page-brute
==========
**page-brute** is a digital forensic tool designed to analyze and categorize individual paged memory frames from Windows page files by applying YARA-based signatures to fixed-size blocks of pagefile.sys.
This version has been updated for Python 3 from the original [matonis/page_brute](https://github.com/matonis/page_brute).
***This tool can be used to:***
* Disambiguate evidence within pagefile.sys by logically grouping blocks/pages into categories based on YARA rulesets of forensic artifacts that follow a pattern/convention.
* Identify pages that contain remnants of popular cleartext protocols such as HTTP, FTP, etc., to identify network activity.
* Identify potential attacker activity based on popular command syntaxes used during internal propagation (lateral movement).
* Identify evidence of active malware infections based on YARA signatures for known malware.
* Isolate page files that contain signatures/magic values for popular file formats for more precise file carving.
## Requires (installed by default):
* yara-python
* default_signatures.yar
## How does it work?
1. Given a block size, page-brute reads the pagefile in fixed-size blocks (default: 4096 bytes).
2. For each block, page-brute decides whether the block is null; if it is null, the block is skipped.
3. If the block is not null, it is scanned against the compiled YARA signatures (defined by the -r/--rules argument).
   * If -r/--rules is not provided, page-brute reads the default ruleset: default_signatures.yar
   * Custom rules stored in a folder can also be passed to -r/--rules (file names must end in .yar)
4. If a block matches a YARA signature, the raw block is stored in the output directory named after that rule.
   * -o/--scanname defines the output folder in which raw blocks are saved.
   * If no output is specified, a default folder is created in the current working directory: PAGE_BRUTE-YYYY-MM-DD-HH:MM:SS-RESULTS
5. Blocks are labeled by their logical page ID, beginning at 0.
   * To determine the byte offset of a block within the pagefile, multiply the page ID by the page size.
***NOTE:*** if a page (block) matches multiple signatures, it is copied into each matching rule's output directory.
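The five steps above as an added example, not page-brute's own code: a small Python scanner that reads a constructed pagefile in 4096-byte pages, skips null pages, tags each remaining page with every rule it matches (so a page matching two rules lands under both, as the NOTE describes), supports the inverted scan, and converts a page ID back to a file offset. The byte-regex `SIGNATURES` dict stands in for the YARA ruleset; that, the rule names and the sample pages are assumptions made for this example (yara-python is not used here).

```python
import re
from collections import defaultdict

PAGE_SIZE = 4096

# Constructed stand-in for default_signatures.yar: rule name -> byte regex.
# Real page-brute compiles .yar rules with yara-python instead.
SIGNATURES = {
    "webartifact_html": re.compile(rb"<(html|td|tr|img)\b", re.IGNORECASE),
    "cmdshell": re.compile(rb"C:\\Windows\\system32>", re.IGNORECASE),
}

def is_null(block: bytes) -> bool:
    """Step 2: a block consisting only of zero bytes carries no data."""
    return not block.strip(b"\x00")

def scan_blocks(data: bytes, page_size: int = PAGE_SIZE, invert: bool = False):
    """Steps 1-5: walk the file in fixed-size blocks and record, per rule,
    the page IDs that match; with invert=True record the non-null pages that
    match no rule under 'no_match'. Returns {rule_name: [page_id, ...]}."""
    hits = defaultdict(list)
    for page_id, start in enumerate(range(0, len(data), page_size)):
        block = data[start:start + page_size]
        if is_null(block):
            continue
        matched = [name for name, rx in SIGNATURES.items() if rx.search(block)]
        if invert:
            if not matched:
                hits["no_match"].append(page_id)
            continue
        # A block matching several rules is recorded under each of them.
        for name in matched:
            hits[name].append(page_id)
    return dict(hits)

def page_offset(page_id: int, page_size: int = PAGE_SIZE) -> int:
    """Step 5: byte offset of a block in the pagefile from its page ID."""
    return page_id * page_size

def make_sample() -> bytes:
    """Constructed 4-page 'pagefile': a null page, an HTML page, a command
    prompt page that also contains HTML, and a page of unremarkable bytes."""
    def pad(b: bytes) -> bytes:
        return b.ljust(PAGE_SIZE, b"\x00")
    return b"".join([
        pad(b""),
        pad(b'<tr id="DoOverride"><td><img id="icon"></td></tr>'),
        pad(b"C:\\Windows\\system32>type <html>"),
        pad(b"\x01\x02just bytes\xff"),
    ])
```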
## How do I write signatures?
YARA is a powerful engine that allows you to match groups of strings, binary sequences, and regular expressions, combined with user-defined boolean conditions, against pretty much anything.
To learn more about writing YARA rules, please see the yara home page: https://virustotal.github.io/yara/
## Current Signatures:
* FTP
* HTTP requests/responses
* IRC
* Administrative/Hidden Share Abuse
* Remote system syntaxes
* HTML
* Javascript
* CMD Shell (this might suck)
* SMTP Message Headers
## Usage:
From the help page:
```
usage: page-brute [-h] [-f FILE] [-p SIZE] [-o SCANNAME] [-i]
                  [-r RULEFILE]

Checks pages in pagefiles for YARA-based rule matches. Useful to identify
forensic artifacts within Windows-based page files and characterize blocks
based on regular expressions.

optional arguments:
  -h, --help            show this help message and exit
  -r RULEFILE, --rules RULEFILE
                        File/directory containing YARA signatures (must end
                        with .yar)

  -f FILE, --file FILE  Pagefile or any chunk/block-based binary file
  -p SIZE, --size SIZE  Size of chunk/block in bytes (Default 4096)
  -o SCANNAME, --scanname SCANNAME
                        Descriptor of the scan session - used for output
                        directory
  -i, --invert          Given scan options, match all blocks that DO NOT match
                        a ruleset
```
### In Action:
```
root@system:~/Desktop/page/page-brute# page-brute --file=pagefile.sys
[+] - page-brute processing file: pagefile.sys
[+] - Ruleset Compilation Successful.
[+] - page-brute running with the following options:
	[-] - FILE: pagefile.sys
	[-] - PAGE_SIZE: 4096
	[-] - RULES TYPE: DEFAULT
	[-] - RULE LOCATION: default_signatures.yar
	[-] - INVERSION SCAN: False
	[-] - WORKING DIR: PAGE_BRUTE-2013-10-27-01:09:33-RESULTS
	=================

 [!] FLAGGED BLOCK 56: cmdshell
 [!] FLAGGED BLOCK 87: cmdshell
 [!] FLAGGED BLOCK 1222: webartifact_html
 [!] FLAGGED BLOCK 1454: webartifact_html
 [!] FLAGGED BLOCK 1782: webartifact_html
 [!] FLAGGED BLOCK 2200: webartifact_html
 [!] FLAGGED BLOCK 3781: webartifact_html

root@system:~/Desktop/page/page_brute# ls -lR PAGE_BRUTE-2013-10-27-01\:09\:33-RESULTS/
PAGE_BRUTE-2013-10-27-01:09:33-RESULTS/:
total 8
drwxr-xr-x 2 root root 4096 Oct 27 01:09 cmdshell
drwxr-xr-x 2 root root 4096 Oct 27 01:09 webartifact_html

PAGE_BRUTE-2013-10-27-01:09:33-RESULTS/cmdshell:
total 8
-rw-r--r-- 1 root root 4096 Oct 27 01:09 118.page
-rw-r--r-- 1 root root 4096 Oct 27 01:09 77.page

PAGE_BRUTE-2013-10-27-01:09:33-RESULTS/webartifact_html:
total 20
-rw-r--r-- 1 root root 4096 Oct 27 01:09 1330.page
-rw-r--r-- 1 root root 4096 Oct 27 01:09 1445.page

root@system:~/Desktop/page/page_brute/PAGE_BRUTE-2013-10-27-01:20:28-RESULTS/webartifact_html# xxd 24606.page
0000000: 613e 3c2f 7464 3e0d 0a20 2020 2020 2020  a></td>..
0000010: 2020 203c 2f74 723e 0d0a 0d0a 2020 2020     </tr>....
0000020: 2020 2020 2020 3c74 7220 6964 3d22 446f        <tr id="Do
0000030: 4f76 6572 7269 6465 2220 7374 796c 653d  Override" style=
0000040: 2264 6973 706c 6179 3d27 6e6f 6e65 2722  "display='none'"
0000050: 3e20 0d0a 2020 2020 2020 2020 2020 2020  > ..
0000060: 3c74 643e 3c69 6d67 2069 643d 226e 6f74  <td><img id="not
0000070: 5265 636f 6d6d 656e 6465 6449 636f 6e22  RecommendedIcon"
0000080: 2073 7263 3d22 7265 645f 7368 6965 6c64   src="red_shield
0000090: 2e70 6e67 2220 626f 7264 6572 3d22 3022  .png" border="0"
00000a0: 2061 6c74 3d22 4e6f 7420 7265 636f 6d6d   alt="Not recomm
00000b0: 656e 6465 6420 6963 6f6e 2220 636c 6173  ended icon" clas
00000c0: 733d 2261 6374 696f 6e49 636f 6e22 3e3c  s="actionIcon"><
00000d0: 2f74 643e 0d0a 2020 2020 2020 2020 2020  /td>..
00000e0: 2020 3c74 6420 7374 796c 653d 2270 6164    <td style="pad
00000f0: 6469 6e67 2d62 6f74 746f 6d3a 202e 3165  ding-bottom: .1e
```
## Package metadata (PyPI):
* Package: page-brute 1.0.0 (summary: "Python 3 Windows Pagefile analysis tool")
* Requires Python >= 3.9
* Authors: Corey Forman (digitalsleuth) and Mike Matonis (matonis); maintainer: Corey Forman (digitalsleuth)
* Homepage: https://github.com/digitalsleuth/page_brute
* Keywords: digital forensics, dfir, pagefile, brute
* Released on PyPI on 2025-02-02 as a wheel (page_brute-1.0.0-py3-none-any.whl) and a source distribution (page_brute-1.0.0.tar.gz)