exploit - mona.py - the manual
来源:互联网 发布:apriori算法java实现 编辑:程序博客网 时间:2024/06/11 14:56
mona.py
Install mona.py
Put mona.py into
C:\Program Files\Immunity Inc\Immunity Debugger\PyCommandsBasic usage
Open Immunity Debugger. At the bottom of the application you should see an input box (command bar), Enter !mona and press return.
Open the log window (ALT-L) and you should get a full page of information about mona (options and commands).
0BADF00D [+] Command used:0BADF00D !mona0BADF00D 'mona' - Exploit Development Swiss Army Knife - Immunity Debugger (32bit)0BADF00D Plugin version : 2.0 r5540BADF00D Written by Corelan - https://www.corelan.be0BADF00D Project page : https://github.com/corelan/mona .##.....##..#######..##....##....###........########..##....## .###...###.##.....##.###...##...##.##.......##.....##..##..##. .####.####.##.....##.####..##..##...##......##.....##...####.. .##.###.##.##.....##.##.##.##.##.....##.....########.....##... .##.....##.##.....##.##..####.#########.....##...........##... .##.....##.##.....##.##...###.##.....##.###.##...........##... .##.....##..#######..##....##.##.....##.###.##...........##...0BADF00D Global options :0BADF00D ----------------0BADF00D You can use one or more of the following global options on any command that will perform0BADF00D a search in one or more modules, returning a list of pointers :0BADF00D -n : Skip modules that start with a null byte. If this is too broad, use0BADF00D option -cm nonull instead0BADF00D -o : Ignore OS modules0BADF00D -p <nr> : Stop search after <nr> pointers.0BADF00D -m <module,module,...> : only query the given modules. Be sure what you are doing !0BADF00D You can specify multiple modules (comma separated)0BADF00D Tip : you can use -m * to include all modules. All other module criteria will be ignored0BADF00D Other wildcards : *blah.dll = ends with blah.dll, blah* = starts with blah,0BADF00D blah or *blah* = contains blah0BADF00D -cm <crit,crit,...> : Apply some additional criteria to the modules to query.0BADF00D You can use one or more of the following criteria :0BADF00D aslr,safeseh,rebase,nx,os0BADF00D You can enable or disable a certain criterium by setting it to true or false0BADF00D Example : -cm aslr=true,safeseh=false0BADF00D Suppose you want to search for p/p/r in aslr enabled modules, you could call0BADF00D !mona seh -cm aslr0BADF00D -cp <crit,crit,...> : Apply some criteria to the pointers to return0BADF00D Available options are :0BADF00D unicode,ascii,asciiprint,upper,lower,uppernum,lowernum,numeric,alphanum,nonull,startswithnull,unicoderev0BADF00D Note : Multiple criteria will be evaluated using 'AND', except if you are looking for unicode + one crit0BADF00D -cpb '\x00\x01' : Provide list with bad chars, applies to pointers0BADF00D You can use .. to indicate a range of bytes (in between 2 bad chars)0BADF00D -x <access> : Specify desired access level of the returning pointers. If not specified,0BADF00D only executable pointers will be return.0BADF00D Access levels can be one of the following values : R,W,X,RW,RX,WX,RWX or * Usage : -------0BADF00D !mona <command> <parameter> Available commands and parameters : ? / eval | Evaluate an expression assemble / asm | Convert instructions to opcode. Separate multiple instructions with # bpseh / sehbp | Set a breakpoint on all current SEH Handler function pointers breakfunc / bf | Set a breakpoint on an exported function in on or more dll's breakpoint / bp | Set a memory breakpoint on read/write or execute of a given address bytearray / ba | Creates a byte array, can be used to find bad characters calltrace / ct | Log all CALL instructions compare / cmp | Compare contents of a binary file with a copy in memory config / conf | Manage configuration file (mona.ini) copy / cp | Copy bytes from one location to another deferbp / bu | Set a deferred breakpoint dump | Dump the specified range of memory to a file egghunter / egg | Create egghunter code encode / enc | Encode a series of bytes filecompare / fc | Compares 2 or more files created by mona using the same output commands find / f | Find bytes in memory findmsp / findmsf | Find cyclic pattern in memory findwild / fw | Find instructions in memory, accepts wildcards fwptr / fwp | Find Writeable Pointers that get called geteat / eat | Show EAT of selected module(s) getiat / iat | Show IAT of selected module(s) getpc | Show getpc routines for specific registers gflags / gf | Show current GFlags settings from PEB.NtGlobalFlag header | Read a binary file and convert content to a nice 'header' string heap | Show heap related information help | show help hidedebug / hd | Attempt to hide the debugger info | Show information about a given address in the context of the loaded application infodump / if | Dumps specific parts of memory to file jmp / j | Find pointers that will allow you to jump to a register jop | Finds gadgets that can be used in a JOP exploit kb / kb | Manage Knowledgebase data modules / mod | Show all loaded modules and their properties noaslr | Show modules that are not aslr or rebased nosafeseh | Show modules that are not safeseh protected nosafesehaslr | Show modules that are not safeseh protected, not aslr and not rebased offset | Calculate the number of bytes between two addresses pageacl / pacl | Show ACL associated with mapped pages pattern_create / pc | Create a cyclic pattern of a given size pattern_offset / po | Find location of 4 bytes in a cyclic pattern peb / peb | Show location of the PEB rop | Finds gadgets that can be used in a ROP exploit and do ROP magic with them ropfunc | Find pointers to pointers (IAT) to interesting functions that can be used in your ROP chain seh | Find pointers to assist with SEH overwrite exploits sehchain / exchain | Show the current SEH chain skeleton | Create a Metasploit module skeleton with a cyclic pattern for a given type of exploit stackpivot | Finds stackpivots (move stackpointer to controlled area) stacks | Show all stacks for all threads in the running application string / str | Read or write a string from/to memory suggest | Suggest an exploit buffer structure teb / teb | Show TEB related information unicodealign / ua | Generate venetian alignment code for unicode stack buffer overflow update / up | Update mona to the latest version0BADF00D0BADF00D Want more info about a given command ? Run !mona help <command>0BADF00DKeeping mona.py up-to-date
Before using mona, I strongly recommend making sure you are running the latest version. If you are using the stable release, you won’t see updates that often (new version releases are often announced on twitter or Google+).
