name: key
          default: BucketKey
        - name: secret
          default: BucketSecret

      sources:
        - queries:
            # Get the path to our own executable.
            - LET me = SELECT Exe FROM pslist(pid=getpid())

            # Open our own executable as a zip file and glob
            # all the members for name matching winpmem
            - LET winpmem = SELECT FullPath FROM glob(
                  globs=url(scheme='file',
                            path=me.Exe[0],
                            fragment="/**").String,
                  accessor='zip')
              WHERE FullPath =~ 'winpmem'

            # Create a tempfile for the aff4 image file.
            - LET temp1 <= SELECT tempfile(extension=".aff4") AS Filename FROM scope()

            # Get the hostname
            - LET hostinfo = SELECT * FROM info()

            # Copy the winpmem.exe out of the zip into a tempfile then run it
            # with the correct flags to write the image to the tempfile above.
            # Note <= will force us to wait here until the whole image is done.
            - LET image <= SELECT * FROM execve(argv=[
                  copy(filename=winpmem.FullPath[0],
                       accessor='zip',
                       dest=tempfile(extension='.exe')),
                  "-o", temp1.Filename[0], "-dd"])

            # Upload the image to the s3 bucket with hostname and
            # timestamp filename.
            - SELECT upload_s3(file=temp1.Filename[0],
                               bucket=Bucket,
                               name=format(format="%v-%v-Memory.zip", args=[hostinfo.Fqdn[0],
                                                                            timestamp(epoch=now())]),
                               region=Region,
                               credentialskey=key,
                               credentialssecret=secret), {
                  SELECT * FROM image
              } AS Output
              FROM scope() LIMIT 1
```
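The artifact relies on the repacked executable being readable as a zip through the `zip` accessor, so before shipping a collector it is worth confirming that the appended payload is actually reachable. This is an added Python check, not part of the gist or of Velociraptor: it finds the end-of-central-directory record of an appended zip, computes where the archive starts inside the executable, and lists its members; the sample bytes are constructed inline in place of a real `my_velo.exe`.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"
MAX_EOCD_SCAN = 22 + 65535  # EOCD record plus the largest possible zip comment


def find_appended_zip(data: bytes):
    """Return (zip_start_offset, member_names) for a zip appended to a blob, or None.
    Classic zip only; ZIP64 archives are not handled here."""
    tail = data[-MAX_EOCD_SCAN:]
    idx = tail.rfind(EOCD_SIG)
    if idx == -1 or len(tail) - idx < 22:
        return None
    # EOCD layout: sig(4) disk(2) cd_disk(2) entries_disk(2) entries(2)
    #              cd_size(4) cd_offset(4) comment_len(2)
    fields = struct.unpack("<4sHHHHIIH", tail[idx:idx + 22])
    entries, cd_size, cd_offset = fields[4], fields[5], fields[6]
    eocd_abs = len(data) - len(tail) + idx
    # cd_offset is relative to the start of the zip, and the central directory
    # ends where the EOCD begins, so everything before eocd_abs - cd_size - cd_offset
    # is the prepended executable.
    zip_start = eocd_abs - cd_size - cd_offset
    if zip_start < 0:
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:  # tolerates prepended data
            names = zf.namelist()
    except zipfile.BadZipFile:  # signature found by chance, no real archive
        return None
    if len(names) != entries:
        return None
    return zip_start, names


def payload_has_winpmem(data: bytes) -> bool:
    """Mirror the artifact's `FullPath =~ 'winpmem'` member match."""
    found = find_appended_zip(data)
    return found is not None and any("winpmem" in n.lower() for n in found[1])


def build_sample() -> bytes:
    """Constructed sample: placeholder 'executable' bytes plus a payload zip."""
    exe = b"MZ" + b"\x00" * 1022  # 1024 bytes standing in for my_velo.exe; not a real PE
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("winpmem.exe", b"placeholder, not the real winpmem binary")
    return exe + buf.getvalue()
```

Run it against the real repacked binary by passing `open("my_velo.exe", "rb").read()` to `payload_has_winpmem`; a `None` result from `find_appended_zip` means the `--append` step did not leave a parseable archive at the end of the file.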
This is no longer needed as it is integrated into the Offline Collector GUI - simply select Windows.Memory.Acquisition to add to the collector.
In order to package the binary with Velociraptor you need to create a zip file containing the winpmem.exe binary and append it to the binary using the --append flag.