exploit - mona.py - the manual

最新推荐文章于 2024-04-14 10:29:00 发布
最新推荐文章于 2024-04-14 10:29:00 发布
阅读量3.5k 收藏
点赞数
分类专栏: Vulnerability Analysis exploit
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/nixawk/article/details/43967147
版权

mona.py

Install mona.py

Put mona.py into 

C:\Program Files\Immunity Inc\Immunity Debugger\PyCommands

Basic usage

Open Immunity Debugger. At the bottom of the application you should see an input box (command bar), Enter !mona and press return.

Open the log window (ALT-L) and you should get a full page of information about mona (options and commands).

0BADF00D   [+] Command used:
0BADF00D   !mona
0BADF00D        'mona' - Exploit Development Swiss Army Knife - Immunity Debugger (32bit)
0BADF00D        Plugin version : 2.0 r554
0BADF00D        Written by Corelan - https://www.corelan.be
0BADF00D        Project page : https://github.com/corelan/mona

               .##.....##..#######..##....##....###........########..##....##
               .###...###.##.....##.###...##...##.##.......##.....##..##..##.
               .####.####.##.....##.####..##..##...##......##.....##...####..
               .##.###.##.##.....##.##.##.##.##.....##.....########.....##...
               .##.....##.##.....##.##..####.#########.....##...........##...
               .##.....##.##.....##.##...###.##.....##.###.##...........##...
               .##.....##..#######..##....##.##.....##.###.##...........##...


0BADF00D   Global options :
0BADF00D   ----------------
0BADF00D   You can use one or more of the following global options on any command that will perform
0BADF00D   a search in one or more modules, returning a list of pointers :
0BADF00D    -n                     : Skip modules that start with a null byte. If this is too broad, use
0BADF00D                             option -cm nonull instead
0BADF00D    -o                     : Ignore OS modules
0BADF00D    -p <nr>                : Stop search after <nr> pointers.
0BADF00D    -m <module,module,...> : only query the given modules. Be sure what you are doing !
0BADF00D                             You can specify multiple modules (comma separated)
0BADF00D                             Tip : you can use -m *  to include all modules. All other module criteria will be ignored
0BADF00D                             Other wildcards : *blah.dll = ends with blah.dll, blah* = starts with blah,
0BADF00D                             blah or *blah* = contains blah
0BADF00D    -cm <crit,crit,...>    : Apply some additional criteria to the modules to query.
0BADF00D                             You can use one or more of the following criteria :
0BADF00D                             aslr,safeseh,rebase,nx,os
0BADF00D                             You can enable or disable a certain criterium by setting it to true or false
0BADF00D                             Example :  -cm aslr=true,safeseh=false
0BADF00D                             Suppose you want to search for p/p/r in aslr enabled modules, you could call
0BADF00D                             !mona seh -cm aslr
0BADF00D    -cp <crit,crit,...>    : Apply some criteria to the pointers to return
0BADF00D                             Available options are :
0BADF00D                             unicode,ascii,asciiprint,upper,lower,uppernum,lowernum,numeric,alphanum,nonull,startswithnull,unicoderev
0BADF00D                             Note : Multiple criteria will be evaluated using 'AND', except if you are looking for unicode + one crit
0BADF00D    -cpb '\x00\x01'        : Provide list with bad chars, applies to pointers
0BADF00D                             You can use .. to indicate a range of bytes (in between 2 bad chars)
0BADF00D    -x <access>            : Specify desired access level of the returning pointers. If not specified,
0BADF00D                             only executable pointers will be return.
0BADF00D                             Access levels can be one of the following values : R,W,X,RW,RX,WX,RWX or *

           Usage :
           -------

0BADF00D    !mona <command> <parameter>

           Available commands and parameters :

           ? / eval             | Evaluate an expression
           assemble / asm       | Convert instructions to opcode. Separate multiple instructions with #
           bpseh / sehbp        | Set a breakpoint on all current SEH Handler function pointers
           breakfunc / bf       | Set a breakpoint on an exported function in on or more dll's
           breakpoint / bp      | Set a memory breakpoint on read/write or execute of a given address
           bytearray / ba       | Creates a byte array, can be used to find bad characters
           calltrace / ct       | Log all CALL instructions
           compare / cmp        | Compare contents of a binary file with a copy in memory
           config / conf        | Manage configuration file (mona.ini)
           copy / cp            | Copy bytes from one location to another
           deferbp / bu         | Set a deferred breakpoint
           dump                 | Dump the specified range of memory to a file
           egghunter / egg      | Create egghunter code
           encode / enc         | Encode a series of bytes
           filecompare / fc     | Compares 2 or more files created by mona using the same output commands
           find / f             | Find bytes in memory
           findmsp / findmsf    | Find cyclic pattern in memory
           findwild / fw        | Find instructions in memory, accepts wildcards
           fwptr / fwp          | Find Writeable Pointers that get called
           geteat / eat         | Show EAT of selected module(s)
           getiat / iat         | Show IAT of selected module(s)
           getpc                | Show getpc routines for specific registers
           gflags / gf          | Show current GFlags settings from PEB.NtGlobalFlag
           header               | Read a binary file and convert content to a nice 'header' string
           heap                 | Show heap related information
           help                 | show help
           hidedebug / hd       | Attempt to hide the debugger
           info                 | Show information about a given address in the context of the loaded application
           infodump / if        | Dumps specific parts of memory to file
           jmp / j              | Find pointers that will allow you to jump to a register
           jop                  | Finds gadgets that can be used in a JOP exploit
           kb / kb              | Manage Knowledgebase data
           modules / mod        | Show all loaded modules and their properties
           noaslr               | Show modules that are not aslr or rebased
           nosafeseh            | Show modules that are not safeseh protected
           nosafesehaslr        | Show modules that are not safeseh protected, not aslr and not rebased
           offset               | Calculate the number of bytes between two addresses
           pageacl / pacl       | Show ACL associated with mapped pages
           pattern_create / pc  | Create a cyclic pattern of a given size
           pattern_offset / po  | Find location of 4 bytes in a cyclic pattern
           peb / peb            | Show location of the PEB
           rop                  | Finds gadgets that can be used in a ROP exploit and do ROP magic with them
           ropfunc              | Find pointers to pointers (IAT) to interesting functions that can be used in your ROP chain
           seh                  | Find pointers to assist with SEH overwrite exploits
           sehchain / exchain   | Show the current SEH chain
           skeleton             | Create a Metasploit module skeleton with a cyclic pattern for a given type of exploit
           stackpivot           | Finds stackpivots (move stackpointer to controlled area)
           stacks               | Show all stacks for all threads in the running application
           string / str         | Read or write a string from/to memory
           suggest              | Suggest an exploit buffer structure
           teb / teb            | Show TEB related information
           unicodealign / ua    | Generate venetian alignment code for unicode stack buffer overflow
           update / up          | Update mona to the latest version
0BADF00D
0BADF00D   Want more info about a given command ?  Run !mona help <command>
0BADF00D

Keeping mona.py up-to-date

Before using mona, I strongly recommend making sure you are running the latest version. If you are using the stable release, you won’t see updates that often (new version releases are often announced on twitter or Google+).