If you are using the trunk release of mona.py, you might want to update on a regular (daily) basis.
Updating is very simple. Make sure your device has access to redmine.corelan.be (https or http) and run
!mona upBy default, a connection is made to https://redmine.corelan.be. If, for whatever reason, you are unable to use https, you can use the -http switch to force the use of http:
!mona up -httpStarting from mona.py v1.1 you can switch between stable and trunk releases, by using the -t option.
So, if you are running trunk and you want to change to release, run
!mona up -t releaseif you want to switch to the latest trunk version, run
!mona up -t trunkCommands
assemble / asm
The “assemble” command allows you to convert one or more assembly instructions into opcode.
0BADF00D Usage of command 'asm' :0BADF00D ------------------------- Convert instructions to opcode. Separate multiple instructions with #. Mandatory argument : -s <instructions> : the sequence of instructions to assemble to opcodeFor Example, we can get “jmp esp” opcode.
!mona assemble -s "jmp esp"!mona asm -s "jmp esp"0BADF00D0BADF00D0BADF00D [+] This mona.py action took 0:00:000BADF00D [+] Command used:0BADF00D !mona assemble -s "jmp esp"0BADF00D Opcode results :0BADF00D ----------------0BADF00D jmp esp = \xff\xe40BADF00D Full opcode : \xff\xe40BADF00D0BADF00D [+] This mona.py action took 0:00:00.010000bpseh / sehbp
Set a breakpoint on all current SEH Handler function pointers
!mona bpseh!mona sehbpbreakfunc / bf
Set a breakpoint on an exported function in or more dll’s.
0BADF00D Usage of command 'breakfunc' :0BADF00D ------------------------------- Set a breakpoint on exported or imported function(s) of the selected modules. Mandatory argument : -t <type> : type of breakpoint action. Can be 'add', 'del' or 'list' Optional arguments : -f <function type> : set to 'import' or 'export' to read IAT or EAT. Default : export -s <func,func,func> : specify function names. If you want a bp on all functions, set -s to *0BADF00D0BADF00D0BADF00D [+] This mona.py action took 0:00:00we can get all export or import functions, for example:
!mona breakfunc -t list -f export -s *!mona breakfunc -t list -f import -s *we can do the same things with the commands:
!mona geteat!mona getiatbreakpoint / bp
Set a memory breakpoint on read/write or execute of a given address.
0BADF00D Usage of command 'breakpoint' :0BADF00D -------------------------------- Set a breakpoint when a given address is read from, written to or executed Mandatory arguments : -a <address> : the address where to set the breakpoint (absolute address / register / modulename!functionname) -t <type> : type of the breakpoint, can be READ, WRITE or SFX0BADF00D0BADF00D0BADF00D [+] This mona.py action took 0:00:00set a READ breakpoint for demo.
0BADF00D !mona breakpoint -a 0x00437869 -t READ0BADF00D Breakpoint set on READ of 0x004378690BADF00D0BADF00D [+] This mona.py action took 0:00:00.01000000437869 [02:39:59] Memory breakpoint when executing [00437869]What’s the different between READ breakpoint and WRITE or SFX breakpoint ?
bytearray / ba
The “bytearray” option was implemented to assist exploit developers when finding bad chars. It will produce an array with all bytes between \x00 and \xff (except for the ones that you excluded), and writes the array to 2 files.
- a text file containging the array in ascii format (bytearray.txt)
- a binary file containging the same array (bytearray.bin)
Optional arguments:
- -cpb : exclude these bytes from the array.
- -r: show the array in reverse (starting at \xff, end at \x00)
For example:
0BADF00D0BADF00D0BADF00D [+] This mona.py action took 0:00:000BADF00D [+] Command used:0BADF00D !mona bytearray0BADF00D Generating table, excluding 0 bad chars...0BADF00D Dumping table to file0BADF00D [+] Preparing output file 'bytearray.txt'0BADF00D - (Re)setting logfile C:\logs\RM2MP3Converter\bytearray.txt "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f" "\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f" "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f" "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf" "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf" "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"0BADF00D0BADF00D Done, wrote 256 bytes to file C:\logs\RM2MP3Converter\bytearray.txt0BADF00D Binary output saved in C:\logs\RM2MP3Converter\bytearray.bin0BADF00D0BADF00D [+] This mona.py action took 0:00:00.030000We believe finding bad chars is a mandatory step in the exploit writing process. Over the last few weeks and months, alot of people have asked use how to perform this task, so here are the steps to finding bad chars.
Let’s say your exploit structure (classic saved return pointer overwrite) looks like this:
[ 280 bytes of junk ] [ EIP ] [ 500 bytes (shellcode) ]We should try to make the process as reliable and smooth as possible, so we’ll have to make sure we’re not messing with the essential part of the payload, which is the part that should allow us to keep control over EIP.
We’ll keep the first 280 bytes and the 4 bytes (saved return pointer) intact. If we would change those and the first 280 bytes contain bad chars, then we might not even be able to control EIP anymore, making it very hard to debug and find bad chars.
We have a number of bytes available after overwriting saved return pointer. So that is the perfect location to put our array. It will make sure that we can make the application crash in a reliable way, allowing us to set a breakpoint on EIP and then compare the array of bytes in memory with the original array of bytes.
