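Using the mona script in WinDbg

This post builds on the earlier article about extending WinDbg with Python scripts.


1. Environment setup

 Copy mona.py and windbglib.py into the WinDbg installation directory.


2. Run WinDbg and attach to the process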

 

1:006> .load pykd.pyd
1:006> !py mona

** Warning, no symbol path set ! ** 
   I'll set the symbol path to srv*c:\symbols*http://msdl.microsoft.com/download/symbols
   Symbol path set, now reloading symbols...
   All set. Please restart WinDBG.

Hold on...
[+] Command used:
!py mona.py
     'mona' - Exploit Development Swiss Army Knife - WinDBG (32bit)
     Plugin version : 2.0 r577
     PyKD version 0.2.0.29
     Written by Corelan - https://www.corelan.be
     Project page : https://github.com/corelan/mona
    |------------------------------------------------------------------|
    |                         __               __                      |
    |   _________  ________  / /___ _____     / /____  ____ _____ ___  |
    |  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |
    | / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |
    | \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |
    |                                                                  |
    |     https://www.corelan.be | https://www.corelan-training.com    |
    |------------------------------------------------------------------|

Global options :
----------------
You can use one or more of the following global options on any command that will perform
a search in one or more modules, returning a list of pointers :
 -n                     : Skip modules that start with a null byte. If this is too broad, use
                          option -cp nonull instead
 -o                     : Ignore OS modules
 -p <nr>                : Stop search after <nr> pointers.
 -m <module,module,...> : only query the given modules. Be sure what you are doing !
                          You can specify multiple modules (comma separated)
                          Tip : you can use -m *  to include all modules. All other module criteria will be ignored
                          Other wildcards : *blah.dll = ends with blah.dll, blah* = starts with blah,
                          blah or *blah* = contains blah
 -cm <crit,crit,...>    : Apply some additional criteria to the modules to query.
                          You can use one or more of the following criteria :
                          aslr,safeseh,rebase,nx,os
                          You can enable or disable a certain criterium by setting it to true or false
                          Example :  -cm aslr=true,safeseh=false
                          Suppose you want to search for p/p/r in aslr enabled modules, you could call
                          !mona seh -cm aslr
 -cp <crit,crit,...>    : Apply some criteria to the pointers to return
                          Available options are :
                          unicode,ascii,asciiprint,upper,lower,uppernum,lowernum,numeric,alphanum,nonull,startswithnull,unicoderev
                          Note : Multiple criteria will be evaluated using 'AND', except if you are looking for unicode + one crit
 -cpb '\x00\x01'        : Provide list with bad chars, applies to pointers
                          You can use .. to indicate a range of bytes (in between 2 bad chars)
 -x <access>            : Specify desired access level of the returning pointers. If not specified,
                          only executable pointers will be returned.
                          Access levels can be one of the following values : R,W,X,RW,RX,WX,RWX or *

Usage :
-------

 !mona <command> <parameter>

Available commands and parameters :

? / eval             | Evaluate an expression
allocmem / alloc     | Allocate some memory in the process
assemble / asm       | Convert instructions to opcode. Separate multiple instructions with #
bpseh / sehbp        | Set a breakpoint on all current SEH Handler function pointers
breakfunc / bf       | Set a breakpoint on an exported function in on or more dll's
breakpoint / bp      | Set a memory breakpoint on read/write or execute of a given address
bytearray / ba       | Creates a byte array, can be used to find bad characters
changeacl / ca       | Change the ACL of a given page
compare / cmp        | Compare contents of a binary file with a copy in memory
config / conf        | Manage configuration file (mona.ini)
copy / cp            | Copy bytes from one location to another
dump                 | Dump the specified range of memory to a file
dumplog / dl         | Dump objects present in alloc/free log file
dumpobj / do         | Dump the contents of an object
egghunter / egg      | Create egghunter code
encode / enc         | Encode a series of bytes
filecompare / fc     | Compares 2 or more files created by mona using the same output commands
fillchunk / fchunk   | Fill a heap chunk referenced by a register
find / f             | Find bytes in memory
findmsp / findmsf    | Find cyclic pattern in memory
findwild / fw        | Find instructions in memory, accepts wildcards
flow / flw           | Simulate execution flows, including all branch combinations
fwptr / fwp          | Find Writeable Pointers that get called
geteat / eat         | Show EAT of selected module(s)
getiat / iat         | Show IAT of selected module(s)
getpc                | Show getpc routines for specific registers
gflags / gf          | Show current GFlags settings from PEB.NtGlobalFlag
header               | Read a binary file and convert content to a nice 'header' string
heap                 | Show heap related information
help                 | show help
hidedebug / hd       | Attempt to hide the debugger
info                 | Show information about a given address in the context of the loaded application
infodump / if        | Dumps specific parts of memory to file
jmp / j              | Find pointers that will allow you to jump to a register
jop                  | Finds gadgets that can be used in a JOP exploit
kb / kb              | Manage Knowledgebase data
modules / mod        | Show all loaded modules and their properties
noaslr               | Show modules that are not aslr or rebased
nosafeseh            | Show modules that are not safeseh protected
nosafesehaslr        | Show modules that are not safeseh protected, not aslr and not rebased
offset               | Calculate the number of bytes between two addresses
pageacl / pacl       | Show ACL associated with mapped pages
pattern_create / pc  | Create a cyclic pattern of a given size
pattern_offset / po  | Find location of 4 bytes in a cyclic pattern
peb / peb            | Show location of the PEB
rop                  | Finds gadgets that can be used in a ROP exploit and do ROP magic with them
ropfunc              | Find pointers to pointers (IAT) to interesting functions that can be used in your ROP chain
seh                  | Find pointers to assist with SEH overwrite exploits
sehchain / exchain   | Show the current SEH chain
skeleton             | Create a Metasploit module skeleton with a cyclic pattern for a given type of exploit
stackpivot           | Finds stackpivots (move stackpointer to controlled area)
stacks               | Show all stacks for all threads in the running application
string / str         | Read or write a string from/to memory
suggest              | Suggest an exploit buffer structure
teb / teb            | Show TEB related information
tobp / 2bp           | Generate WinDBG syntax to create a logging breakpoint at given location
unicodealign / ua    | Generate venetian alignment code for unicode stack buffer overflow
update / up          | Update mona to the latest version

Want more info about a given command ?  Run !mona help 

mona is now ready to use. For example, to see which modules do not have SafeSEH or ASLR enabled:

1:006> !py mona mod
Hold on...
[+] Command used:
!py mona.py mod

---------- Mona command started on 2017-09-21 23:49:26 (v2.0, rev 577) ----------
[+] Processing arguments and criteria
    - Pointer access level : X
[+] Generating module info table, hang on...
    - Processing modules
    - Done. Let's rock 'n roll.
-----------------------------------------------------------------------------------------------------------------------------------------
 Module info :
-----------------------------------------------------------------------------------------------------------------------------------------
 Base       | Top        | Size       | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll | Version, Modulename & Path
-----------------------------------------------------------------------------------------------------------------------------------------
 0x731b0000 | 0x73340000 | 0x00190000 | False  | True    | True  |  True    | True   | 6.1.7601.17514 [gdiplus.dll] (C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll)
 0x76800000 | 0x76910000 | 0x00110000 | False  | True    | True  |  True    | True   | 6.1.7601.17514 [kernel32.dll] (C:\Windows\syswow64\kernel32.dll)
 0x75470000 | 0x754f0000 | 0x00080000 | False  | True    | True  |  True    | True   | 6.1.7600.16385 [UxTheme.dll] (c:\windows\SysWOW64\UxTheme.dll)
 0x755d0000 | 0x755dc000 | 0x0000c000 | False  | True    | True  |  True    | True   | 6.1.7600.16385 [CRYPTBASE.dll] (C:\Windows\syswow64\CRYPTBASE.dll)
 0x77a80000 | 0x77c00000 | 0x00180000 | False  | True    | True  |  True    | True   | 6.1.7601.17514 [ntdll.dll] (ntdll.dll)
 0x77660000 | 0x77679000 | 0x00019000 | False  | True    | True  |  True    | True   | 6.1.7600.16385 [sechost.dll] (C:\Windows\SysWOW64\sechost.dll)
 0x767e0000 | 0x767ea000 | 0x0000a000 | False  | True    | True  |  True    | True   | 6.1.7600.16385 [LPK.dll] (C:\Windows\syswow64\LPK.dll)
 0x007b0000 | 0x00870000 | 0x000c0000 | False  | True    | True  |  True    | False  | 6.1.7601.17514 [calc.exe] (calc.exe)
 0x772d0000 | 0x7736d000 | 0x0009d000 | False  | True    | True  |  True    | True   | 1.626.7601.17514 [USP10.dll] (C:\Windows\syswow64\USP10.dll)
 0x755e0000 | 0x75640000 | 0x00060000 | False  | True    | True  |  True    | True   | 6.1.7601.17514 [SspiCli.dll] (C:\Windows\syswow64\SspiCli.dll)
 0x76d20000 | 0x76e7c000 | 0x0015c000 | False  | True    | True  |  True    | True   | 6.1.7601.17514 [ole32.dll] (C:\Windows\syswow64\ole32.dll)
 0x77090000 | 0x770e7000 | 0x00057000 | False  | True    | True  |  True    | True   | 6.1.7601.17514 [SHLWAPI.dll] (C:\Windows\syswow64\SHLWAPI.dll)
 0x76ab0000 | 0x76bb0000 | 0x00100000 | False  | True    | True  |  True    | True   | 6.1.7601.17514 [USER32.dll] (C:\Windows\syswow64\USER32.dll)
 0x77370000 | 0x773ff000 | 0x0008f000 | False  | True    | True  |  True    | True   | 6.1.7601.17514 [OLEAUT32.dll] (C:\Windows\syswow64\OLEAUT32.dll)
 0x75790000 | 0x763da000 | 0x00c4a000 | False  | True    | True  |  True    | True   | 6.1.7601.17514 [SHELL32.dll] (C:\Windows\syswow64\SHELL32.dll)
 0x76430000 | 0x76520000 | 0x000f0000 | False  | True    | True  |  True    | True   | 6.1.7601.17514 [RPCRT4.dll] (C:\Windows\syswow64\RPCRT4.dll)
 0x744e0000 | 0x7467e000 | 0x0019e000 | False  | True    | True  |  True    | True   | 6.10.7601.17514 [COMCTL32.dll] (C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\COMCTL32.dll)
 0x75640000 | 0x75686000 | 0x00046000 | False  | True    | True  |  True    | True   | 6.1.7601.17514 [KERNELBASE.dll] (C:\Windows\syswow64\KERNELBASE.dll)
 0x75340000 | 0x75349000 | 0x00009000 | False  | True    | True  |  True    | True   | 6.1.7600.16385 [VERSION.dll] (c:\windows\SysWOW64\VERSION.dll)
 0x74ff0000 | 0x75022000 | 0x00032000 | False  | True    | True  |  True    | True   | 6.1.7601.17514 [WINMM.dll] (c:\windows\SysWOW64\WINMM.dll)
 0x775d0000 | 0x77660000 | 0x00090000 | False  | True    | True  |  True    | True   | 6.1.7601.17514 [GDI32.dll] (C:\Windows\syswow64\GDI32.dll)
 0x76e80000 | 0x76f2c000 | 0x000ac000 | False  | True    | True  |  True    | True   | 7.0.7600.16385 [msvcrt.dll] (C:\Windows\syswow64\msvcrt.dll)
 0x77180000 | 0x77220000 | 0x000a0000 | False  | True    | True  |  True    | True   | 6.1.7601.17514 [ADVAPI32.dll] (C:\Windows\syswow64\ADVAPI32.dll)
-----------------------------------------------------------------------------------------------------------------------------------------


[+] This mona.py action took 0:00:00.203000

Unfortunately, every module has them enabled.

Let the process load some more DLLs and try again.


0:013> !py mona mod
Hold on...
[+] Command used:
!py mona.py mod

---------- Mona command started on 2017-09-21 23:52:18 (v2.0, rev 577) ----------
[+] Processing arguments and criteria
    - Pointer access level : X
[+] Generating module info table, hang on...
    - Processing modules
    - Done. Let's rock 'n roll.
-----------------------------------------------------------------------------------------------------------------------------------------
 Module info :
-----------------------------------------------------------------------------------------------------------------------------------------
 Base       | Top        | Size       | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll | Version, Modulename & Path
-----------------------------------------------------------------------------------------------------------------------------------------
 0x7c340000 | 0x7c396000 | 0x00056000 | False  | False   | False |  False   | False  | 7.10.3052.4 [MSVCR71.dll] (C:\Program Files (x86)\Java\jre6\bin\MSVCR71.dll)
 0x71650000 | 0x720d0000 | 0x00a80000 | False  | True    | True  |  True    | True   | 8.0.7601.17514 [IEFRAME.dll] (C:\Windows\system32\IEFRAME.dll)
 0x731b0000 | 0x73340000 | 0x00190000 | False  | True    | True  |  True    | True   | 6.1.7601.17514 [gdiplus.dll] (C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll)
 0x6d430000 | 0x6d43d000 | 0x0000d000 | False  | False   | False |  False   | False  | 6.0.370.6 [jp2ssv.dll] (C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll)
 0x77490000 | 0x775c6000 | 0x00136000 | False  | True    | True  |  True    | True   | 8.0.7601.17514 [urlmon.dll] (C:\Windows\syswow64\urlmon.dll)
 0x74ba0000 | 0x74bbc000 | 0x0001c000 | False  | True    | True  |  True    | True   | 6.1.7601.17514 [iphlpapi.DLL] (C:\Windows\system32\iphlpapi.DLL)
 0x736f0000 | 0x73ca7000 | 0x005b7000 | False  | True    | True  |  True    | True   | 8.0.7601.17514 [mshtml.dll] (C:\Windows\SysWOW64\mshtml.dll)
 0x73cb0000 | 0x73cfc000 | 0x0004c000 | False  | True    | True  |  True    | True   | 6.1.7601.17514 [apphelp.dll] (C:\Windows\system32\apphelp.dll)
 0x76bf0000 | 0x76d0d000 | 0x0011d000 | False  | True    | True  |  True    | True   | 6.1.7601.17514 [CRYPT32.dll] (C:\Windows\syswow64\CRYPT32.dll)
 0x76bb0000 | 0x76bbc000 | 0x0000c000 | False  | True    | True  |  True    | True   | 6.1.7601.17514 [MSASN1.dll] (C:\Windows\syswow64\MSASN1.dll)
 0x6d730000 | 0x6d77f000 | 0x0004f000 | False  | False   | False |  False   | False  | 6.0.370.6 [ssv.dll] (C:\Program Files (x86)\Java\jre6\bin\ssv.dll)
 0x76800000 | 0x76910000 | 0x00110000 | False  | True    | True  |  True    | True   | 6.1.7601.17514 [kernel32.dll] (C:\Windows\syswow64\kernel32.dll)
 0x76e80000 | 0x76f2c000 | 0x000ac000 | False  | True    | True  |  True    | True   | 7.0.7600.16385 [msvcrt.dll] (C:\Windows\syswow64\msvcrt.dll)
 0x755d0000 | 0x755dc000 | 0x0000c000 | False  | True    | True  |  True    | True   | 6.1.7600.16385 [CRYPTBASE.dll] (C:\Windows\syswow64\CRYPTBASE.dll)
 0x75070000 | 0x7509a000 | 0x0002a000 | False  | True    | True  |  True    | True   | 3.10.349.0 [msls31.dll] (C:\Windows\SysWOW64\msls31.dll)
 0x75350000 | 0x75363000 | 0x00013000 | False  | True    | True  |  True    | True   | 6.1.7600.16385 [dwmapi.dll] (C:\Windows\system32\dwmapi.dll)
 0x77a80000 | 0x77c00000 | 0x00180000 | False  | True    | True  |  True    | True   | 6.1.7601.17514 [ntdll.dll] (C:\Windows\SysWOW64\ntdll.dll)
 0x74920000 | 0x7494b000 | 0x0002b000 | False  | True    | True  |  True    | False  | 8.0.7601.17514 [ieproxy.dll] (C:\Program Files (x86)\Internet Explorer\ieproxy.dll)
 0x77660000 | 0x77679000 | 0x00019000 | False  | True    | True  |  True    | True   | 6.1.7600.16385 [sechost.dll] (C:\Windows\SysWOW64\sechost.dll)
 0x74c10000 | 0x74c4c000 | 0x0003c000 | False  | True    | True  |  True    | True   | 7.0.0.0 [OLEACC.dll] (C:\Windows\system32\OLEACC.dll)
 0x74cc0000 | 0x74ccb000 | 0x0000b000 | False  | True    | True  |  True    | True   | 8.0.7601.17514 [ImgUtil.dll] (C:\Windows\system32\ImgUtil.dll)
 0x767e0000 | 0x767ea000 | 0x0000a000 | False  | True    | True  |  True    | True   | 6.1.7600.16385 [LPK.dll] (C:\Windows\syswow64\LPK.dll)
 0x76520000 | 0x7671b000 | 0x001fb000 | False  | True    | True  |  True    | True   | 8.0.7601.17514 [iertutil.dll] (C:\Windows\syswow64\iertutil.dll)
 0x772d0000 | 0x7736d000 | 0x0009d000 | False  | True    | True  |  True    | True   | 1.626.7601.17514 [USP10.dll] (C:\Windows\syswow64\USP10.dll)
 0x75690000 | 0x75785000 | 0x000f5000 | False  | True    | True  |  True    | True   | 8.0.7601.17514 [WININET.dll] (C:\Windows\syswow64\WININET.dll)
 0x75330000 | 0x75337000 | 0x00007000 | False  | True    | True  |  True    | True   | 6.1.7600.16385 [WINNSI.DLL] (C:\Windows\system32\WINNSI.DLL)
 0x755e0000 | 0x75640000 | 0x00060000 | False  | True    | True  |  True    | True   | 6.1.7601.17514 [SspiCli.dll] (C:\Windows\syswow64\SspiCli.dll)
 0x77a50000 | 0x77a55000 | 0x00005000 | False  | True    | True  |  True    | True   | 6.1.7600.16385 [PSAPI.DLL] (C:\Windows\syswow64\PSAPI.DLL)
 0x76760000 | 0x76772000 | 0x00012000 | False  | True    | True  |  True    | True   | 6.1.7600.16385 [DEVOBJ.dll] (C:\Windows\syswow64\DEVOBJ.dll)
 0x76d20000 | 0x76e7c000 | 0x0015c000 | False  | True    | True  |  True    | True   | 6.1.7601.17514 [ole32.dll] (C:\Windows\syswow64\ole32.dll)
 0x77090000 | 0x770e7000 | 0x00057000 | False  | True    | True  |  True    | True   | 6.1.7601.17514 [SHLWAPI.dll] (C:\Windows\syswow64\SHLWAPI.dll)
 0x74b10000 | 0x74b26000 | 0x00016000 | False  | True    | True  |  True    | True   | 6.1.7600.16385 [CRYPTSP.dll] (C:\Windows\system32\CRYPTSP.dll)
 0x76ab0000 | 0x76bb0000 | 0x00100000 | False  | True    | True  |  True    | True   | 6.1.7601.17514 [USER32.dll] (C:\Windows\syswow64\USER32.dll)
 0x74d30000 | 0x74d60000 | 0x00030000 | False  | True    | True  |  True    | True   | 8.0.7601.17514 [iepeers.dll] (C:\Windows\SysWOW64\iepeers.dll)
 0x77430000 | 0x77490000 | 0x00060000 | False  | True    | True  |  True    | True   | 6.1.7601.17514 [IMM32.DLL] (C:\Windows\system32\IMM32.DLL)
 0x77220000 | 0x7729b000 | 0x0007b000 | False  | True    | True  |  True    | True   | 6.1.7601.17514 [comdlg32.dll] (C:\Windows\syswow64\comdlg32.dll)
 0x75180000 | 0x751ae000 | 0x0002e000 | False  | True    | True  |  True    | True   | 6.1.7600.16385 [MLANG.dll] (C:\Windows\system32\MLANG.dll)
 0x74340000 | 0x743f2000 | 0x000b2000 | False  | True    | True  |  True    | True   | 5.8.7601.17514 [jscript.dll] (C:\Windows\SysWOW64\jscript.dll)
 0x74ad0000 | 0x74b0b000 | 0x0003b000 | False  | True    | True  |  True    | True   | 6.1.7600.16385 [rsaenh.dll] (C:\Windows\system32\rsaenh.dll)
 0x73f90000 | 0x74085000 | 0x000f5000 | False  | True    | True  |  True    | True   | 7.0.7601.17514 [propsys.dll] (C:\Windows\system32\propsys.dll)
 0x751b0000 | 0x751d1000 | 0x00021000 | False  | True    | True  |  True    | True   | 6.1.7600.16385 [ntmarta.dll] (C:\Windows\system32\ntmarta.dll)
 0x74e10000 | 0x74f0b000 | 0x000fb000 | False  | True    | True  |  True    | True   | 6.1.7601.17514 [windowscodecs.dll] (C:\Windows\SysWOW64\windowscodecs.dll)
 0x75470000 | 0x754f0000 | 0x00080000 | False  | True    | True  |  True    | True   | 6.1.7600.16385 [uxtheme.dll] (C:\Windows\system32\uxtheme.dll)
 0x75170000 | 0x7517b000 | 0x0000b000 | False  | True    | True  |  True    | True   | 6.1.7600.16385 [msimtf.dll] (C:\Windows\system32\msimtf.dll)
 0x77370000 | 0x773ff000 | 0x0008f000 | False  | True    | True  |  True    | True   | 6.1.7601.17514 [OLEAUT32.dll] (C:\Windows\syswow64\OLEAUT32.dll)
 0x751e0000 | 0x751eb000 | 0x0000b000 | False  | True    | True  |  True    | True   | 6.1.7600.16385 [profapi.dll] (C:\Windows\system32\profapi.dll)
 0x75790000 | 0x763da000 | 0x00c4a000 | False  | True    | True  |  True    | True   | 6.1.7601.17514 [SHELL32.dll] (C:\Windows\syswow64\SHELL32.dll)
 0x76430000 | 0x76520000 | 0x000f0000 | False  | True    | True  |  True    | True   | 6.1.7601.17514 [RPCRT4.dll] (C:\Windows\syswow64\RPCRT4.dll)
 0x76720000 | 0x76755000 | 0x00035000 | False  | True    | True  |  True    | True   | 6.1.7601.17514 [ws2_32.DLL] (C:\Windows\syswow64\ws2_32.DLL)
 0x76f30000 | 0x76fb3000 | 0x00083000 | False  | True    | True  |  True    | True   | 2001.12.8530.16385 [CLBCatQ.DLL] (C:\Windows\syswow64\CLBCatQ.DLL)
 0x744e0000 | 0x7467e000 | 0x0019e000 | False  | True    | True  |  True    | True   | 6.10.7601.17514 [comctl32.dll] (C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll)
 0x744e0000 | 0x7467e000 | 0x0019e000 | False  | True    | True  |  True    | True   | 6.10.7601.17514 [COMCTL32.dll] (C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll)
 0x76d10000 | 0x76d13000 | 0x00003000 | False  | True    | True  |  True    | True   | 6.1.7600.16385 [Normaliz.dll] (C:\Windows\syswow64\Normaliz.dll)
 0x767f0000 | 0x767f6000 | 0x00006000 | False  | True    | True  |  True    | True   | 6.1.7600.16385 [NSI.dll] (C:\Windows\syswow64\NSI.dll)
 0x763e0000 | 0x76425000 | 0x00045000 | False  | True    | True  |  True    | True   | 6.1.7601.17514 [WLDAP32.dll] (C:\Windows\syswow64\WLDAP32.dll)
 0x76fc0000 | 0x7708c000 | 0x000cc000 | False  | True    | True  |  True    | True   | 6.1.7600.16385 [MSCTF.dll] (C:\Windows\syswow64\MSCTF.dll)
 0x75640000 | 0x75686000 | 0x00046000 | False  | True    | True  |  True    | True   | 6.1.7601.17514 [KERNELBASE.dll] (C:\Windows\syswow64\KERNELBASE.dll)
 0x73f30000 | 0x73f8f000 | 0x0005f000 | False  | True    | True  |  True    | True   | 6.1.7601.17514 [SXS.DLL] (C:\Windows\system32\SXS.DLL)
 0x74ac0000 | 0x74ace000 | 0x0000e000 | False  | True    | True  |  True    | True   | 6.1.7601.17514 [RpcRtRemote.dll] (C:\Windows\system32\RpcRtRemote.dll)
 0x772a0000 | 0x772c7000 | 0x00027000 | False  | True    | True  |  True    | True   | 6.1.7601.17514 [CFGMGR32.dll] (C:\Windows\syswow64\CFGMGR32.dll)
 0x775d0000 | 0x77660000 | 0x00090000 | False  | True    | True  |  True    | True   | 6.1.7601.17514 [GDI32.dll] (C:\Windows\syswow64\GDI32.dll)
 0x74bc0000 | 0x74c04000 | 0x00044000 | False  | True    | True  |  True    | True   | 6.1.7601.17514 [dnsapi.DLL] (C:\Windows\system32\dnsapi.DLL)
 0x00f20000 | 0x00fc6000 | 0x000a6000 | False  | True    | True  |  False   | False  | 8.0.7601.17514 [iexplore.exe] (C:\Program Files (x86)\Internet Explorer\iexplore.exe)
 0x74cd0000 | 0x74d21000 | 0x00051000 | False  | True    | True  |  True    | True   | 6.1.7601.17514 [WINSPOOL.DRV] (C:\Windows\SysWOW64\WINSPOOL.DRV)
 0x75340000 | 0x75349000 | 0x00009000 | False  | True    | True  |  True    | True   | 6.1.7600.16385 [VERSION.dll] (C:\Windows\system32\VERSION.dll)
 0x77180000 | 0x77220000 | 0x000a0000 | False  | True    | True  |  True    | True   | 6.1.7601.17514 [ADVAPI32.dll] (C:\Windows\syswow64\ADVAPI32.dll)
 0x76910000 | 0x76aad000 | 0x0019d000 | False  | True    | True  |  True    | True   | 6.1.7601.17514 [SETUPAPI.dll] (C:\Windows\syswow64\SETUPAPI.dll)
 0x75130000 | 0x75165000 | 0x00035000 | False  | True    | True  |  True    | False  | 8.0.7601.17514 [IEShims.dll] (C:\Program Files (x86)\Internet Explorer\IEShims.dll)
 0x74f30000 | 0x74f3e000 | 0x0000e000 | False  | True    | True  |  True    | True   | 8.0.7600.16385 [pngfilt.dll] (C:\Windows\SysWOW64\pngfilt.dll)
-----------------------------------------------------------------------------------------------------------------------------------------


[+] This mona.py action took 0:00:00.468000

Now we have some!
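An added example, not part of the original post or of mona itself: a small Python parser for the `!py mona mod` table that reports which modules lack SafeSEH, ASLR or NXCompat, so the components that need updating or rebuilding can be picked out of a long listing. The sample rows are copied from the second run above; `parse_modules` and `audit` are names introduced for this example.

```python
import re
from dataclasses import dataclass

# Rows copied from the second `!py mona mod` run above; the header and rule
# lines are kept (shortened) to show that non-data lines are skipped.
SAMPLE = r"""
 Module info :
-----------------------------------------------------------------
 Base       | Top        | Size       | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll | Version, Modulename & Path
-----------------------------------------------------------------
 0x7c340000 | 0x7c396000 | 0x00056000 | False  | False   | False |  False   | False  | 7.10.3052.4 [MSVCR71.dll] (C:\Program Files (x86)\Java\jre6\bin\MSVCR71.dll)
 0x6d430000 | 0x6d43d000 | 0x0000d000 | False  | False   | False |  False   | False  | 6.0.370.6 [jp2ssv.dll] (C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll)
 0x6d730000 | 0x6d77f000 | 0x0004f000 | False  | False   | False |  False   | False  | 6.0.370.6 [ssv.dll] (C:\Program Files (x86)\Java\jre6\bin\ssv.dll)
 0x76800000 | 0x76910000 | 0x00110000 | False  | True    | True  |  True    | True   | 6.1.7601.17514 [kernel32.dll] (C:\Windows\syswow64\kernel32.dll)
 0x744e0000 | 0x7467e000 | 0x0019e000 | False  | True    | True  |  True    | True   | 6.10.7601.17514 [comctl32.dll] (C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll)
 0x744e0000 | 0x7467e000 | 0x0019e000 | False  | True    | True  |  True    | True   | 6.10.7601.17514 [COMCTL32.dll] (C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll)
 0x00f20000 | 0x00fc6000 | 0x000a6000 | False  | True    | True  |  False   | False  | 8.0.7601.17514 [iexplore.exe] (C:\Program Files (x86)\Internet Explorer\iexplore.exe)
"""

FLAG_COLUMNS = ("Rebase", "SafeSEH", "ASLR", "NXCompat", "OS Dll")
MITIGATIONS = ("SafeSEH", "ASLR", "NXCompat")
# Last column: "<version> [<module name>] (<path>)"; the path may itself
# contain parentheses, e.g. "Program Files (x86)".
TAIL = re.compile(r"^(?P<version>\S+) \[(?P<name>[^\]]+)\] \((?P<path>.*)\)$")


@dataclass
class Module:
    base: int
    top: int
    size: int
    flags: dict
    version: str
    name: str
    path: str

    @property
    def missing(self):
        """Mitigation columns that mona reported as False."""
        return [m for m in MITIGATIONS if not self.flags[m]]


def parse_modules(text):
    """Parse the 'Module info' table; returns one Module per base address."""
    by_base = {}
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|", 8)]
        if len(cols) != 9 or not cols[0].startswith("0x"):
            continue  # banner, header or rule line
        tail = TAIL.match(cols[8])
        if tail is None or any(c not in ("True", "False") for c in cols[3:8]):
            continue  # malformed row: skip instead of guessing
        base, top, size = (int(c, 16) for c in cols[:3])
        flags = {k: v == "True" for k, v in zip(FLAG_COLUMNS, cols[3:8])}
        # The same image can be listed twice (COMCTL32.dll above), so key on base.
        by_base[base] = Module(base, top, size, flags, **tail.groupdict())
    return list(by_base.values())


def audit(modules):
    """Map module name -> list of missing mitigations, for modules missing any."""
    return {m.name: m.missing for m in modules if m.missing}


if __name__ == "__main__":
    for mod in sorted(parse_modules(SAMPLE), key=lambda m: -len(m.missing)):
        if mod.missing:
            origin = "OS" if mod.flags["OS Dll"] else "third-party/app"
            print(f"{mod.name:<14} {origin:<16} missing: {', '.join(mod.missing)}")
            print(f"    {mod.path}")
```

For modules you build yourself, the missing columns correspond to the MSVC linker options /SAFESEH, /DYNAMICBASE and /NXCOMPAT; for bundled runtimes such as the Java 6 DLLs flagged here, the fix is to update or remove the component.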