If you are using the trunk release of mona.py, you might want to update on a regular (daily) basis.

Updating is very simple. Make sure your device has access to redmine.corelan.be (https or http) and run

!mona up

By default, a connection is made to https://redmine.corelan.be. If, for whatever reason, you are unable to use https, you can use the -http switch to force the use of http:

!mona up -http

Starting from mona.py v1.1 you can switch between stable and trunk releases, by using the -t option.

So, if you are running trunk and you want to change to release, run

!mona up -t release

if you want to switch to the latest trunk version, run

!mona up -t trunk

Commands

assemble / asm

The “assemble” command allows you to convert one or more assembly instructions into opcode.

0BADF00D   Usage of command 'asm' :
0BADF00D   -------------------------
           Convert instructions to opcode. Separate multiple instructions with #.
           Mandatory argument : -s <instructions> : the sequence of instructions to assemble to opcode

For Example, we can get “jmp esp” opcode.

!mona assemble -s "jmp esp"
!mona asm -s "jmp esp"

0BADF00D
0BADF00D
0BADF00D   [+] This mona.py action took 0:00:00
0BADF00D   [+] Command used:
0BADF00D   !mona assemble -s "jmp esp"
0BADF00D   Opcode results :
0BADF00D   ----------------
0BADF00D    jmp esp = \xff\xe4
0BADF00D    Full opcode : \xff\xe4
0BADF00D
0BADF00D   [+] This mona.py action took 0:00:00.010000

bpseh / sehbp

Set a breakpoint on all current SEH Handler function pointers

!mona bpseh
!mona sehbp

breakfunc / bf

Set a breakpoint on an exported function in or more dll’s.

0BADF00D   Usage of command 'breakfunc' :
0BADF00D   -------------------------------
           Set a breakpoint on exported or imported function(s) of the selected modules.
           Mandatory argument :
               -t <type> : type of breakpoint action. Can be 'add', 'del' or 'list'
           Optional arguments :
               -f <function type> : set to 'import' or 'export' to read IAT or EAT. Default : export
               -s <func,func,func> : specify function names.
                                     If you want a bp on all functions, set -s to *
0BADF00D
0BADF00D
0BADF00D   [+] This mona.py action took 0:00:00

we can get all export or import functions, for example: 

!mona breakfunc -t list -f export -s *
!mona breakfunc -t list -f import -s *

we can do the same things with the commands:

!mona geteat
!mona getiat

breakpoint / bp

Set a memory breakpoint on read/write or execute of a given address.

0BADF00D   Usage of command 'breakpoint' :
0BADF00D   --------------------------------
           Set a breakpoint when a given address is read from, written to or executed
           Mandatory arguments :
               -a <address> : the address where to set the breakpoint
                          (absolute address / register / modulename!functionname)
               -t <type> : type of the breakpoint, can be READ, WRITE or SFX
0BADF00D
0BADF00D
0BADF00D   [+] This mona.py action took 0:00:00

set a READ breakpoint for demo.

0BADF00D   !mona breakpoint -a 0x00437869 -t READ
0BADF00D   Breakpoint set on READ of 0x00437869
0BADF00D
0BADF00D   [+] This mona.py action took 0:00:00.010000
00437869   [02:39:59] Memory breakpoint when executing [00437869]

What’s the different between READ breakpoint and WRITE or SFX breakpoint ?

bytearray / ba

The “bytearray” option was implemented to assist exploit developers when finding bad chars. It will produce an array with all bytes between \x00 and \xff (except for the ones that you excluded), and writes the array to 2 files.

  • a text file containging the array in ascii format (bytearray.txt)
  • a binary file containging the same array (bytearray.bin)

Optional arguments:

  • -cpb : exclude these bytes from the array.
  • -r: show the array in reverse (starting at \xff, end at \x00)

For example:

0BADF00D
0BADF00D
0BADF00D   [+] This mona.py action took 0:00:00
0BADF00D   [+] Command used:
0BADF00D   !mona bytearray
0BADF00D   Generating table, excluding 0 bad chars...
0BADF00D   Dumping table to file
0BADF00D   [+] Preparing output file 'bytearray.txt'
0BADF00D       - (Re)setting logfile C:\logs\RM2MP3Converter\bytearray.txt
           "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
           "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f"
           "\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
           "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"
           "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
           "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
           "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
           "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"

0BADF00D
0BADF00D   Done, wrote 256 bytes to file C:\logs\RM2MP3Converter\bytearray.txt
0BADF00D   Binary output saved in C:\logs\RM2MP3Converter\bytearray.bin
0BADF00D
0BADF00D   [+] This mona.py action took 0:00:00.030000

We believe finding bad chars is a mandatory step in the exploit writing process. Over the last few weeks and months, alot of people have asked use how to perform this task, so here are the steps to finding bad chars.

Let’s say your exploit structure (classic saved return pointer overwrite) looks like this:

[ 280 bytes of junk ] [ EIP ] [ 500 bytes (shellcode) ]

We should try to make the process as reliable and smooth as possible, so we’ll have to make sure we’re not messing with the essential part of the payload, which is the part that should allow us to keep control over EIP.

We’ll keep the first 280 bytes and the 4 bytes (saved return pointer) intact. If we would change those and the first 280 bytes contain bad chars, then we might not even be able to control EIP anymore, making it very hard to debug and find bad chars.

We have a number of bytes available after overwriting saved return pointer. So that is the perfect location to put our array. It will make sure that we can make the application crash in a reliable way, allowing us to set a breakpoint on EIP and then compare the array of bytes in memory with the original array of bytes.

Before creating & using the byte array, you should ask yourself “what kind of bytes are very likely going to be breaking the payload or altering the behaviour of the application”. If, for example, the buffer overflow gets triggered because of a string copy function, it’s very likely that a null byte will break the payload. A carriage return/line feed (\x0a\x0d) are common bytes that would change the way the payload is read & processed by the application as well, so in case of a string based overflow, you’ll probably discover that those are bad chars too.

So let’s start with excluding those 3 bytes from the array. (Of course, this is all based on assumptions. If you want to be sure, don’t exclude anything from the array yet).

!mona bytearray -cpb '\x00\x0a\x0d'

Open “bytearray.txt” and copy the array. Open your exploit and paste the array after overwriting EIP (so instead of the 500 bytes, put the array).

Then set the necessary breakpoints (at the pointer you will use to control EIP with in this case) and trigger the crash. Your breakpoint should be hit, and the byte array (or a portion of it) should be in memory somewhere.

The process of finding the bad chars is very simple. We can use another mona feature to read the original byte array from the binary file that was created, and compare those bytes with the array that is in memory at crash time.

