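This post extends the earlier article on extending WinDbg with Python scripts.
1. Environment setup
Place mona.py and windbglib.py in the WinDbg installation directory.
2. Run WinDbg and attach to the process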
1:006> .load pykd.pyd
1:006> !py mona
** Warning, no symbol path set ! **
I'll set the symbol path to srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Symbol path set, now reloading symbols...
All set. Please restart WinDBG.
Hold on...
[+] Command used:
!py mona.py
'mona' - Exploit Development Swiss Army Knife - WinDBG (32bit)
Plugin version : 2.0 r577
PyKD version 0.2.0.29
Written by Corelan - https://www.corelan.be
Project page : https://github.com/corelan/mona
|------------------------------------------------------------------|
| __ __ |
| _________ ________ / /___ _____ / /____ ____ _____ ___ |
| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |
| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |
| |
| https://www.corelan.be | https://www.corelan-training.com |
|------------------------------------------------------------------|
Global options :
----------------
You can use one or more of the following global options on any command that will perform
a search in one or more modules, returning a list of pointers :
-n : Skip modules that start with a null byte. If this is too broad, use
option -cp nonull instead
-o : Ignore OS modules
-p <nr> : Stop search after <nr> pointers.
-m <module,module,...> : only query the given modules. Be sure what you are doing !
You can specify multiple modules (comma separated)
Tip : you can use -m * to include all modules. All other module criteria will be ignored
Other wildcards : *blah.dll = ends with blah.dll, blah* = starts with blah,
blah or *blah* = contains blah
-cm <crit,crit,...> : Apply some additional criteria to the modules to query.
You can use one or more of the following criteria :
aslr,safeseh,rebase,nx,os
You can enable or disable a certain criterium by setting it to true or false
Example : -cm aslr=true,safeseh=false
Suppose you want to search for p/p/r in aslr enabled modules, you could call
!mona seh -cm aslr
-cp <crit,crit,...> : Apply some criteria to the pointers to return
Available options are :
unicode,ascii,asciiprint,upper,lower,uppernum,lowernum,numeric,alphanum,nonull,startswithnull,unicoderev
Note : Multiple criteria will be evaluated using 'AND', except if you are looking for unicode + one crit
-cpb '\x00\x01' : Provide list with bad chars, applies to pointers
You can use .. to indicate a range of bytes (in between 2 bad chars)
-x <access> : Specify desired access level of the returning pointers. If not specified,
only executable pointers will be returned.
Access levels can be one of the following values : R,W,X,RW,RX,WX,RWX or *
Usage :
-------
!mona <command> <parameter>
Available commands and parameters :
? / eval | Evaluate an expression
allocmem / alloc | Allocate some memory in the process
assemble / asm | Convert instructions to opcode. Separate multiple instructions with #
bpseh / sehbp | Set a breakpoint on all current SEH Handler function pointers
breakfunc / bf | Set a breakpoint on an exported function in on or more dll's
breakpoint / bp | Set a memory breakpoint on read/write or execute of a given address
bytearray / ba | Creates a byte array, can be used to find bad characters
changeacl / ca | Change the ACL of a given page
compare / cmp | Compare contents of a binary file with a copy in memory
config / conf | Manage configuration file (mona.ini)
copy / cp | Copy bytes from one location to another
dump | Dump the specified range of memory to a file
dumplog / dl | Dump objects present in alloc/free log file
dumpobj / do | Dump the contents of an object
egghunter / egg | Create egghunter code
encode / enc | Encode a series of bytes
filecompare / fc | Compares 2 or more files created by mona using the same output commands
fillchunk / fchunk | Fill a heap chunk referenced by a register
find / f | Find bytes in memory
findmsp / findmsf | Find cyclic pattern in memory
findwild / fw | Find instructions in memory, accepts wildcards
flow / flw | Simulate execution flows, including all branch combinations
fwptr / fwp | Find Writeable Pointers that get called
geteat / eat | Show EAT of selected module(s)
getiat / iat | Show IAT of selected module(s)
getpc | Show getpc routines for specific registers
gflags / gf | Show current GFlags settings from PEB.NtGlobalFlag
header | Read a binary file and convert content to a nice 'header' string
heap | Show heap related information
help | show help
hidedebug / hd | Attempt to hide the debugger
info | Show information about a given address in the context of the loaded application
infodump / if | Dumps specific parts of memory to file
jmp / j | Find pointers that will allow you to jump to a register
jop | Finds gadgets that can be used in a JOP exploit
kb / kb | Manage Knowledgebase data
modules / mod | Show all loaded modules and their properties
noaslr | Show modules that are not aslr or rebased
nosafeseh | Show modules that are not safeseh protected
nosafesehaslr | Show modules that are not safeseh protected, not aslr and not rebased
offset | Calculate the number of bytes between two addresses
pageacl / pacl | Show ACL associated with mapped pages
pattern_create / pc | Create a cyclic pattern of a given size
pattern_offset / po | Find location of 4 bytes in a cyclic pattern
peb / peb | Show location of the PEB
rop | Finds gadgets that can be used in a ROP exploit and do ROP magic with them
ropfunc | Find pointers to pointers (IAT) to interesting functions that can be used in your ROP chain
seh | Find pointers to assist with SEH overwrite exploits
sehchain / exchain | Show the current SEH chain
skeleton | Create a Metasploit module skeleton with a cyclic pattern for a given type of exploit
stackpivot | Finds stackpivots (move stackpointer to controlled area)
stacks | Show all stacks for all threads in the running application
string / str | Read or write a string from/to memory
suggest | Suggest an exploit buffer structure
teb / teb | Show TEB related information
tobp / 2bp | Generate WinDBG syntax to create a logging breakpoint at given location
unicodealign / ua | Generate venetian alignment code for unicode stack buffer overflow
update / up | Update mona to the latest version
Want more info about a given command ? Run !mona help
After that, mona is ready to use. For example, to see which modules do not have SafeSEH or ASLR enabled:
1:006> !py mona mod
Hold on...
[+] Command used:
!py mona.py mod
---------- Mona command started on 2017-09-21 23:49:26 (v2.0, rev 577) ----------
[+] Processing arguments and criteria
- Pointer access level : X
[+] Generating module info table, hang on...
- Processing modules
- Done. Let's rock 'n roll.
-----------------------------------------------------------------------------------------------------------------------------------------
Module info :
-----------------------------------------------------------------------------------------------------------------------------------------
Base | Top | Size | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Version, Modulename & Path
-----------------------------------------------------------------------------------------------------------------------------------------
0x731b0000 | 0x73340000 | 0x00190000 | False | True | True | True | True | 6.1.7601.17514 [gdiplus.dll] (C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll)
0x76800000 | 0x76910000 | 0x00110000 | False | True | True | True | True | 6.1.7601.17514 [kernel32.dll] (C:\Windows\syswow64\kernel32.dll)
0x75470000 | 0x754f0000 | 0x00080000 | False | True | True | True | True | 6.1.7600.16385 [UxTheme.dll] (c:\windows\SysWOW64\UxTheme.dll)
0x755d0000 | 0x755dc000 | 0x0000c000 | False | True | True | True | True | 6.1.7600.16385 [CRYPTBASE.dll] (C:\Windows\syswow64\CRYPTBASE.dll)
0x77a80000 | 0x77c00000 | 0x00180000 | False | True | True | True | True | 6.1.7601.17514 [ntdll.dll] (ntdll.dll)
0x77660000 | 0x77679000 | 0x00019000 | False | True | True | True | True | 6.1.7600.16385 [sechost.dll] (C:\Windows\SysWOW64\sechost.dll)
0x767e0000 | 0x767ea000 | 0x0000a000 | False | True | True | True | True | 6.1.7600.16385 [LPK.dll] (C:\Windows\syswow64\LPK.dll)
0x007b0000 | 0x00870000 | 0x000c0000 | False | True | True | True | False | 6.1.7601.17514 [calc.exe] (calc.exe)
0x772d0000 | 0x7736d000 | 0x0009d000 | False | True | True | True | True | 1.626.7601.17514 [USP10.dll] (C:\Windows\syswow64\USP10.dll)
0x755e0000 | 0x75640000 | 0x00060000 | False | True | True | True | True | 6.1.7601.17514 [SspiCli.dll] (C:\Windows\syswow64\SspiCli.dll)
0x76d20000 | 0x76e7c000 | 0x0015c000 | False | True | True | True | True | 6.1.7601.17514 [ole32.dll] (C:\Windows\syswow64\ole32.dll)
0x77090000 | 0x770e7000 | 0x00057000 | False | True | True | True | True | 6.1.7601.17514 [SHLWAPI.dll] (C:\Windows\syswow64\SHLWAPI.dll)
0x76ab0000 | 0x76bb0000 | 0x00100000 | False | True | True | True | True | 6.1.7601.17514 [USER32.dll] (C:\Windows\syswow64\USER32.dll)
0x77370000 | 0x773ff000 | 0x0008f000 | False | True | True | True | True | 6.1.7601.17514 [OLEAUT32.dll] (C:\Windows\syswow64\OLEAUT32.dll)
0x75790000 | 0x763da000 | 0x00c4a000 | False | True | True | True | True | 6.1.7601.17514 [SHELL32.dll] (C:\Windows\syswow64\SHELL32.dll)
0x76430000 | 0x76520000 | 0x000f0000 | False | True | True | True | True | 6.1.7601.17514 [RPCRT4.dll] (C:\Windows\syswow64\RPCRT4.dll)
0x744e0000 | 0x7467e000 | 0x0019e000 | False | True | True | True | True | 6.10.7601.17514 [COMCTL32.dll] (C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\COMCTL32.dll)
0x75640000 | 0x75686000 | 0x00046000 | False | True | True | True | True | 6.1.7601.17514 [KERNELBASE.dll] (C:\Windows\syswow64\KERNELBASE.dll)
0x75340000 | 0x75349000 | 0x00009000 | False | True | True | True | True | 6.1.7600.16385 [VERSION.dll] (c:\windows\SysWOW64\VERSION.dll)
0x74ff0000 | 0x75022000 | 0x00032000 | False | True | True | True | True | 6.1.7601.17514 [WINMM.dll] (c:\windows\SysWOW64\WINMM.dll)
0x775d0000 | 0x77660000 | 0x00090000 | False | True | True | True | True | 6.1.7601.17514 [GDI32.dll] (C:\Windows\syswow64\GDI32.dll)
0x76e80000 | 0x76f2c000 | 0x000ac000 | False | True | True | True | True | 7.0.7600.16385 [msvcrt.dll] (C:\Windows\syswow64\msvcrt.dll)
0x77180000 | 0x77220000 | 0x000a0000 | False | True | True | True | True | 6.1.7601.17514 [ADVAPI32.dll] (C:\Windows\syswow64\ADVAPI32.dll)
-----------------------------------------------------------------------------------------------------------------------------------------
[+] This mona.py action took 0:00:00.203000
Unfortunately, every module has them enabled.
Let the process load some more DLLs and try again:
0:013> !py mona mod
Hold on...
[+] Command used:
!py mona.py mod
---------- Mona command started on 2017-09-21 23:52:18 (v2.0, rev 577) ----------
[+] Processing arguments and criteria
- Pointer access level : X
[+] Generating module info table, hang on...
- Processing modules
- Done. Let's rock 'n roll.
-----------------------------------------------------------------------------------------------------------------------------------------
Module info :
-----------------------------------------------------------------------------------------------------------------------------------------
Base | Top | Size | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Version, Modulename & Path
-----------------------------------------------------------------------------------------------------------------------------------------
0x7c340000 | 0x7c396000 | 0x00056000 | False | False | False | False | False | 7.10.3052.4 [MSVCR71.dll] (C:\Program Files (x86)\Java\jre6\bin\MSVCR71.dll)
0x71650000 | 0x720d0000 | 0x00a80000 | False | True | True | True | True | 8.0.7601.17514 [IEFRAME.dll] (C:\Windows\system32\IEFRAME.dll)
0x731b0000 | 0x73340000 | 0x00190000 | False | True | True | True | True | 6.1.7601.17514 [gdiplus.dll] (C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll)
0x6d430000 | 0x6d43d000 | 0x0000d000 | False | False | False | False | False | 6.0.370.6 [jp2ssv.dll] (C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll)
0x77490000 | 0x775c6000 | 0x00136000 | False | True | True | True | True | 8.0.7601.17514 [urlmon.dll] (C:\Windows\syswow64\urlmon.dll)
0x74ba0000 | 0x74bbc000 | 0x0001c000 | False | True | True | True | True | 6.1.7601.17514 [iphlpapi.DLL] (C:\Windows\system32\iphlpapi.DLL)
0x736f0000 | 0x73ca7000 | 0x005b7000 | False | True | True | True | True | 8.0.7601.17514 [mshtml.dll] (C:\Windows\SysWOW64\mshtml.dll)
0x73cb0000 | 0x73cfc000 | 0x0004c000 | False | True | True | True | True | 6.1.7601.17514 [apphelp.dll] (C:\Windows\system32\apphelp.dll)
0x76bf0000 | 0x76d0d000 | 0x0011d000 | False | True | True | True | True | 6.1.7601.17514 [CRYPT32.dll] (C:\Windows\syswow64\CRYPT32.dll)
0x76bb0000 | 0x76bbc000 | 0x0000c000 | False | True | True | True | True | 6.1.7601.17514 [MSASN1.dll] (C:\Windows\syswow64\MSASN1.dll)
0x6d730000 | 0x6d77f000 | 0x0004f000 | False | False | False | False | False | 6.0.370.6 [ssv.dll] (C:\Program Files (x86)\Java\jre6\bin\ssv.dll)
0x76800000 | 0x76910000 | 0x00110000 | False | True | True | True | True | 6.1.7601.17514 [kernel32.dll] (C:\Windows\syswow64\kernel32.dll)
0x76e80000 | 0x76f2c000 | 0x000ac000 | False | True | True | True | True | 7.0.7600.16385 [msvcrt.dll] (C:\Windows\syswow64\msvcrt.dll)
0x755d0000 | 0x755dc000 | 0x0000c000 | False | True | True | True | True | 6.1.7600.16385 [CRYPTBASE.dll] (C:\Windows\syswow64\CRYPTBASE.dll)
0x75070000 | 0x7509a000 | 0x0002a000 | False | True | True | True | True | 3.10.349.0 [msls31.dll] (C:\Windows\SysWOW64\msls31.dll)
0x75350000 | 0x75363000 | 0x00013000 | False | True | True | True | True | 6.1.7600.16385 [dwmapi.dll] (C:\Windows\system32\dwmapi.dll)
0x77a80000 | 0x77c00000 | 0x00180000 | False | True | True | True | True | 6.1.7601.17514 [ntdll.dll] (C:\Windows\SysWOW64\ntdll.dll)
0x74920000 | 0x7494b000 | 0x0002b000 | False | True | True | True | False | 8.0.7601.17514 [ieproxy.dll] (C:\Program Files (x86)\Internet Explorer\ieproxy.dll)
0x77660000 | 0x77679000 | 0x00019000 | False | True | True | True | True | 6.1.7600.16385 [sechost.dll] (C:\Windows\SysWOW64\sechost.dll)
0x74c10000 | 0x74c4c000 | 0x0003c000 | False | True | True | True | True | 7.0.0.0 [OLEACC.dll] (C:\Windows\system32\OLEACC.dll)
0x74cc0000 | 0x74ccb000 | 0x0000b000 | False | True | True | True | True | 8.0.7601.17514 [ImgUtil.dll] (C:\Windows\system32\ImgUtil.dll)
0x767e0000 | 0x767ea000 | 0x0000a000 | False | True | True | True | True | 6.1.7600.16385 [LPK.dll] (C:\Windows\syswow64\LPK.dll)
0x76520000 | 0x7671b000 | 0x001fb000 | False | True | True | True | True | 8.0.7601.17514 [iertutil.dll] (C:\Windows\syswow64\iertutil.dll)
0x772d0000 | 0x7736d000 | 0x0009d000 | False | True | True | True | True | 1.626.7601.17514 [USP10.dll] (C:\Windows\syswow64\USP10.dll)
0x75690000 | 0x75785000 | 0x000f5000 | False | True | True | True | True | 8.0.7601.17514 [WININET.dll] (C:\Windows\syswow64\WININET.dll)
0x75330000 | 0x75337000 | 0x00007000 | False | True | True | True | True | 6.1.7600.16385 [WINNSI.DLL] (C:\Windows\system32\WINNSI.DLL)
0x755e0000 | 0x75640000 | 0x00060000 | False | True | True | True | True | 6.1.7601.17514 [SspiCli.dll] (C:\Windows\syswow64\SspiCli.dll)
0x77a50000 | 0x77a55000 | 0x00005000 | False | True | True | True | True | 6.1.7600.16385 [PSAPI.DLL] (C:\Windows\syswow64\PSAPI.DLL)
0x76760000 | 0x76772000 | 0x00012000 | False | True | True | True | True | 6.1.7600.16385 [DEVOBJ.dll] (C:\Windows\syswow64\DEVOBJ.dll)
0x76d20000 | 0x76e7c000 | 0x0015c000 | False | True | True | True | True | 6.1.7601.17514 [ole32.dll] (C:\Windows\syswow64\ole32.dll)
0x77090000 | 0x770e7000 | 0x00057000 | False | True | True | True | True | 6.1.7601.17514 [SHLWAPI.dll] (C:\Windows\syswow64\SHLWAPI.dll)
0x74b10000 | 0x74b26000 | 0x00016000 | False | True | True | True | True | 6.1.7600.16385 [CRYPTSP.dll] (C:\Windows\system32\CRYPTSP.dll)
0x76ab0000 | 0x76bb0000 | 0x00100000 | False | True | True | True | True | 6.1.7601.17514 [USER32.dll] (C:\Windows\syswow64\USER32.dll)
0x74d30000 | 0x74d60000 | 0x00030000 | False | True | True | True | True | 8.0.7601.17514 [iepeers.dll] (C:\Windows\SysWOW64\iepeers.dll)
0x77430000 | 0x77490000 | 0x00060000 | False | True | True | True | True | 6.1.7601.17514 [IMM32.DLL] (C:\Windows\system32\IMM32.DLL)
0x77220000 | 0x7729b000 | 0x0007b000 | False | True | True | True | True | 6.1.7601.17514 [comdlg32.dll] (C:\Windows\syswow64\comdlg32.dll)
0x75180000 | 0x751ae000 | 0x0002e000 | False | True | True | True | True | 6.1.7600.16385 [MLANG.dll] (C:\Windows\system32\MLANG.dll)
0x74340000 | 0x743f2000 | 0x000b2000 | False | True | True | True | True | 5.8.7601.17514 [jscript.dll] (C:\Windows\SysWOW64\jscript.dll)
0x74ad0000 | 0x74b0b000 | 0x0003b000 | False | True | True | True | True | 6.1.7600.16385 [rsaenh.dll] (C:\Windows\system32\rsaenh.dll)
0x73f90000 | 0x74085000 | 0x000f5000 | False | True | True | True | True | 7.0.7601.17514 [propsys.dll] (C:\Windows\system32\propsys.dll)
0x751b0000 | 0x751d1000 | 0x00021000 | False | True | True | True | True | 6.1.7600.16385 [ntmarta.dll] (C:\Windows\system32\ntmarta.dll)
0x74e10000 | 0x74f0b000 | 0x000fb000 | False | True | True | True | True | 6.1.7601.17514 [windowscodecs.dll] (C:\Windows\SysWOW64\windowscodecs.dll)
0x75470000 | 0x754f0000 | 0x00080000 | False | True | True | True | True | 6.1.7600.16385 [uxtheme.dll] (C:\Windows\system32\uxtheme.dll)
0x75170000 | 0x7517b000 | 0x0000b000 | False | True | True | True | True | 6.1.7600.16385 [msimtf.dll] (C:\Windows\system32\msimtf.dll)
0x77370000 | 0x773ff000 | 0x0008f000 | False | True | True | True | True | 6.1.7601.17514 [OLEAUT32.dll] (C:\Windows\syswow64\OLEAUT32.dll)
0x751e0000 | 0x751eb000 | 0x0000b000 | False | True | True | True | True | 6.1.7600.16385 [profapi.dll] (C:\Windows\system32\profapi.dll)
0x75790000 | 0x763da000 | 0x00c4a000 | False | True | True | True | True | 6.1.7601.17514 [SHELL32.dll] (C:\Windows\syswow64\SHELL32.dll)
0x76430000 | 0x76520000 | 0x000f0000 | False | True | True | True | True | 6.1.7601.17514 [RPCRT4.dll] (C:\Windows\syswow64\RPCRT4.dll)
0x76720000 | 0x76755000 | 0x00035000 | False | True | True | True | True | 6.1.7601.17514 [ws2_32.DLL] (C:\Windows\syswow64\ws2_32.DLL)
0x76f30000 | 0x76fb3000 | 0x00083000 | False | True | True | True | True | 2001.12.8530.16385 [CLBCatQ.DLL] (C:\Windows\syswow64\CLBCatQ.DLL)
0x744e0000 | 0x7467e000 | 0x0019e000 | False | True | True | True | True | 6.10.7601.17514 [comctl32.dll] (C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll)
0x744e0000 | 0x7467e000 | 0x0019e000 | False | True | True | True | True | 6.10.7601.17514 [COMCTL32.dll] (C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll)
0x76d10000 | 0x76d13000 | 0x00003000 | False | True | True | True | True | 6.1.7600.16385 [Normaliz.dll] (C:\Windows\syswow64\Normaliz.dll)
0x767f0000 | 0x767f6000 | 0x00006000 | False | True | True | True | True | 6.1.7600.16385 [NSI.dll] (C:\Windows\syswow64\NSI.dll)
0x763e0000 | 0x76425000 | 0x00045000 | False | True | True | True | True | 6.1.7601.17514 [WLDAP32.dll] (C:\Windows\syswow64\WLDAP32.dll)
0x76fc0000 | 0x7708c000 | 0x000cc000 | False | True | True | True | True | 6.1.7600.16385 [MSCTF.dll] (C:\Windows\syswow64\MSCTF.dll)
0x75640000 | 0x75686000 | 0x00046000 | False | True | True | True | True | 6.1.7601.17514 [KERNELBASE.dll] (C:\Windows\syswow64\KERNELBASE.dll)
0x73f30000 | 0x73f8f000 | 0x0005f000 | False | True | True | True | True | 6.1.7601.17514 [SXS.DLL] (C:\Windows\system32\SXS.DLL)
0x74ac0000 | 0x74ace000 | 0x0000e000 | False | True | True | True | True | 6.1.7601.17514 [RpcRtRemote.dll] (C:\Windows\system32\RpcRtRemote.dll)
0x772a0000 | 0x772c7000 | 0x00027000 | False | True | True | True | True | 6.1.7601.17514 [CFGMGR32.dll] (C:\Windows\syswow64\CFGMGR32.dll)
0x775d0000 | 0x77660000 | 0x00090000 | False | True | True | True | True | 6.1.7601.17514 [GDI32.dll] (C:\Windows\syswow64\GDI32.dll)
0x74bc0000 | 0x74c04000 | 0x00044000 | False | True | True | True | True | 6.1.7601.17514 [dnsapi.DLL] (C:\Windows\system32\dnsapi.DLL)
0x00f20000 | 0x00fc6000 | 0x000a6000 | False | True | True | False | False | 8.0.7601.17514 [iexplore.exe] (C:\Program Files (x86)\Internet Explorer\iexplore.exe)
0x74cd0000 | 0x74d21000 | 0x00051000 | False | True | True | True | True | 6.1.7601.17514 [WINSPOOL.DRV] (C:\Windows\SysWOW64\WINSPOOL.DRV)
0x75340000 | 0x75349000 | 0x00009000 | False | True | True | True | True | 6.1.7600.16385 [VERSION.dll] (C:\Windows\system32\VERSION.dll)
0x77180000 | 0x77220000 | 0x000a0000 | False | True | True | True | True | 6.1.7601.17514 [ADVAPI32.dll] (C:\Windows\syswow64\ADVAPI32.dll)
0x76910000 | 0x76aad000 | 0x0019d000 | False | True | True | True | True | 6.1.7601.17514 [SETUPAPI.dll] (C:\Windows\syswow64\SETUPAPI.dll)
0x75130000 | 0x75165000 | 0x00035000 | False | True | True | True | False | 8.0.7601.17514 [IEShims.dll] (C:\Program Files (x86)\Internet Explorer\IEShims.dll)
0x74f30000 | 0x74f3e000 | 0x0000e000 | False | True | True | True | True | 8.0.7600.16385 [pngfilt.dll] (C:\Windows\SysWOW64\pngfilt.dll)
-----------------------------------------------------------------------------------------------------------------------------------------
[+] This mona.py action took 0:00:00.468000
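Now there are some! MSVCR71.dll, jp2ssv.dll and ssv.dll, all loaded from the Java jre6 directory, show False for SafeSEH, ASLR and NXCompat.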
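Reading a table this long by eye is error-prone, so the following added example (not part of the original post or of mona itself) parses saved "!py mona mod" output and reports each module that has SafeSEH, ASLR or NXCompat turned off. The function names parse_modules and missing_mitigations are hypothetical; the sample rows are copied from the second table above.

```python
import re

# Rows copied from the second "!py mona mod" table above (sample input).
SAMPLE = r"""
Base | Top | Size | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Version, Modulename & Path
-----------------------------------------------------------------------
0x7c340000 | 0x7c396000 | 0x00056000 | False | False | False | False | False | 7.10.3052.4 [MSVCR71.dll] (C:\Program Files (x86)\Java\jre6\bin\MSVCR71.dll)
0x71650000 | 0x720d0000 | 0x00a80000 | False | True | True | True | True | 8.0.7601.17514 [IEFRAME.dll] (C:\Windows\system32\IEFRAME.dll)
0x6d430000 | 0x6d43d000 | 0x0000d000 | False | False | False | False | False | 6.0.370.6 [jp2ssv.dll] (C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll)
0x6d730000 | 0x6d77f000 | 0x0004f000 | False | False | False | False | False | 6.0.370.6 [ssv.dll] (C:\Program Files (x86)\Java\jre6\bin\ssv.dll)
0x76800000 | 0x76910000 | 0x00110000 | False | True | True | True | True | 6.1.7601.17514 [kernel32.dll] (C:\Windows\syswow64\kernel32.dll)
0x00f20000 | 0x00fc6000 | 0x000a6000 | False | True | True | False | False | 8.0.7601.17514 [iexplore.exe] (C:\Program Files (x86)\Internet Explorer\iexplore.exe)
[+] This mona.py action took 0:00:00.468000
"""

COLUMNS = ("Rebase", "SafeSEH", "ASLR", "NXCompat", "OS Dll")
MITIGATIONS = ("SafeSEH", "ASLR", "NXCompat")
# Last column: "<version> [<module name>] (<path>)"; the path may contain parentheses.
TAIL = re.compile(r"^(\S+)\s+\[([^\]]+)\]\s+\((.*)\)$")


def parse_modules(text):
    """Parse data rows of a mona module table into dicts, one per loaded module."""
    modules, seen = [], set()
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|", 8)]
        # Data rows have 9 columns and start with a hex base address;
        # headers, separators and status lines are skipped.
        if len(cols) != 9 or not re.fullmatch(r"0x[0-9a-fA-F]{8}", cols[0]):
            continue
        tail = TAIL.match(cols[8])
        if not tail or any(f not in ("True", "False") for f in cols[3:8]):
            continue
        version, name, path = tail.groups()
        key = (cols[0].lower(), name.lower())
        if key in seen:  # the table can list one module twice (comctl32.dll above)
            continue
        seen.add(key)
        mod = {"base": int(cols[0], 16), "size": int(cols[2], 16),
               "version": version, "name": name, "path": path}
        mod.update({c: f == "True" for c, f in zip(COLUMNS, cols[3:8])})
        modules.append(mod)
    return modules


def missing_mitigations(modules):
    """Return (name, path, [missing flags]) for modules with any mitigation off."""
    findings = []
    for mod in modules:
        missing = [m for m in MITIGATIONS if not mod[m]]
        if missing:
            findings.append((mod["name"], mod["path"], missing))
    return findings


if __name__ == "__main__":
    for name, path, missing in missing_mitigations(parse_modules(SAMPLE)):
        print(f"{name:<14} missing {', '.join(missing):<26} {path}")
```

Modules reported here are candidates for rebuilding with the MSVC linker options /SAFESEH, /DYNAMICBASE and /NXCOMPAT, or for replacing with a newer vendor release.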