Before creating & using the byte array, you should ask yourself “what kind of bytes are very likely going to be breaking the payload or altering the behaviour of the application”. If, for example, the buffer overflow gets triggered because of a string copy function, it’s very likely that a null byte will break the payload. A carriage return/line feed (\x0a\x0d) are common bytes that would change the way the payload is read & processed by the application as well, so in case of a string based overflow, you’ll probably discover that those are bad chars too.
So let’s start with excluding those 3 bytes from the array. (Of course, this is all based on assumptions. If you want to be sure, don’t exclude anything from the array yet).
!mona bytearray -cpb '\x00\x0a\x0d'Open “bytearray.txt” and copy the array. Open your exploit and paste the array after overwriting EIP (so instead of the 500 bytes, put the array).
Then set the necessary breakpoints (at the pointer you will use to control EIP with in this case) and trigger the crash. Your breakpoint should be hit, and the byte array (or a portion of it) should be in memory somewhere.
The process of finding the bad chars is very simple. We can use another mona feature to read the original byte array from the binary file that was created, and compare those bytes with the array that is in memory at crash time.
Mona will then read the binary file, takes the first 8 bytes from the file, locates all instances of those 8 bytes in memory, and compare each of the bytes of the array with the bytes in memory, listing the ones that were not altered, and listing the ones that were changed/corrupted.
!mona compare -f bytearray.binAt this point, there are 2 things you should check in the output of this command :
Find the location (probably on the stack in this example) where EIP would jump to. If you are building an exploit for a saved return pointer overwrite, you will most likely find your payload at ESP. Look at ESP (or the location where your payload is) and jot down that address. Open compare.txt, look for that address and you will get the list of bytes that were corrupted. Corruption can result in 2 types of behaviour : either the byte gets changed (other bytes are still fine), or all bytes after the bad char are different. Either way, unless you know what you are doing, only write down the first byte that was changed and add that byte to the list of bad chars. Then repeat the entire process (create bytearray, paste array into exploit, trigger crash, compare). So, if you discovery that for example \x59 is a bad char too, simply run the bytearray command again :
!mona bytearray -cpb ‘\x00\x0a\x0d’
Repeat the entire process and do another compare. If the resulting array was found at the right location, unmodified, then you have determined all bad chars. If not, just find the next bad char, exclude it from the array and try again. The process might be time consuming, and there may even be better ways to do this, but this technique works just fine.
Look at other locations where your array was found. Maybe one of those locations have a non-corrupted copy of the array, providing you with an alternative location to place your shellcode without having to bother about bad chars. All you would need to do is write some jumpcode (or egghunter) to jump to that location.
View the video online here or blog here.
compare
We already discussed the basic functionality of “compare” in the documentation of previous command.
0BADF00D0BADF00D Usage of command 'compare' :0BADF00D ----------------------------- Compares contents of a binary file with locations in memory. Mandatory argument : -f <filename> : full path to binary file Optional argument : -a <address> : the exact address of the bytes in memory (address or register). If you don't specify an address, I will try to locate the bytes in memory by looking at the first 8 bytes. -s : skip locations that belong to a module -unicode : perform unicode search. Note: input should *not* be unicode, it will be expanded automatically0BADF00D0BADF00D0BADF00D [+] This mona.py action took 0:00:00You can use this command to find bad chars (as explained earlier), but you can also use it to see if your shellcode got corrupted in memory.
You could, for example, write tag+tag+shellcode (egghunter egg) to a binary file and use the compare command to find the eggs and show if they got corrupted or not. If some of them do, others don’t, you’ll know if and how you have to tweak the start location of the hunter, or just use a checksum routine.
calltrace
Log all CALL instructions
0BADF00D0BADF00D Usage of command 'calltrace' :0BADF00D ------------------------------- Logs all CALL instructions Mandatory arguments : -m module : specify what module to search for CALL instructions (global option) Optional arguments : -a <number> : number of arguments to show for each CALL -r : also trace RETN instructions (will slow down process!)0BADF00D0BADF00D0BADF00D [+] This mona.py action took 0:00:00config / conf
Manage configuration file (mona.ini).
0BADF00D Usage of command 'config' :0BADF00D ---------------------------- Change config of mona.py Available options are : -get <parameter>, -set <parameter> <value> or -add <parameter> <value_to_add> Valid parameters are : workingfolder, excluded_modules, author0BADF00D0BADF00D0BADF00D [+] This mona.py action took 0:00:00Set our current work directory as follow:
!mona config -set workingfolder C:\logs\%pcopy / cp
Copy bytes from one location to another.
0BADF00D Usage of command 'copy' :0BADF00D -------------------------- Copies bytes from one location to another. Arguments: -src <address> : The source address -dst <address> : The destination address -n <number> : The number of bytes to copy0BADF00D0BADF00Dwe can copy 0x10 bytes from 0x00446000 to 0x00446010.
!mona copy -src 0x00446000 -dst 0x00446010 -n 0x10deferbp / bu
Set a memory breakpoint on read/write or execute of a given address.
0BADF00D0BADF00D Usage of command 'deferbp' :0BADF00D ----------------------------- Set a deferred breakpoint Mandatory arguments : -a <target>,<target>,... target can be an address, a modulename.functionname or module.dll+offset (hex value) Warning, modulename.functionname is case sensitive !0BADF00Ddump
Dump the specified range of memory to a file
0BADF00D0BADF00D Usage of command 'dump' :0BADF00D -------------------------- Dump the specified memory range to a file. Either the end address or the size of buffer needs to be specified. Mandatory arguments : -s <address> : start address -f <filename> : the name of the file where to write the bytes Optional arguments: -n <size> : the number of bytes to copy (size of the buffer) -e <address> : the end address of the copy0BADF00Dwe can dump 1000 bytes from 0x00437854.