Mona will then read the binary file, takes the first 8 bytes from the file, locates all instances of those 8 bytes in memory, and compare each of the bytes of the array with the bytes in memory, listing the ones that were not altered, and listing the ones that were changed/corrupted.

!mona compare -f bytearray.bin

At this point, there are 2 things you should check in the output of this command :

  • Find the location (probably on the stack in this example) where EIP would jump to. If you are building an exploit for a saved return pointer overwrite, you will most likely find your payload at ESP. Look at ESP (or the location where your payload is) and jot down that address. Open compare.txt, look for that address and you will get the list of bytes that were corrupted. Corruption can result in 2 types of behaviour : either the byte gets changed (other bytes are still fine), or all bytes after the bad char are different. Either way, unless you know what you are doing, only write down the first byte that was changed and add that byte to the list of bad chars. Then repeat the entire process (create bytearray, paste array into exploit, trigger crash, compare). So, if you discovery that for example \x59 is a bad char too, simply run the bytearray command again :

    !mona bytearray -cpb ‘\x00\x0a\x0d’

    Repeat the entire process and do another compare. If the resulting array was found at the right location, unmodified, then you have determined all bad chars. If not, just find the next bad char, exclude it from the array and try again. The process might be time consuming, and there may even be better ways to do this, but this technique works just fine.

  • Look at other locations where your array was found. Maybe one of those locations have a non-corrupted copy of the array, providing you with an alternative location to place your shellcode without having to bother about bad chars. All you would need to do is write some jumpcode (or egghunter) to jump to that location.

View the video online here or blog here.

compare

We already discussed the basic functionality of “compare” in the documentation of previous command.

0BADF00D
0BADF00D   Usage of command 'compare' :
0BADF00D   -----------------------------
           Compares contents of a binary file with locations in memory.
           Mandatory argument :
               -f <filename> : full path to binary file
           Optional argument :
               -a <address> : the exact address of the bytes in memory (address or register).
                              If you don't specify an address, I will try to locate the bytes in memory
                              by looking at the first 8 bytes.
               -s : skip locations that belong to a module
               -unicode : perform unicode search. Note: input should *not* be unicode, it will be expanded automatically
0BADF00D
0BADF00D
0BADF00D   [+] This mona.py action took 0:00:00

You can use this command to find bad chars (as explained earlier), but you can also use it to see if your shellcode got corrupted in memory.

You could, for example, write tag+tag+shellcode (egghunter egg) to a binary file and use the compare command to find the eggs and show if they got corrupted or not. If some of them do, others don’t, you’ll know if and how you have to tweak the start location of the hunter, or just use a checksum routine.

calltrace

Log all CALL instructions

0BADF00D
0BADF00D   Usage of command 'calltrace' :
0BADF00D   -------------------------------
           Logs all CALL instructions
           Mandatory arguments :
               -m module : specify what module to search for CALL instructions (global option)  
           Optional arguments :
               -a <number> : number of arguments to show for each CALL
               -r : also trace RETN instructions (will slow down process!)
0BADF00D
0BADF00D
0BADF00D   [+] This mona.py action took 0:00:00

config / conf

Manage configuration file (mona.ini).

0BADF00D   Usage of command 'config' :
0BADF00D   ----------------------------
           Change config of mona.py
           Available options are : -get <parameter>, -set <parameter> <value> or -add <parameter> <value_to_add>
           Valid parameters are : workingfolder, excluded_modules, author
0BADF00D
0BADF00D
0BADF00D   [+] This mona.py action took 0:00:00

Set our current work directory as follow:

!mona config -set workingfolder C:\logs\%p

copy / cp

Copy bytes from one location to another.

0BADF00D   Usage of command 'copy' :
0BADF00D   --------------------------
           Copies bytes from one location to another.

           Arguments:
               -src <address>    : The source address
               -dst <address>    : The destination address
               -n <number>       : The number of bytes to copy
0BADF00D
0BADF00D

we can copy 0x10 bytes from 0x00446000 to 0x00446010.

!mona copy -src 0x00446000 -dst 0x00446010 -n 0x10

deferbp / bu

Set a memory breakpoint on read/write or execute of a given address.

0BADF00D
0BADF00D   Usage of command 'deferbp' :
0BADF00D   -----------------------------
           Set a deferred breakpoint
           Mandatory arguments :
               -a <target>,<target>,...
               target can be an address, a modulename.functionname or module.dll+offset (hex value)
               Warning, modulename.functionname is case sensitive !

0BADF00D

dump

Dump the specified range of memory to a file

0BADF00D
0BADF00D   Usage of command 'dump' :
0BADF00D   --------------------------
           Dump the specified memory range to a file. Either the end address or the size of
           buffer needs to be specified.
           Mandatory arguments :
               -s <address> : start address
               -f <filename> : the name of the file where to write the bytes
           Optional arguments:
               -n <size> : the number of bytes to copy (size of the buffer)
               -e <address> : the end address of the copy
0BADF00D

we can dump 1000 bytes from 0x00437854. 

!mona dump -s 0x00437854 -f C:\logs\RM2MP3Converter\dump.bin -n 1000

egghunter

Create egghunter code.

0BADF00D
0BADF00D   Usage of command 'egghunter' :
0BADF00D   -------------------------------
           Creates an egghunter routine
           Optional arguments :
               -t : tag (ex: w00t). Default value is w00t
               -c : enable checksum routine. Only works in conjunction with parameter -f
               -f <filename> : file containing the shellcode
               -startreg <reg> : start searching at the address pointed by this reg
               -wow64 : generate wow64 egghunter. Default is traditional 32bit egghunter
           DEP Bypass options :
               -depmethod <method> : method can be "virtualprotect", "copy" or "copy_size"
               -depreg <reg> : sets the register that contains a pointer to the API function to bypass DEP.
                               By default this register is set to ESI
               -depsize <value> : sets the size for the dep bypass routine
               -depdest <reg> : this register points to the location of the egghunter itself.
                                When bypassing DEP, the egghunter is already marked as executable.
                                So when using the copy or copy_size methods, the DEP bypass in the egghunter
                                would do a "copy 2 self".  In order to be able to do so, it needs a register
                                where it can copy the shellcode to.
                                If you leave this empty, the code will contain a GetPC routine.
0BADF00D
0BADF00D

If you don’t specify a file containing shellcode, it will simply produce a regular egghunter routine. If you specify a filename, you’ll have the ability to use option -c, which will insert a checksum routine for the shellcode in the file. The checksum routine will only work for that particular shellcode (or any other shellcode with the same size, producing the same checksum value :) )

Using the various -dep* parameters, you can tell the egghunter routine to create code that will bypass DEP on the found egg, before running it. You can find more information about this technique here.

encode / enc

Encode a series of bytes.

0BADF00D
0BADF00D   Usage of command 'enc' :
0BADF00D   -------------------------
           Encode a series of bytes
           Arguments:
               -t <type>         : Type of encoder to use.  Allowed value(s) are alphanum
               -s <bytes>        : The bytes to encode (or use -f instead)
               -f <path to file> : The full path to the binary file that contains the bytes to encode
0BADF00D

filecompare / fc

Compares 2 or more files created by mona using the same output commands.

