page-brute

Name: page-brute
Version: 1.0.0
Summary: Python 3 Windows Pagefile analysis tool
Upload time: 2025-02-02 18:00:28
Home page: None (project URL listed on PyPI: https://github.com/digitalsleuth/page_brute)
Author: None (author e-mail names Corey Forman (digitalsleuth) and Mike Matonis (matonis))
Maintainer: None
Docs URL: None
Requires Python: >=3.9
License: None
Keywords: digital forensics, dfir, pagefile, brute
Requirements: No requirements were recorded.
Travis-CI: No Travis.
Coveralls test coverage: No coveralls.
Release files (sha256, as published on PyPI):
  page_brute-1.0.0-py3-none-any.whl: 585cb9f21349c7a87cd1e3dcb2911f917a1a198e1c9d09bb78e79b1ab44de16e
  page_brute-1.0.0.tar.gz: 85ec3a54e80aabbcbec7f01ce8d495abfac95346f28f0ff3d97944130a8fcd51

page-brute
==========

**page-brute** is a digital forensic tool purposed to analyze and categorize individual paged memory frames from Windows page files by applying YARA-based signatures to fixed-size blocks of pagefile.sys.

This version has been updated for python 3 from the original [matonis/page_brute](https://github.com/matonis/page_brute).


***This tool can be used to:***
 * Disambiguate evidence within pagefile.sys by logically grouping blocks/pages into categories based on YARA rulesets of forensic artifacts that follow a pattern/convention.
 * Identify pages that contain remnants of popular cleartext protocols such as HTTP, FTP, etc., to identify network activities.
 * Identify potential attacker activities based on popular command syntaxes used during internal propagations.
 * Identify evidence of active malware infections based on YARA signatures for known malware.
 * Isolate page files that contain signatures/magic values for popular file formats for more precise file carving.

## Requires (installed by default):
 * yara-python
 * default_signatures.yar

## How does it work?
1. Given a block size, page-brute reads the pagefile in fixed-size blocks (default: 4096 bytes).
2. For each block, page-brute decides whether the block is null (all zero bytes); if it is null, the block is skipped.
3. If the block is not null, it is matched against the compiled YARA signatures (defined by the -r/--rules argument).
  * If -r/--rules is not provided, page-brute reads the default ruleset: default_signatures.yar
  * A folder of custom rules can also be passed to -r/--rules (file names must end in .yar)
4. If a block matches a YARA signature, the raw block is stored in the output directory for that rule.
  * -o/--scanname defines the output folder in which raw blocks are saved.
  * If no output is specified, a default folder is created in the current working directory: PAGE_BRUTE-YYYY-MM-DD-HH:MM:SS-RESULTS
5. Blocks are labeled by their logical page ID, beginning at 0.
  * To determine the byte offset of a block within the pagefile, multiply the page ID by the page size.

***NOTE:*** if a page matches multiple signatures, that page is copied into each matching rule's directory.
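The scan loop described in steps 1 to 5 and the multi-match note above, as an added worked example in Python (this is not the project's own code). It assumes only that the rules object offers the yara-python `match(data=...)` interface returning objects with a `.rule` attribute; the `RegexRules` stand-in, `demo()`, the rule names and the constructed five-page pagefile are assumptions made so the script runs offline without yara-python installed.

```python
import os
import re
import tempfile
from dataclasses import dataclass

PAGE_SIZE = 4096  # page-brute's default block size


@dataclass
class Match:
    """Minimal stand-in for a yara.Match; only the rule name is used here."""
    rule: str


class RegexRules:
    """Stand-in (assumption) for a compiled yara.Rules object.

    With yara-python installed, yara.compile(filepath="default_signatures.yar")
    returns an object whose match(data=block) yields objects with a .rule
    attribute, so it can be passed to scan_pagefile() in place of this class.
    """

    def __init__(self, rules):
        self.rules = rules  # {rule_name: compiled bytes regex}

    def match(self, data):
        return [Match(name) for name, rx in self.rules.items() if rx.search(data)]


def iter_pages(path, page_size=PAGE_SIZE):
    """Yield (page_id, block) for each fixed-size block; page IDs start at 0."""
    with open(path, "rb") as fh:
        page_id = 0
        while True:
            block = fh.read(page_size)
            if not block:
                return
            yield page_id, block
            page_id += 1


def page_offset(page_id, page_size=PAGE_SIZE):
    """Byte offset of a flagged page inside the pagefile: page ID * page size."""
    return page_id * page_size


def scan_pagefile(path, rules, out_dir, page_size=PAGE_SIZE, invert=False):
    """Match every non-null block and copy hits to <out_dir>/<rule>/<page_id>.page.

    Returns {rule_name: [page_id, ...]}. A block that matches several rules is
    written into each rule directory. With invert=True (the -i/--invert idea),
    blocks matching no rule are collected under a single "nomatch" directory.
    """
    hits = {}
    for page_id, block in iter_pages(path, page_size):
        if block.count(0) == len(block):  # null page: nothing was paged out here
            continue
        matched = [m.rule for m in rules.match(data=block)]
        if invert:
            matched = [] if matched else ["nomatch"]
        for rule in matched:
            rule_dir = os.path.join(out_dir, rule)
            os.makedirs(rule_dir, exist_ok=True)
            with open(os.path.join(rule_dir, f"{page_id}.page"), "wb") as fh:
                fh.write(block)
            hits.setdefault(rule, []).append(page_id)
    return hits


def demo(invert=False):
    """Scan a constructed five-page pagefile; returns (hits, written relative paths)."""
    # Constructed rules that mimic two categories of default_signatures.yar; not the project's rules.
    rules = RegexRules({
        "http_request": re.compile(rb"^(GET|POST) /\S* HTTP/1\.[01]\r\n", re.M),
        "webartifact_html": re.compile(rb"<(html|td|tr)[ >]", re.I),
    })
    pages = [
        b"\x00" * PAGE_SIZE,                                                  # page 0: null, skipped
        b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",             # page 1: http only
        b"<html><body><td>hello</td></body></html>",                          # page 2: html only
        b"POST /login HTTP/1.0\r\n\r\n<html>Bad request</html>",              # page 3: both rules
        b"\x00" * 100 + b"unrelated binary \xde\xad\xbe\xef" + b"\x00" * 10,  # page 4: no match
    ]
    work = tempfile.mkdtemp()
    pagefile = os.path.join(work, "pagefile.sys")
    with open(pagefile, "wb") as fh:
        fh.write(b"".join(p.ljust(PAGE_SIZE, b"\x00") for p in pages))
    out_dir = os.path.join(work, "PAGE_BRUTE-RESULTS")
    hits = scan_pagefile(pagefile, rules, out_dir, invert=invert)
    written = sorted(
        os.path.relpath(os.path.join(d, f), out_dir).replace(os.sep, "/")
        for d, _, files in os.walk(out_dir) for f in files
    )
    return hits, written


if __name__ == "__main__":
    hits, written = demo()
    for rule, ids in sorted(hits.items()):
        for pid in ids:
            print(f"[!] FLAGGED BLOCK {pid}: {rule} (offset 0x{page_offset(pid):x})")
    print(written)
```

Page 3 lands in both `http_request/3.page` and `webartifact_html/3.page`, which is the copy-per-rule behaviour the note describes; the all-null page 0 is never matched, so a null page can never appear in an inverted scan either. To run this against real signatures, install yara-python and pass `yara.compile(filepath="default_signatures.yar")` as `rules`.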

## How do I write signatures?
YARA is a powerful engine that allows you to match groups of strings, binary sequences, and regular expressions, combined with user-defined boolean conditions, against pretty much anything.

To learn more about writing YARA rules, please see the yara home page: https://virustotal.github.io/yara/

## Current Signatures:
  * FTP
  * HTTP requests/responses
  * IRC
  * Administrative/Hidden Share Abuse
  * Remote system syntaxes
  * HTML
  * Javascript
  * CMD Shell (this might suck)
  * SMTP Message Headers

## Usage:
From the help page:
```
usage: page-brute [-h] [-f FILE] [-p SIZE] [-o SCANNAME] [-i]
                          [-r RULEFILE]

Checks pages in pagefiles for YARA-based rule matches. Useful to identify
forensic artifacts within Windows-based page files and characterize blocks
based on regular expressions.

optional arguments:
  -h, --help            show this help message and exit
  -r RULEFILE, --rules RULEFILE
                        File/directory containing YARA signatures (must end
                        with .yar)

  -f FILE, --file FILE  Pagefile or any chunk/block-based binary file
  -p SIZE, --size SIZE  Size of chunk/block in bytes (Default 4096)
  -o SCANNAME, --scanname SCANNAME
                        Descriptor of the scan session - used for output
                        directory
  -i, --invert          Given scan options, match all blocks that DO NOT match
                        a ruleset
```
### In Action:
```
root@system:~/Desktop/page/page-brute# page-brute --file=pagefile.sys
[+] - page-brute processing file: pagefile.sys
[+] - Ruleset Compilation Successful.
[+] - page-brute running with the following options:
	[-] - FILE: pagefile.sys
	[-] - PAGE_SIZE: 4096
	[-] - RULES TYPE: DEFAULT
	[-] - RULE LOCATION: default_signatures.yar
	[-] - INVERSION SCAN: False
	[-] - WORKING DIR: PAGE_BRUTE-2013-10-27-01:09:33-RESULTS
	=================

        [!] FLAGGED BLOCK 56: cmdshell
        [!] FLAGGED BLOCK 87: cmdshell
        [!] FLAGGED BLOCK 1222: webartifact_html
        [!] FLAGGED BLOCK 1454: webartifact_html
        [!] FLAGGED BLOCK 1782: webartifact_html
        [!] FLAGGED BLOCK 2200: webartifact_html
        [!] FLAGGED BLOCK 3781: webartifact_html
        
root@system:~/Desktop/page/page_brute# ls -lR PAGE_BRUTE-2013-10-27-01\:09\:33-RESULTS/
PAGE_BRUTE-2013-10-27-01:09:33-RESULTS/:
total 8
drwxr-xr-x 2 root root 4096 Oct 27 01:09 cmdshell
drwxr-xr-x 2 root root 4096 Oct 27 01:09 webartifact_html

PAGE_BRUTE-2013-10-27-01:09:33-RESULTS/cmdshell:
total 8
-rw-r--r-- 1 root root 4096 Oct 27 01:09 118.page
-rw-r--r-- 1 root root 4096 Oct 27 01:09 77.page

PAGE_BRUTE-2013-10-27-01:09:33-RESULTS/webartifact_html:
total 20
-rw-r--r-- 1 root root 4096 Oct 27 01:09 1330.page
-rw-r--r-- 1 root root 4096 Oct 27 01:09 1445.page

root@system:~/Desktop/page/page_brute/PAGE_BRUTE-2013-10-27-01:20:28-RESULTS/webartifact_html# xxd 24606.page 
0000000: 613e 3c2f 7464 3e0d 0a20 2020 2020 2020  a></td>..       
0000010: 2020 203c 2f74 723e 0d0a 0d0a 2020 2020     </tr>....    
0000020: 2020 2020 2020 3c74 7220 6964 3d22 446f        <tr id="Do
0000030: 4f76 6572 7269 6465 2220 7374 796c 653d  Override" style=
0000040: 2264 6973 706c 6179 3d27 6e6f 6e65 2722  "display='none'"
0000050: 3e20 0d0a 2020 2020 2020 2020 2020 2020  > ..            
0000060: 3c74 643e 3c69 6d67 2069 643d 226e 6f74  <td><img id="not
0000070: 5265 636f 6d6d 656e 6465 6449 636f 6e22  RecommendedIcon"
0000080: 2073 7263 3d22 7265 645f 7368 6965 6c64   src="red_shield
0000090: 2e70 6e67 2220 626f 7264 6572 3d22 3022  .png" border="0"
00000a0: 2061 6c74 3d22 4e6f 7420 7265 636f 6d6d   alt="Not recomm
00000b0: 656e 6465 6420 6963 6f6e 2220 636c 6173  ended icon" clas
00000c0: 733d 2261 6374 696f 6e49 636f 6e22 3e3c  s="actionIcon"><
00000d0: 2f74 643e 0d0a 2020 2020 2020 2020 2020  /td>..          
00000e0: 2020 3c74 6420 7374 796c 653d 2270 6164    <td style="pad
00000f0: 6469 6e67 2d62 6f74 746f 6d3a 202e 3165  ding-bottom: .1e
```