!mona dump -s 0x00437854 -f C:\logs\RM2MP3Converter\dump.bin -n 1000egghunter
Create egghunter code.
0BADF00D0BADF00D Usage of command 'egghunter' :0BADF00D ------------------------------- Creates an egghunter routine Optional arguments : -t : tag (ex: w00t). Default value is w00t -c : enable checksum routine. Only works in conjunction with parameter -f -f <filename> : file containing the shellcode -startreg <reg> : start searching at the address pointed by this reg -wow64 : generate wow64 egghunter. Default is traditional 32bit egghunter DEP Bypass options : -depmethod <method> : method can be "virtualprotect", "copy" or "copy_size" -depreg <reg> : sets the register that contains a pointer to the API function to bypass DEP. By default this register is set to ESI -depsize <value> : sets the size for the dep bypass routine -depdest <reg> : this register points to the location of the egghunter itself. When bypassing DEP, the egghunter is already marked as executable. So when using the copy or copy_size methods, the DEP bypass in the egghunter would do a "copy 2 self". In order to be able to do so, it needs a register where it can copy the shellcode to. If you leave this empty, the code will contain a GetPC routine.0BADF00D0BADF00DIf you don’t specify a file containing shellcode, it will simply produce a regular egghunter routine. If you specify a filename, you’ll have the ability to use option -c, which will insert a checksum routine for the shellcode in the file. The checksum routine will only work for that particular shellcode (or any other shellcode with the same size, producing the same checksum value :) )
Using the various -dep* parameters, you can tell the egghunter routine to create code that will bypass DEP on the found egg, before running it. You can find more information about this technique here.
encode / enc
Encode a series of bytes.
0BADF00D0BADF00D Usage of command 'enc' :0BADF00D ------------------------- Encode a series of bytes Arguments: -t <type> : Type of encoder to use. Allowed value(s) are alphanum -s <bytes> : The bytes to encode (or use -f instead) -f <path to file> : The full path to the binary file that contains the bytes to encode0BADF00Dfilecompare / fc
Compares 2 or more files created by mona using the same output commands.
0BADF00D Usage of command 'filecompare' :0BADF00D --------------------------------- Compares 2 or more files created by mona using the same output commands Make sure to use files that are created with the same version of mona and contain the output of the same mona command. Mandatory argument : -f "file1,file2,...filen" Put all filenames between one set of double quotes, and separate files with comma's. You can specify a foldername as well with -f, all files in the root of that folder will be part of the compare. Output will be written to filecompare.txt and filecompare_not.txt (not matching pointers) Optional parameters : -contains "INSTRUCTION" (will only list if instruction is found) -nostrict (will also list pointer is instructions don't match in all files) -range <number> : find overlapping ranges for all pointers + range. When using -range, the -contains and -nostrict options will be ignored -ptronly : only show matching pointers (slightly faster). Doesn't work when 'range' is used0BADF00DFor example:
!mona filecompare -f "C:\logs\RM2MP3Converter\pattern.txt.old","C:\logs\RM2MP3Converter\pattern.txt.old2"find
The “find” command has improved a lot since its initial implementation in pvefindaddr. It’s faster, but above all it’s more flexible and has a shiney new “recursive” search feature.
0BADF00D Usage of command 'find' :0BADF00D -------------------------- Find a sequence of bytes in memory. Mandatory argument : -s <pattern> : the sequence to search for. If you specified type 'file', then use -s to specify the file. This file needs to be a file created with mona.py, containing pointers at the begin of each line. Optional arguments: -type <type> : Type of pattern to search for : bin,asc,ptr,instr,file -b <address> : base/bottom address of the search range -t <address> : top address of the search range -c : skip consecutive pointers but show length of the pattern instead -p2p : show pointers to pointers to the pattern (might take a while !) this setting equals setting -level to 1 -level <number> : do recursive (p2p) searches, specify number of levels deep if you want to look for pointers to pointers, set level to 1 -offset <number> : subtract a value from a pointer at a certain level -offsetlevel <number> : level to subtract a value from a pointer -r <number> : if p2p is used, you can tell the find to also find close pointers by specifying -r with a value. This value indicates the number of bytes to step backwards for each search -unicode : used in conjunction with search type asc, this will convert the search pattern to unicode first -ptronly : Only show the pointers, skip showing info about the pointer (slightly faster)0BADF00DBy default, “find” will look for all locations (accesslevel set to *). Furthermore, by default, it will search the entire memory space (including the memory space of modules that were excluded).