0BADF00D   Usage of command 'filecompare' :
0BADF00D   ---------------------------------
           Compares 2 or more files created by mona using the same output commands
           Make sure to use files that are created with the same version of mona and
           contain the output of the same mona command.
           Mandatory argument : -f "file1,file2,...filen"
           Put all filenames between one set of double quotes, and separate files with comma's.
           You can specify a foldername as well with -f, all files in the root of that folder will be part of the compare.
           Output will be written to filecompare.txt and filecompare_not.txt (not matching pointers)
           Optional parameters :
               -contains "INSTRUCTION"  (will only list if instruction is found)
               -nostrict (will also list pointer is instructions don't match in all files)
               -range <number> : find overlapping ranges for all pointers + range.
                                 When using -range, the -contains and -nostrict options will be ignored
               -ptronly : only show matching pointers (slightly faster). Doesn't work when 'range' is used
0BADF00D

For example:

!mona filecompare -f "C:\logs\RM2MP3Converter\pattern.txt.old","C:\logs\RM2MP3Converter\pattern.txt.old2"

find

The “find” command has improved a lot since its initial implementation in pvefindaddr. It’s faster, but above all it’s more flexible and has a shiney new “recursive” search feature.

0BADF00D   Usage of command 'find' :
0BADF00D   --------------------------
           Find a sequence of bytes in memory.
           Mandatory argument : -s <pattern> : the sequence to search for. If you specified type 'file', then use -s to specify the file.
           This file needs to be a file created with mona.py, containing pointers at the begin of each line.
           Optional arguments:
               -type <type>    : Type of pattern to search for : bin,asc,ptr,instr,file
               -b <address> : base/bottom address of the search range
               -t <address> : top address of the search range
               -c : skip consecutive pointers but show length of the pattern instead
               -p2p : show pointers to pointers to the pattern (might take a while !)
                      this setting equals setting -level to 1
               -level <number> : do recursive (p2p) searches, specify number of levels deep
                                 if you want to look for pointers to pointers, set level to 1
               -offset <number> : subtract a value from a pointer at a certain level
               -offsetlevel <number> : level to subtract a value from a pointer
               -r <number> : if p2p is used, you can tell the find to also find close pointers by specifying -r with a value.
                             This value indicates the number of bytes to step backwards for each search
               -unicode : used in conjunction with search type asc, this will convert the search pattern to unicode first
               -ptronly : Only show the pointers, skip showing info about the pointer (slightly faster)
0BADF00D

By default, “find” will look for all locations (accesslevel set to *). Furthermore, by default, it will search the entire memory space (including the memory space of modules that were excluded).

Example: Find all locations where the string “w00t” can be found:

!mona find -type asc -s "w00t"

Example: Find all executable locations that have a pointer to “jmp ecx”

!mona find -type instr -s "jmp ecx" -p2p

0BADF00D
0BADF00D   [+] This mona.py action took 0:00:00
0BADF00D   [+] Command used:
0BADF00D   !mona find -type instr -s "jmp esp" -b 018F0000 -t 1DBD000

           ---------- Mona command started on 2015-02-26 19:26:29 (v2.0, rev 554) ----------
0BADF00D   [+] Processing arguments and criteria
0BADF00D       - Pointer access level : *
0BADF00D       - Treating search pattern as instr
0BADF00D   [+] Searching from 0x018f0000 to 0x01dbd000
0BADF00D   [+] Preparing output file 'find.txt'
0BADF00D       - (Re)setting logfile C:\logs\RM2MP3Converter\find.txt
0BADF00D   [+] Generating module info table, hang on...
0BADF00D       - Processing modules
0BADF00D       - Done. Let's rock 'n roll.
0BADF00D   [+] Writing results to C:\logs\RM2MP3Converter\find.txt
0BADF00D       - Number of pointers of type '"jmp esp"' : 13
0BADF00D   [+] Results :
01AE023F     0x01ae023f (b+0x001f023f)  : "jmp esp" |  {PAGE_READONLY} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
01AFD3DB     0x01afd3db (b+0x0020d3db)  : "jmp esp" |  {PAGE_READONLY} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
01AAF23A     0x01aaf23a (b+0x001bf23a)  : "jmp esp" |  {PAGE_EXECUTE} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
01B1B22A     0x01b1b22a (b+0x0022b22a)  : "jmp esp" |  {PAGE_READWRITE} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
01B1B72D     0x01b1b72d (b+0x0022b72d)  : "jmp esp" |  {PAGE_READWRITE} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
01B1CD89     0x01b1cd89 (b+0x0022cd89)  : "jmp esp" |  {PAGE_READWRITE} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
01B25C9E     0x01b25c9e (b+0x00235c9e)  : "jmp esp" |  {PAGE_READWRITE} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
01B303D9     0x01b303d9 (b+0x002403d9)  : "jmp esp" |  {PAGE_READWRITE} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
01B31400     0x01b31400 (b+0x00241400)  : "jmp esp" | null {PAGE_READWRITE} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
01B3736D     0x01b3736d (b+0x0024736d)  : "jmp esp" |  {PAGE_READWRITE} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
01B3CE34     0x01b3ce34 (b+0x0024ce34)  : "jmp esp" |  {PAGE_READWRITE} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
01B40159     0x01b40159 (b+0x00250159)  : "jmp esp" |  {PAGE_READWRITE} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
01B42EC0     0x01b42ec0 (b+0x00252ec0)  : "jmp esp" |  {PAGE_READWRITE} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
0BADF00D       Found a total of 13 pointers
0BADF00D
0BADF00D   [+] This mona.py action took 0:00:01.252000

As we known, 0x01AAF23A is a good choice.

Example: Find All locations that have a pointer to any of the pointer in file c:\temp\seh.txt

!mona find -type file -s "c:\temp\seh.txt" -p2p

Example : let’s say you control ECX, and your payload is at ESP+4

This is the code that will give you control over EIP :

MOV EAX,DWORD PTR DS:[ECX]
CALL [EAX+58]

The idea is to retun to the payload at ESP+4 to initiate a rop chain.

Think about it. What kind of pointer would we need to put in ECX ?

Answer : We need a pointer to a pointer(2), where pointer(2) – 0x58 points to a pointer to ADD ESP,4/RET.

For sure you find one manually. If you have time.

In order to instruct mona to find all pointers, you’ll need 2 commands :

One to find all stackpivots of 4
One to find the ptr to ptr-0x58 to ptr to one of the stackpivots

Solution :

# first, get all stackpivots, save output to c:\logs\stackpivot.txt
!mona config -set workingfolder c:\logs
!mona stackpivot -distance 4,4

# read the file and find ptr to ptr-58 to each of the pointers
!mona find -type file -s "c:\logs\stackpivot.txt" -x *
  -offset 88 -level 2 -offsetlevel 2

So basically, we need to apply the offset to level 2. (which is “look for ptr to ptr to ptr” in this case, because we already read ptr to the instructions into stackpivot).

Before looking for a pointer to a pointer in that level, the offset will be subtracted from the target pointer first.

Hint : in order to debug this routine, you’ll have to set a breakpoint on reading [ECX]. Suppose you put 7a10b473 in ECX, then – prior to triggering the bug – set a breakpoint on reading that location :

!mona bp -t READ -a 0x7a10b473

findmsp

Find cyclic pattern in memory.

0BADF00D   Usage of command 'findmsp' :
0BADF00D   -----------------------------
           Finds begin of a cyclic pattern in memory, looks if one of the registers contains (is overwritten) with a cyclic pattern
           or points into a cyclic pattern. findmsp will also look if a SEH record is overwritten and finally,
           it will look for cyclic patterns on the stack, and pointers to cyclic pattern on the stack.
           Optional argument :
               -distance <value> : distance from ESP, applies to search on the stack. Default : search entire stack
           Note : you can use the same options as with pattern_create and pattern_offset in terms of defining the character set to use
0BADF00D

findwild

Find instructions in memory, accept wildcards.

0BADF00D
0BADF00D   Usage of command 'findwild' :
0BADF00D   ------------------------------
           Find instructions in memory, accepts wildcards :
           Mandatory arguments :
                   -s <instruction#instruction#instruction>  (separate instructions with #)
           Optional arguments :
                   -b <address> : base/bottom address of the search range
                   -t <address> : top address of the search range
                   -depth <nr>  : number of instructions to go deep
                   -all : show all instruction chains, even if it contains something that might break the chain 
                   -distance min=nr,max=nr : you can use a numeric offset wildcard (a single *) in the first instruction of the search
                   the distance parameter allows you to specify the range of the offset     
           Inside the instructions string, you can use the following wildcards :
                   * = any instruction
                   r32 = any register
           Example : pop r32#*#xor eax,eax#*#pop esi#ret

0BADF00D

Instructions are separated with #. You can use * to indicate that you want to allow any instruction(s). You can also use r32 to indicate that you want to allow any register.

Example : Search for a push (any register), later followed by pop eax, directly followed by inc eax, ending the chain with a retn :

!mona findwild -s "push r32#*#pop eax#inc eax#*#retn"

You can, of course, use any of the global options to finetune/limit the search.

Output will be written to findwild.txt.

fwptr / fp

Find Writeable Pointers that get called.

geteat ** / eat

Show EAT of selected module(s)

!mona eat
!mona eat -s "32"

getiat / iat

Show IAT of selected module(s)

!mona iat
!mona iat -s "32"

getpc

Show getpc routines for specific registers.

0BADF00D
0BADF00D   Usage of command 'getpc' :
0BADF00D   ---------------------------
           Find getpc routine for specific register
           Mandatory argument :
               -r : register (ex: eax)
0BADF00D
0BADF00D
0BADF00D   [+] This mona.py action took 0:00:00
0BADF00D   [+] Command used:
0BADF00D   !mona getpc -r eax
0BADF00D   [+] Preparing output file 'getpc.txt'
0BADF00D       - (Re)setting logfile C:\logs\RM2MP3Converter\getpc.txt

           eax|  jmp short back:
           "\xeb\x03\x58\xff\xd0\xe8\xf8\xff\xff\xff"
           eax|  call + 4:
           "\xe8\xff\xff\xff\xff\xc3\x58"
           eax|  fstenv:
           "\xd9\xeb\x9b\xd9\x74\x24\xf4\x58"

0BADF00D
0BADF00D   Wrote to file C:\logs\RM2MP3Converter\getpc.txt
0BADF00D

gflags / gf

Show current GFlags settings from PEB.NtGlobalFlag.

0BADF00D
0BADF00D   [+] This mona.py action took 0:00:01.072000
0BADF00D   [+] Command used:
0BADF00D   !mona gflags
0BADF00D   [+] NtGlobalFlag: 0x00000070
0BADF00D       0x00000040 : +hpc - Enable Heap Parameter Checking
0BADF00D       0x00000020 : +hfc - Enable Heap Free Checking
0BADF00D       0x00000010 : +htc - Enable Heap Tail Checking

header

Read a binary file and convert to a nice ‘header’ string.

!mona header -f "C:\Program Files\Easy RM to MP3 Converter\RM2MP3Converter.exe" -t python

heap

Show heap related information.

0BADF00D
0BADF00D   Usage of command 'heap' :
0BADF00D   --------------------------
           Show information about various heap chunk lists
           Mandatory arguments :
               -h <address> : base address of the heap to query
               -t <type> : where type is 'segments', 'chunks', 'layout',
                           'fea' (let mona determine the frontend allocator),
                           'lal' (force display of LAL FEA, only on XP/2003),
                           'lfh' (force display of LFH FEA (Vista/Win7/...)),
                           'bea' (backend allocator, mona will automatically determine what it is),
                           'all' (show all information)
               Note: 'layout' will show all heap chunks and their vtables & strings. Use on WinDBG for maximum results.
           Optional arguments :
               -expand : Works only in combination with 'layout', will include VA/LFH/... chunks in the search.
                         VA/LFH chunks may be very big, so this might slow down the search.
               -stat : show statistics (also works in combination with -h heap, -t segments or -t chunks
               -size <nr> : only show strings of at least the specified size. Works in combination with 'layout'
               -after <data> : only show current & next chunk layout entries when an entry contains this data
                               (Only works in combination with 'layout')
               -v : show data / write verbose info to the Log window
0BADF00D

help

show help

hidedebug / hd

Attempt to hide the debugger from the process.

info

Show information about a given address in the context of the loaded application.

0BADF00D   !mona info -a 0x00437854
0BADF00D   [+] Generating module info table, hang on...
0BADF00D       - Processing modules
0BADF00D       - Done. Let's rock 'n roll.
0BADF00D   [+] NtGlobalFlag: 0x00000070
0BADF00D       0x00000040 : +hpc - Enable Heap Parameter Checking
0BADF00D       0x00000020 : +hfc - Enable Heap Free Checking
0BADF00D       0x00000010 : +htc - Enable Heap Tail Checking
0BADF00D
0BADF00D   [+] Information about address 0x00437854
773D0000   Modules C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
0BADF00D       startnull,asciiprint,ascii,alphanum {PAGE_EXECUTE_READ}
0BADF00D       Address is part of page 0x00401000 - 0x0043c000
0BADF00D       Section : .text
0BADF00D       Address is part of a module:
0BADF00D       [RM2MP3Converter.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.7.3.700 (C:\Program Files\Easy RM to MP3 Converter\RM2MP3Converter.exe)
0BADF00D       Offset from module base: 0x37854
0BADF00D
0BADF00D   [+] Disassembly:
0BADF00D       Instruction at 00437854 : PUSH EBP
0BADF00D

infodump / if

Dumps contents of memory to file. Contents will include all pages that don’t belong to stack, heap or loaded modules.