Example: Find all locations where the string “w00t” can be found:
!mona find -type asc -s "w00t"Example: Find all executable locations that have a pointer to “jmp ecx”
!mona find -type instr -s "jmp ecx" -p2p0BADF00D0BADF00D [+] This mona.py action took 0:00:000BADF00D [+] Command used:0BADF00D !mona find -type instr -s "jmp esp" -b 018F0000 -t 1DBD000 ---------- Mona command started on 2015-02-26 19:26:29 (v2.0, rev 554) ----------0BADF00D [+] Processing arguments and criteria0BADF00D - Pointer access level : *0BADF00D - Treating search pattern as instr0BADF00D [+] Searching from 0x018f0000 to 0x01dbd0000BADF00D [+] Preparing output file 'find.txt'0BADF00D - (Re)setting logfile C:\logs\RM2MP3Converter\find.txt0BADF00D [+] Generating module info table, hang on...0BADF00D - Processing modules0BADF00D - Done. Let's rock 'n roll.0BADF00D [+] Writing results to C:\logs\RM2MP3Converter\find.txt0BADF00D - Number of pointers of type '"jmp esp"' : 130BADF00D [+] Results :01AE023F 0x01ae023f (b+0x001f023f) : "jmp esp" | {PAGE_READONLY} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)01AFD3DB 0x01afd3db (b+0x0020d3db) : "jmp esp" | {PAGE_READONLY} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)01AAF23A 0x01aaf23a (b+0x001bf23a) : "jmp esp" | {PAGE_EXECUTE} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)01B1B22A 0x01b1b22a (b+0x0022b22a) : "jmp esp" | {PAGE_READWRITE} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)01B1B72D 0x01b1b72d (b+0x0022b72d) : "jmp esp" | {PAGE_READWRITE} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)01B1CD89 0x01b1cd89 (b+0x0022cd89) : "jmp esp" | {PAGE_READWRITE} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)01B25C9E 0x01b25c9e (b+0x00235c9e) : "jmp esp" | {PAGE_READWRITE} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)01B303D9 0x01b303d9 (b+0x002403d9) : "jmp esp" | {PAGE_READWRITE} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)01B31400 0x01b31400 (b+0x00241400) : "jmp esp" | null {PAGE_READWRITE} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)01B3736D 0x01b3736d (b+0x0024736d) : "jmp esp" | {PAGE_READWRITE} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)01B3CE34 0x01b3ce34 (b+0x0024ce34) : "jmp esp" | {PAGE_READWRITE} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)01B40159 0x01b40159 (b+0x00250159) : "jmp esp" | {PAGE_READWRITE} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)01B42EC0 0x01b42ec0 (b+0x00252ec0) : "jmp esp" | {PAGE_READWRITE} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)0BADF00D Found a total of 13 pointers0BADF00D0BADF00D [+] This mona.py action took 0:00:01.252000As we known, 0x01AAF23A is a good choice.
Example: Find All locations that have a pointer to any of the pointer in file c:\temp\seh.txt
!mona find -type file -s "c:\temp\seh.txt" -p2pExample : let’s say you control ECX, and your payload is at ESP+4
This is the code that will give you control over EIP :
MOV EAX,DWORD PTR DS:[ECX]CALL [EAX+58]The idea is to retun to the payload at ESP+4 to initiate a rop chain.
Think about it. What kind of pointer would we need to put in ECX ?
Answer : We need a pointer to a pointer(2), where pointer(2) – 0x58 points to a pointer to ADD ESP,4/RET.
For sure you find one manually. If you have time.
In order to instruct mona to find all pointers, you’ll need 2 commands :
One to find all stackpivots of 4One to find the ptr to ptr-0x58 to ptr to one of the stackpivotsSolution :
# first, get all stackpivots, save output to c:\logs\stackpivot.txt!mona config -set workingfolder c:\logs!mona stackpivot -distance 4,4# read the file and find ptr to ptr-58 to each of the pointers!mona find -type file -s "c:\logs\stackpivot.txt" -x * -offset 88 -level 2 -offsetlevel 2So basically, we need to apply the offset to level 2. (which is “look for ptr to ptr to ptr” in this case, because we already read ptr to the instructions into stackpivot).
Before looking for a pointer to a pointer in that level, the offset will be subtracted from the target pointer first.
Hint : in order to debug this routine, you’ll have to set a breakpoint on reading [ECX]. Suppose you put 7a10b473 in ECX, then – prior to triggering the bug – set a breakpoint on reading that location :
!mona bp -t READ -a 0x7a10b473findmsp
Find cyclic pattern in memory.
0BADF00D Usage of command 'findmsp' :0BADF00D ----------------------------- Finds begin of a cyclic pattern in memory, looks if one of the registers contains (is overwritten) with a cyclic pattern or points into a cyclic pattern. findmsp will also look if a SEH record is overwritten and finally, it will look for cyclic patterns on the stack, and pointers to cyclic pattern on the stack. Optional argument : -distance <value> : distance from ESP, applies to search on the stack. Default : search entire stack Note : you can use the same options as with pattern_create and pattern_offset in terms of defining the character set to use0BADF00Dfindwild
Find instructions in memory, accept wildcards.
0BADF00D0BADF00D Usage of command 'findwild' :0BADF00D ------------------------------ Find instructions in memory, accepts wildcards : Mandatory arguments : -s <instruction#instruction#instruction> (separate instructions with #) Optional arguments : -b <address> : base/bottom address of the search range -t <address> : top address of the search range -depth <nr> : number of instructions to go deep -all : show all instruction chains, even if it contains something that might break the chain -distance min=nr,max=nr : you can use a numeric offset wildcard (a single *) in the first instruction of the search the distance parameter allows you to specify the range of the offset Inside the instructions string, you can use the following wildcards : * = any instruction r32 = any register Example : pop r32#*#xor eax,eax#*#pop esi#ret0BADF00DInstructions are separated with #. You can use * to indicate that you want to allow any instruction(s). You can also use r32 to indicate that you want to allow any register.
Example : Search for a push (any register), later followed by pop eax, directly followed by inc eax, ending the chain with a retn :
!mona findwild -s "push r32#*#pop eax#inc eax#*#retn"You can, of course, use any of the global options to finetune/limit the search.
Output will be written to findwild.txt.
fwptr / fp
Find Writeable Pointers that get called.
geteat ** / eat
Show EAT of selected module(s)
!mona eat!mona eat -s "32"getiat / iat
Show IAT of selected module(s)
!mona iat!mona iat -s "32"getpc
Show getpc routines for specific registers.