Output will be written to infodump.xml

jmp / j

Find pointers that will allow you to a register.

!mona jmp -r esp

jop

Find gadgets that can be used in a JOP exploit.

kb

Manage Knowledgebase data.

0BADF00D
0BADF00D   Usage of command 'kb' :
0BADF00D   ------------------------
           Manage knowledgebase data
           Mandatory arguments:
               -<type> : type can be 'list', 'set' or 'del'
               To 'set' ( = add / update ) a KB entry, or 'del' an entry,
               you will need to specify 2 additional arguments:
                   -id <id> : the Knowledgebase ID
                   -value <value> : the value to add/update.  In case of lists, use a comma to separate entries.
               The -list parameter will show all current ID's
               To see the contents of a specific ID, use the -id <id> parameter.
0BADF00D

modules / mod

Show information about the loaded modules.

0BADF00D   !mona modules

           ---------- Mona command started on 2015-02-26 21:19:37 (v2.0, rev 554) ----------
0BADF00D   [+] Processing arguments and criteria
0BADF00D       - Pointer access level : X
0BADF00D   [+] Generating module info table, hang on...
0BADF00D       - Processing modules
0BADF00D       - Done. Let's rock 'n roll.
0BADF00D   ----------------------------------------------------------------------------------------------------------------------------------
0BADF00D    Module info :
0BADF00D   ----------------------------------------------------------------------------------------------------------------------------------
0BADF00D    Base       | Top        | Size       | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll | Version, Modulename & Path
0BADF00D   ----------------------------------------------------------------------------------------------------------------------------------
0BADF00D    0x76080000 | 0x760e5000 | 0x00065000 | False  | True    | False |  False   | True   | 6.02.3104.0 [MSVCP60.dll] (C:\WINDOWS\system32\MSVCP60.dll)
0BADF00D    0x02020000 | 0x02030000 | 0x00010000 | True   | False   | False |  False   | False  | -1.0- [MSRMfilter02.dll] (C:\Program Files\Easy RM to MP3 Converter\MSRMfilter02.dll)
0BADF00D    0x5b860000 | 0x5b8b5000 | 0x00055000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [NETAPI32.dll] (C:\WINDOWS\system32\NETAPI32.dll)
0BADF00D    0x7e1e0000 | 0x7e282000 | 0x000a2000 | False  | True    | False |  False   | True   | 6.00.2900.5512 [urlmon.dll] (C:\WINDOWS\system32\urlmon.dll)
0BADF00D    0x00400000 | 0x004be000 | 0x000be000 | False  | False   | False |  False   | False  | 2.7.3.700 [RM2MP3Converter.exe] (C:\Program Files\Easy RM to MP3 Converter\RM2MP3Converter.exe)
0BADF00D    0x77a80000 | 0x77b15000 | 0x00095000 | False  | True    | False |  False   | True   | 5.131.2600.5512 [CRYPT32.dll] (C:\WINDOWS\system32\CRYPT32.dll)
0BADF00D    0x76f20000 | 0x76f47000 | 0x00027000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [DNSAPI.dll] (C:\WINDOWS\system32\DNSAPI.dll)
0BADF00D    0x77c70000 | 0x77c94000 | 0x00024000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [msv1_0.dll] (C:\WINDOWS\system32\msv1_0.dll)
0BADF00D    0x77c10000 | 0x77c68000 | 0x00058000 | False  | True    | False |  False   | True   | 7.0.2600.5512 [msvcrt.dll] (C:\WINDOWS\system32\msvcrt.dll)
0BADF00D    0x7c900000 | 0x7c9af000 | 0x000af000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [ntdll.dll] (C:\WINDOWS\system32\ntdll.dll)
0BADF00D    0x01860000 | 0x018d1000 | 0x00071000 | True   | False   | False |  False   | False  | -1.0- [MSRMCcodec00.dll] (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec00.dll)
0BADF00D    0x71a90000 | 0x71a98000 | 0x00008000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [wshtcpip.dll] (C:\WINDOWS\System32\wshtcpip.dll)
0BADF00D    0x018f0000 | 0x01dbd000 | 0x004cd000 | True   | False   | False |  False   | False  | -1.0- [MSRMCcodec02.dll] (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
0BADF00D    0x01dc0000 | 0x01dd1000 | 0x00011000 | True   | True    | False |  False   | True   | 7.0.2600.5512 [MSVCIRT.dll] (C:\WINDOWS\system32\MSVCIRT.dll)
0BADF00D    0x00ab0000 | 0x00b4f000 | 0x0009f000 | True   | False   | False |  False   | False  | -1.0- [MSRMfilter01.dll] (C:\Program Files\Easy RM to MP3 Converter\MSRMfilter01.dll)
0BADF00D    0x02240000 | 0x02252000 | 0x00012000 | True   | False   | False |  False   | False  | -1.0- [MSLog.dll] (C:\Program Files\Easy RM to MP3 Converter\MSLog.dll)
0BADF00D    0x76fc0000 | 0x76fc6000 | 0x00006000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [rasadhlp.dll] (C:\WINDOWS\system32\rasadhlp.dll)
0BADF00D    0x10000000 | 0x10071000 | 0x00071000 | False  | False   | False |  False   | False  | -1.0- [MSRMfilter03.dll] (C:\Program Files\Easy RM to MP3 Converter\MSRMfilter03.dll)
0BADF00D    0x76ee0000 | 0x76f1c000 | 0x0003c000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [RASAPI32.DLL] (C:\WINDOWS\system32\RASAPI32.DLL)
0BADF00D    0x77fe0000 | 0x77ff1000 | 0x00011000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [Secur32.dll] (C:\WINDOWS\system32\Secur32.dll)
0BADF00D    0x71aa0000 | 0x71aa8000 | 0x00008000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [WS2HELP.dll] (C:\WINDOWS\system32\WS2HELP.dll)
0BADF00D    0x73dd0000 | 0x73ece000 | 0x000fe000 | False  | True    | False |  False   | True   | 6.02.4131.0 [MFC42.DLL] (C:\WINDOWS\system32\MFC42.DLL)
0BADF00D    0x774e0000 | 0x7761d000 | 0x0013d000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [ole32.dll] (C:\WINDOWS\system32\ole32.dll)
0BADF00D    0x77f60000 | 0x77fd6000 | 0x00076000 | False  | True    | False |  False   | True   | 6.00.2900.5512 [SHLWAPI.dll] (C:\WINDOWS\system32\SHLWAPI.dll)
0BADF00D    0x662b0000 | 0x66308000 | 0x00058000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [hnetcfg.dll] (C:\WINDOWS\system32\hnetcfg.dll)
0BADF00D    0x7e410000 | 0x7e4a1000 | 0x00091000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [USER32.dll] (C:\WINDOWS\system32\USER32.dll)
0BADF00D    0x763b0000 | 0x763f9000 | 0x00049000 | False  | True    | False |  False   | True   | 6.00.2900.5512 [comdlg32.dll] (C:\WINDOWS\system32\comdlg32.dll)
0BADF00D    0x71ad0000 | 0x71ad9000 | 0x00009000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [wsock32.dll] (C:\WINDOWS\system32\wsock32.dll)
0BADF00D    0x76e80000 | 0x76e8e000 | 0x0000e000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [rtutils.dll] (C:\WINDOWS\system32\rtutils.dll)
0BADF00D    0x01fe0000 | 0x01ffe000 | 0x0001e000 | True   | False   | False |  False   | True   | 1.0.1.8 [wmatimer.dll] (C:\WINDOWS\system32\wmatimer.dll)
0BADF00D    0x5ad70000 | 0x5ada8000 | 0x00038000 | False  | True    | False |  False   | True   | 6.00.2900.5512 [uxtheme.dll] (C:\WINDOWS\system32\uxtheme.dll)
0BADF00D    0x77120000 | 0x771ab000 | 0x0008b000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [OLEAUT32.dll] (C:\WINDOWS\system32\OLEAUT32.dll)
0BADF00D    0x722b0000 | 0x722b5000 | 0x00005000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [sensapi.dll] (C:\WINDOWS\system32\sensapi.dll)
0BADF00D    0x7c9c0000 | 0x7d1d7000 | 0x00817000 | False  | True    | False |  False   | True   | 6.00.2900.5512 [SHELL32.dll] (C:\WINDOWS\system32\SHELL32.dll)
0BADF00D    0x77e70000 | 0x77f02000 | 0x00092000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [RPCRT4.dll] (C:\WINDOWS\system32\RPCRT4.dll)
0BADF00D    0x77b20000 | 0x77b32000 | 0x00012000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [MSASN1.dll] (C:\WINDOWS\system32\MSASN1.dll)
0BADF00D    0x773d0000 | 0x774d3000 | 0x00103000 | False  | True    | False |  False   | True   | 6.0 [comctl32.dll] (C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll)
0BADF00D    0x769c0000 | 0x76a74000 | 0x000b4000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [USERENV.dll] (C:\WINDOWS\system32\USERENV.dll)
0BADF00D    0x76e90000 | 0x76ea2000 | 0x00012000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [rasman.dll] (C:\WINDOWS\system32\rasman.dll)
0BADF00D    0x771b0000 | 0x7725a000 | 0x000aa000 | False  | True    | False |  False   | True   | 6.00.2900.5512 [WININET.dll] (C:\WINDOWS\system32\WININET.dll)
0BADF00D    0x5d090000 | 0x5d12a000 | 0x0009a000 | False  | True    | False |  False   | True   | 5.82 [COMCTL32.dll] (C:\WINDOWS\system32\COMCTL32.dll)
0BADF00D    0x76d60000 | 0x76d79000 | 0x00019000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [iphlpapi.dll] (C:\WINDOWS\system32\iphlpapi.dll)
0BADF00D    0x71a50000 | 0x71a8f000 | 0x0003f000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [mswsock.dll] (C:\WINDOWS\System32\mswsock.dll)
0BADF00D    0x76b40000 | 0x76b6d000 | 0x0002d000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [WINMM.dll] (C:\WINDOWS\system32\WINMM.dll)
0BADF00D    0x7c800000 | 0x7c8f6000 | 0x000f6000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [kernel32.dll] (C:\WINDOWS\system32\kernel32.dll)
0BADF00D    0x77f10000 | 0x77f59000 | 0x00049000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [GDI32.dll] (C:\WINDOWS\system32\GDI32.dll)
0BADF00D    0x018e0000 | 0x018e7000 | 0x00007000 | True   | False   | False |  False   | False  | -1.0- [MSRMCcodec01.dll] (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec01.dll)
0BADF00D    0x73000000 | 0x73026000 | 0x00026000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [WINSPOOL.DRV] (C:\WINDOWS\system32\WINSPOOL.DRV)
0BADF00D    0x77c00000 | 0x77c08000 | 0x00008000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [VERSION.dll] (C:\WINDOWS\system32\VERSION.dll)
0BADF00D    0x77dd0000 | 0x77e6b000 | 0x0009b000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [ADVAPI32.dll] (C:\WINDOWS\system32\ADVAPI32.dll)
0BADF00D    0x71ab0000 | 0x71ac7000 | 0x00017000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [WS2_32.dll] (C:\WINDOWS\system32\WS2_32.dll)
0BADF00D    0x76eb0000 | 0x76edf000 | 0x0002f000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [TAPI32.dll] (C:\WINDOWS\system32\TAPI32.dll)
0BADF00D   ----------------------------------------------------------------------------------------------------------------------------------
0BADF00D

noaslr

Show modules that are not aslr or rebased

nosafeseh

Show modules that are not safeseh protected

nosafesehaslr

Show modules that are not safeseh protected, not aslr and not rebased.

offset

Calcalate the number og bytes between two addresses.

pageacl / pacl

Show ACL associated with mapped pages.

pattern_create / pc

Create a cyclic pattern of a given size.

0BADF00D   Usage of command 'pattern_create' :
0BADF00D   ------------------------------------
           Create a cyclic pattern of a given size. Output will be written to pattern.txt
           Mandatory argument : size (numberic value)
           Optional arguments :
               -js : output pattern in unicode escaped javascript format
               -extended : extend the 3rd characterset (numbers) with punctuation marks etc
               -c1 <chars> : set the first charset to this string of characters
               -c2 <chars> : set the second charset to this string of characters
               -c3 <chars> : set the third charset to this string of characters
0BADF00D

pattern_offset / po

Find location of 4 bytes in a cyclic pattern.

0BADF00D
0BADF00D   Usage of command 'pattern_offset' :
0BADF00D   ------------------------------------
           Find the location of 4 bytes in a cyclic pattern
           Mandatory argument : the 4 bytes to look for
           Note :  you can also specify a register
           Optional arguments :
               -extended : extend the 3rd characterset (numbers) with punctuation marks etc
               -c1 <chars> : set the first charset to this string of characters
               -c2 <chars> : set the second charset to this string of characters
               -c3 <chars> : set the third charset to this string of characters
           Note : the charset must match the charset that was used to create the pattern !