0BADF00D0BADF00D Usage of command 'getpc' :0BADF00D --------------------------- Find getpc routine for specific register Mandatory argument : -r : register (ex: eax)0BADF00D0BADF00D0BADF00D [+] This mona.py action took 0:00:000BADF00D [+] Command used:0BADF00D !mona getpc -r eax0BADF00D [+] Preparing output file 'getpc.txt'0BADF00D - (Re)setting logfile C:\logs\RM2MP3Converter\getpc.txt eax| jmp short back: "\xeb\x03\x58\xff\xd0\xe8\xf8\xff\xff\xff" eax| call + 4: "\xe8\xff\xff\xff\xff\xc3\x58" eax| fstenv: "\xd9\xeb\x9b\xd9\x74\x24\xf4\x58"0BADF00D0BADF00D Wrote to file C:\logs\RM2MP3Converter\getpc.txt0BADF00Dgflags / gf
Show current GFlags settings from PEB.NtGlobalFlag.
0BADF00D0BADF00D [+] This mona.py action took 0:00:01.0720000BADF00D [+] Command used:0BADF00D !mona gflags0BADF00D [+] NtGlobalFlag: 0x000000700BADF00D 0x00000040 : +hpc - Enable Heap Parameter Checking0BADF00D 0x00000020 : +hfc - Enable Heap Free Checking0BADF00D 0x00000010 : +htc - Enable Heap Tail Checkingheader
Read a binary file and convert to a nice ‘header’ string.
!mona header -f "C:\Program Files\Easy RM to MP3 Converter\RM2MP3Converter.exe" -t pythonheap
Show heap related information.
0BADF00D0BADF00D Usage of command 'heap' :0BADF00D -------------------------- Show information about various heap chunk lists Mandatory arguments : -h <address> : base address of the heap to query -t <type> : where type is 'segments', 'chunks', 'layout', 'fea' (let mona determine the frontend allocator), 'lal' (force display of LAL FEA, only on XP/2003), 'lfh' (force display of LFH FEA (Vista/Win7/...)), 'bea' (backend allocator, mona will automatically determine what it is), 'all' (show all information) Note: 'layout' will show all heap chunks and their vtables & strings. Use on WinDBG for maximum results. Optional arguments : -expand : Works only in combination with 'layout', will include VA/LFH/... chunks in the search. VA/LFH chunks may be very big, so this might slow down the search. -stat : show statistics (also works in combination with -h heap, -t segments or -t chunks -size <nr> : only show strings of at least the specified size. Works in combination with 'layout' -after <data> : only show current & next chunk layout entries when an entry contains this data (Only works in combination with 'layout') -v : show data / write verbose info to the Log window0BADF00Dhelp
show help
hidedebug / hd
Attempt to hide the debugger from the process.
info
Show information about a given address in the context of the loaded application.
0BADF00D !mona info -a 0x004378540BADF00D [+] Generating module info table, hang on...0BADF00D - Processing modules0BADF00D - Done. Let's rock 'n roll.0BADF00D [+] NtGlobalFlag: 0x000000700BADF00D 0x00000040 : +hpc - Enable Heap Parameter Checking0BADF00D 0x00000020 : +hfc - Enable Heap Free Checking0BADF00D 0x00000010 : +htc - Enable Heap Tail Checking0BADF00D0BADF00D [+] Information about address 0x00437854773D0000 Modules C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll0BADF00D startnull,asciiprint,ascii,alphanum {PAGE_EXECUTE_READ}0BADF00D Address is part of page 0x00401000 - 0x0043c0000BADF00D Section : .text0BADF00D Address is part of a module:0BADF00D [RM2MP3Converter.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.7.3.700 (C:\Program Files\Easy RM to MP3 Converter\RM2MP3Converter.exe)0BADF00D Offset from module base: 0x378540BADF00D0BADF00D [+] Disassembly:0BADF00D Instruction at 00437854 : PUSH EBP0BADF00Dinfodump / if
Dumps contents of memory to file. Contents will include all pages that don’t belong to stack, heap or loaded modules.
Output will be written to infodump.xml
jmp / j
Find pointers that will allow you to a register.
!mona jmp -r espjop
Find gadgets that can be used in a JOP exploit.
kb
Manage Knowledgebase data.
0BADF00D0BADF00D Usage of command 'kb' :0BADF00D ------------------------ Manage knowledgebase data Mandatory arguments: -<type> : type can be 'list', 'set' or 'del' To 'set' ( = add / update ) a KB entry, or 'del' an entry, you will need to specify 2 additional arguments: -id <id> : the Knowledgebase ID -value <value> : the value to add/update. In case of lists, use a comma to separate entries. The -list parameter will show all current ID's To see the contents of a specific ID, use the -id <id> parameter.0BADF00Dmodules / mod
Show information about the loaded modules.