0BADF00D

For example:

!mona pattern_create 1000   # get a exception EIP address
!mona pattern_offset EIP    # return the offset

peb

Show location of the PEB

rop

Find gadgets that can be used in a ROP exploit and do ROP magic with them

ropfunc

Find pointers to pointers (IAT) to interesting functions that can be used in your rop chain.

seh

Find pointers to assist with SEH overwrite exploits.

sehchain / exchain

Show the current SEH chain

skeleton

Create a Metasploit module skeleton with a cyclic pattern for a given type of exploit.

stackpivot

Finds stackpivots (move stackpointer to controlled area)

stacks

Show all stacks for all threads in the running application.

string / str

Read or write a string from/to memory

suggest

Suggest an exploit buffer structure

0BADF00D   Usage of command 'suggest' :
0BADF00D   -----------------------------
           Suggests an exploit buffer structure based on pointers to a cyclic pattern
           Note : you can use the same options as with pattern_create and pattern_offset in terms of defining the character set to use
           Mandatory argument in case you are using WinDBG:
               -t <type:arg> : skeletontype. Valid types are :
                           tcpclient:port, udpclient:port, fileformat:extension
                           Examples : -t tcpclient:21
                                      -t fileformat:pdf
0BADF00D

Video here.

teb

Show TEB related information

unicodealign / ua

Generate venetian alignment code for unicode stack buffer overflow.

update / up

Update mona to the lastest version

!mona up -http

References

[1]. https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/

Nixawk
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
windbg安装mona.py插件
小强的博客
10-18 3805
不管是x86还是x64系统,最好安装一下vcredit.exe并且注册,文件下载链接点击打开链接:x86系统,x64系统,并且注册之 对于x86系统:    下载pykd.pyd、mona.py、windbglib.py文件,相关链接:https://github.com/corelan/windbglib/raw/master/pykd/pykd.zip、https://github.com
为windbg安装mona.py
Catch me if you can
04-22 6088
为windbg 安装mona 主要是提供下载链接,方便将来重新安装虚拟机。
exploit.py
07-04
exploit.py
python写exploit
weixin_33757911的博客
05-09 148
测试软件漏洞时,个人比较钟爱用python来完成exploit,简单,快速。也见过不少用perl来写的,我不喜欢。随便记录一些常用的方法。 python中有个概念叫模块,模块中包含了定义的函数,方便重用。使用模块的语句如下: import 模块名 struct模块有个很方便的函数,pack,格式如下: struct.pack(format,参数) ...
Brainpan(VulnHub)
最新发布
carmi的博客
04-14 1034
Brainpan 1、nmap 2、web渗透 随便看看 目录爆破 使用不同工具,不同字典进行爆破 9999端口分析 10000端口分析 字符串信息中,提示这个程序不能运行在DOS模式下,然后有32个A,还有一行关于复制字节到缓冲区的信息,还有一行比较奇怪的字符shitstorm,有可能会是密码,接下来就是之前浏览器看到的ascii图案。 3、常规的缓冲区溢出漏洞分析与...
windows-exploit-suggester.py
公众号shadow sock7
06-11 964
https://github.com/SecWiki/windows-kernel-exploits/tree/master/win-exp-suggester视频: https://www.youtube.com/watch?v=6naFH9MQHy8
getExploit:从exploit-db.com下载漏洞利用程序
05-25
如果要更新从exploit-db.com下载的数据库,请运行getExploit.py updatedb ,它将开始从网站下载最新的漏洞利用列表。搜索漏洞search命令使您可以在原始exploit-db的CSV文件的任何字段中搜索给定的模式。 搜索查询...
JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar
05-27
$ java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar [-C] [command] [-A] [address] where: -C - command executed in the remote classfile. (optional , default command is "open /Applications/...
JNDI-Injection-Exploit-1.0-SNAPSHOT-all.zip
12-12
标题"JNDI-Injection-Exploit-1.0-SNAPSHOT-all.zip"暗示了这是一个关于JNDI注入漏洞的exploit工具包,版本为1.0 SNAPSHOT,可能包含了多个利用示例或攻击代码。"all"可能表示该压缩包包含了所有相关的组件或测试...
https://www.exploit-db.com/下载POC比较完善的代码
12-21
CVE(Common Vulnerabilities and Exposures)是用于识别安全漏洞的唯一标识,通常与安全补丁或exploit(利用)相关联。下面将详细讨论这些知识点: 1. **自动化下载**: - 通过CVE编号自动化下载代码是一种常见的...
linux-exploit-suggester:Linux特权升级审核工具
04-22
LES:Linux特权升级审核工具快速下载: wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -O les.sh有关LES用法和内部工作方式的详细信息: ...
mona-master.zip
05-13
mona.py。这是由corelan team整合的一个可以自动构造Rop Chain而且集成了metasploit计算偏移量功能的强大挖洞辅助插件
mona最新all安装包
09-25
windbg插件mona包含官方原版最新all安装包,支持32位和64位安装,python版本2.7
ImmunityDebugger_mona_vulnserver_python
09-16
immunity debugger1.85 mona plugin for immunity debugger vulnserver is server python is used for executing the mona
mona.py直接就可以用
11-14
mona.py官网最新资源。 ### Immunity Debugger 1. drop mona.py into the 'PyCommands' folder (inside the Immunity Debugger application folder). 2. install Python 2.7.14 (or a higher 2.7.xx version) into c:\python27, thus overwriting the version that was bundled with Immunity. This is needed to avoid TLS issues when trying to update mona.
ImmunityDebugger1.85+mona.py
12-18
免疫调试器用于分析恶意软件,编写漏洞和反向工程二进制文件。该工具建立在一个坚实的用户界面,其中包括功能图表,它是业界首创的分析工具,仅用于构建堆,还有一个庞大且支持Python API的易于扩展性的分析工具。
Immunity Debugger、winDBG和Mona使用方法
Code1s
06-02 1482
请注意,如果不调试应用程序,Immunity 将返回以前调试的应用程序的名称。为了防止 mona 此时将文件写入应用程序文件夹,mona 还会检查调试应用的进程 ID。如果要自动执行此操作,可以创建 windbg.exe 的快捷方式,并使用 -c 参数指定在 windbg 启动时要执行的命令。此变量将替换为正在调试的应用程序的进程 ID。如果要从列表中删除模块,只需在免疫调试器程序文件夹中查找mona.ini并编辑该文件。此配置参数写入免疫调试器应用程序文件夹中名为“mona.ini”的文件中。
如何在Windbg中安装mona
唐风的风
11-18 4998
如何在Windbg中安装mona 01 问题描述 在Windows的Windbg中安装Mona 环境要求 检查是否安装了Windbg 检查是否安装Python2.x 1.Mona.py—放入Windbg.exe文件夹下 2.pykd.pyd—WinDbg的Python插件 3.windbglib.py—放入Windbg.exe文件夹下 02 解决步骤 2.1 安装和检查Python2.x环境并确保安装了Windbg 没装的安装好相关版本的python Win+R 输入cmd,输入pytho
Immunity Debugger中安装mona
唐风的风
11-19 3826
01 问题描述 如何在Immunity Debugger安装mona 1.1 背景 之前为了使用mona而在Windbg中进行配置.但是安装和配置过程相对繁琐了一些,今天刚知道了一个调试器Immunity Debugger,与其他调试器相比这个调试器支持很多Pyhthon的脚本,比较方便用于漏洞调试研究,号称漏洞调试的瑞士军刀,特别是mona的强大功能.而且安装也极其方便,特此记录一下. 1.2 所需资源 Immunity Debugger调试器 官网链接 mona.py 资源链接

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值