0BADF00D !mona modules ---------- Mona command started on 2015-02-26 21:19:37 (v2.0, rev 554) ----------0BADF00D [+] Processing arguments and criteria0BADF00D - Pointer access level : X0BADF00D [+] Generating module info table, hang on...0BADF00D - Processing modules0BADF00D - Done. Let's rock 'n roll.0BADF00D ----------------------------------------------------------------------------------------------------------------------------------0BADF00D Module info :0BADF00D ----------------------------------------------------------------------------------------------------------------------------------0BADF00D Base | Top | Size | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Version, Modulename & Path0BADF00D ----------------------------------------------------------------------------------------------------------------------------------0BADF00D 0x76080000 | 0x760e5000 | 0x00065000 | False | True | False | False | True | 6.02.3104.0 [MSVCP60.dll] (C:\WINDOWS\system32\MSVCP60.dll)0BADF00D 0x02020000 | 0x02030000 | 0x00010000 | True | False | False | False | False | -1.0- [MSRMfilter02.dll] (C:\Program Files\Easy RM to MP3 Converter\MSRMfilter02.dll)0BADF00D 0x5b860000 | 0x5b8b5000 | 0x00055000 | False | True | False | False | True | 5.1.2600.5512 [NETAPI32.dll] (C:\WINDOWS\system32\NETAPI32.dll)0BADF00D 0x7e1e0000 | 0x7e282000 | 0x000a2000 | False | True | False | False | True | 6.00.2900.5512 [urlmon.dll] (C:\WINDOWS\system32\urlmon.dll)0BADF00D 0x00400000 | 0x004be000 | 0x000be000 | False | False | False | False | False | 2.7.3.700 [RM2MP3Converter.exe] (C:\Program Files\Easy RM to MP3 Converter\RM2MP3Converter.exe)0BADF00D 0x77a80000 | 0x77b15000 | 0x00095000 | False | True | False | False | True | 5.131.2600.5512 [CRYPT32.dll] (C:\WINDOWS\system32\CRYPT32.dll)0BADF00D 0x76f20000 | 0x76f47000 | 0x00027000 | False | True | False | False | True | 5.1.2600.5512 [DNSAPI.dll] (C:\WINDOWS\system32\DNSAPI.dll)0BADF00D 0x77c70000 | 0x77c94000 | 0x00024000 | False | True | False | False | True | 5.1.2600.5512 [msv1_0.dll] (C:\WINDOWS\system32\msv1_0.dll)0BADF00D 0x77c10000 | 0x77c68000 | 0x00058000 | False | True | False | False | True | 7.0.2600.5512 [msvcrt.dll] (C:\WINDOWS\system32\msvcrt.dll)0BADF00D 0x7c900000 | 0x7c9af000 | 0x000af000 | False | True | False | False | True | 5.1.2600.5512 [ntdll.dll] (C:\WINDOWS\system32\ntdll.dll)0BADF00D 0x01860000 | 0x018d1000 | 0x00071000 | True | False | False | False | False | -1.0- [MSRMCcodec00.dll] (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec00.dll)0BADF00D 0x71a90000 | 0x71a98000 | 0x00008000 | False | True | False | False | True | 5.1.2600.5512 [wshtcpip.dll] (C:\WINDOWS\System32\wshtcpip.dll)0BADF00D 0x018f0000 | 0x01dbd000 | 0x004cd000 | True | False | False | False | False | -1.0- [MSRMCcodec02.dll] (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)0BADF00D 0x01dc0000 | 0x01dd1000 | 0x00011000 | True | True | False | False | True | 7.0.2600.5512 [MSVCIRT.dll] (C:\WINDOWS\system32\MSVCIRT.dll)0BADF00D 0x00ab0000 | 0x00b4f000 | 0x0009f000 | True | False | False | False | False | -1.0- [MSRMfilter01.dll] (C:\Program Files\Easy RM to MP3 Converter\MSRMfilter01.dll)0BADF00D 0x02240000 | 0x02252000 | 0x00012000 | True | False | False | False | False | -1.0- [MSLog.dll] (C:\Program Files\Easy RM to MP3 Converter\MSLog.dll)0BADF00D 0x76fc0000 | 0x76fc6000 | 0x00006000 | False | True | False | False | True | 5.1.2600.5512 [rasadhlp.dll] (C:\WINDOWS\system32\rasadhlp.dll)0BADF00D 0x10000000 | 0x10071000 | 0x00071000 | False | False | False | False | False | -1.0- [MSRMfilter03.dll] (C:\Program Files\Easy RM to MP3 Converter\MSRMfilter03.dll)0BADF00D 0x76ee0000 | 0x76f1c000 | 0x0003c000 | False | True | False | False | True | 5.1.2600.5512 [RASAPI32.DLL] (C:\WINDOWS\system32\RASAPI32.DLL)0BADF00D 0x77fe0000 | 0x77ff1000 | 0x00011000 | False | True | False | False | True | 5.1.2600.5512 [Secur32.dll] (C:\WINDOWS\system32\Secur32.dll)0BADF00D 0x71aa0000 | 0x71aa8000 | 0x00008000 | False | True | False | False | True | 5.1.2600.5512 [WS2HELP.dll] (C:\WINDOWS\system32\WS2HELP.dll)0BADF00D 0x73dd0000 | 0x73ece000 | 0x000fe000 | False | True | False | False | True | 6.02.4131.0 [MFC42.DLL] (C:\WINDOWS\system32\MFC42.DLL)0BADF00D 0x774e0000 | 0x7761d000 | 0x0013d000 | False | True | False | False | True | 5.1.2600.5512 [ole32.dll] (C:\WINDOWS\system32\ole32.dll)0BADF00D 0x77f60000 | 0x77fd6000 | 0x00076000 | False | True | False | False | True | 6.00.2900.5512 [SHLWAPI.dll] (C:\WINDOWS\system32\SHLWAPI.dll)0BADF00D 0x662b0000 | 0x66308000 | 0x00058000 | False | True | False | False | True | 5.1.2600.5512 [hnetcfg.dll] (C:\WINDOWS\system32\hnetcfg.dll)0BADF00D 0x7e410000 | 0x7e4a1000 | 0x00091000 | False | True | False | False | True | 5.1.2600.5512 [USER32.dll] (C:\WINDOWS\system32\USER32.dll)0BADF00D 0x763b0000 | 0x763f9000 | 0x00049000 | False | True | False | False | True | 6.00.2900.5512 [comdlg32.dll] (C:\WINDOWS\system32\comdlg32.dll)0BADF00D 0x71ad0000 | 0x71ad9000 | 0x00009000 | False | True | False | False | True | 5.1.2600.5512 [wsock32.dll] (C:\WINDOWS\system32\wsock32.dll)0BADF00D 0x76e80000 | 0x76e8e000 | 0x0000e000 | False | True | False | False | True | 5.1.2600.5512 [rtutils.dll] (C:\WINDOWS\system32\rtutils.dll)0BADF00D 0x01fe0000 | 0x01ffe000 | 0x0001e000 | True | False | False | False | True | 1.0.1.8 [wmatimer.dll] (C:\WINDOWS\system32\wmatimer.dll)0BADF00D 0x5ad70000 | 0x5ada8000 | 0x00038000 | False | True | False | False | True | 6.00.2900.5512 [uxtheme.dll] (C:\WINDOWS\system32\uxtheme.dll)0BADF00D 0x77120000 | 0x771ab000 | 0x0008b000 | False | True | False | False | True | 5.1.2600.5512 [OLEAUT32.dll] (C:\WINDOWS\system32\OLEAUT32.dll)0BADF00D 0x722b0000 | 0x722b5000 | 0x00005000 | False | True | False | False | True | 5.1.2600.5512 [sensapi.dll] (C:\WINDOWS\system32\sensapi.dll)0BADF00D 0x7c9c0000 | 0x7d1d7000 | 0x00817000 | False | True | False | False | True | 6.00.2900.5512 [SHELL32.dll] (C:\WINDOWS\system32\SHELL32.dll)0BADF00D 0x77e70000 | 0x77f02000 | 0x00092000 | False | True | False | False | True | 5.1.2600.5512 [RPCRT4.dll] (C:\WINDOWS\system32\RPCRT4.dll)0BADF00D 0x77b20000 | 0x77b32000 | 0x00012000 | False | True | False | False | True | 5.1.2600.5512 [MSASN1.dll] (C:\WINDOWS\system32\MSASN1.dll)0BADF00D 0x773d0000 | 0x774d3000 | 0x00103000 | False | True | False | False | True | 6.0 [comctl32.dll] (C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll)0BADF00D 0x769c0000 | 0x76a74000 | 0x000b4000 | False | True | False | False | True | 5.1.2600.5512 [USERENV.dll] (C:\WINDOWS\system32\USERENV.dll)0BADF00D 0x76e90000 | 0x76ea2000 | 0x00012000 | False | True | False | False | True | 5.1.2600.5512 [rasman.dll] (C:\WINDOWS\system32\rasman.dll)0BADF00D 0x771b0000 | 0x7725a000 | 0x000aa000 | False | True | False | False | True | 6.00.2900.5512 [WININET.dll] (C:\WINDOWS\system32\WININET.dll)0BADF00D 0x5d090000 | 0x5d12a000 | 0x0009a000 | False | True | False | False | True | 5.82 [COMCTL32.dll] (C:\WINDOWS\system32\COMCTL32.dll)0BADF00D 0x76d60000 | 0x76d79000 | 0x00019000 | False | True | False | False | True | 5.1.2600.5512 [iphlpapi.dll] (C:\WINDOWS\system32\iphlpapi.dll)0BADF00D 0x71a50000 | 0x71a8f000 | 0x0003f000 | False | True | False | False | True | 5.1.2600.5512 [mswsock.dll] (C:\WINDOWS\System32\mswsock.dll)0BADF00D 0x76b40000 | 0x76b6d000 | 0x0002d000 | False | True | False | False | True | 5.1.2600.5512 [WINMM.dll] (C:\WINDOWS\system32\WINMM.dll)0BADF00D 0x7c800000 | 0x7c8f6000 | 0x000f6000 | False | True | False | False | True | 5.1.2600.5512 [kernel32.dll] (C:\WINDOWS\system32\kernel32.dll)0BADF00D 0x77f10000 | 0x77f59000 | 0x00049000 | False | True | False | False | True | 5.1.2600.5512 [GDI32.dll] (C:\WINDOWS\system32\GDI32.dll)0BADF00D 0x018e0000 | 0x018e7000 | 0x00007000 | True | False | False | False | False | -1.0- [MSRMCcodec01.dll] (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec01.dll)0BADF00D 0x73000000 | 0x73026000 | 0x00026000 | False | True | False | False | True | 5.1.2600.5512 [WINSPOOL.DRV] (C:\WINDOWS\system32\WINSPOOL.DRV)0BADF00D 0x77c00000 | 0x77c08000 | 0x00008000 | False | True | False | False | True | 5.1.2600.5512 [VERSION.dll] (C:\WINDOWS\system32\VERSION.dll)0BADF00D 0x77dd0000 | 0x77e6b000 | 0x0009b000 | False | True | False | False | True | 5.1.2600.5512 [ADVAPI32.dll] (C:\WINDOWS\system32\ADVAPI32.dll)0BADF00D 0x71ab0000 | 0x71ac7000 | 0x00017000 | False | True | False | False | True | 5.1.2600.5512 [WS2_32.dll] (C:\WINDOWS\system32\WS2_32.dll)0BADF00D 0x76eb0000 | 0x76edf000 | 0x0002f000 | False | True | False | False | True | 5.1.2600.5512 [TAPI32.dll] (C:\WINDOWS\system32\TAPI32.dll)0BADF00D ----------------------------------------------------------------------------------------------------------------------------------0BADF00Dnoaslr
Show modules that are not aslr or rebased
nosafeseh
Show modules that are not safeseh protected
nosafesehaslr
Show modules that are not safeseh protected, not aslr and not rebased.
offset
Calcalate the number og bytes between two addresses.
pageacl / pacl
Show ACL associated with mapped pages.
pattern_create / pc
Create a cyclic pattern of a given size.
0BADF00D Usage of command 'pattern_create' :0BADF00D ------------------------------------ Create a cyclic pattern of a given size. Output will be written to pattern.txt Mandatory argument : size (numberic value) Optional arguments : -js : output pattern in unicode escaped javascript format -extended : extend the 3rd characterset (numbers) with punctuation marks etc -c1 <chars> : set the first charset to this string of characters -c2 <chars> : set the second charset to this string of characters -c3 <chars> : set the third charset to this string of characters0BADF00Dpattern_offset / po
Find location of 4 bytes in a cyclic pattern.
0BADF00D0BADF00D Usage of command 'pattern_offset' :0BADF00D ------------------------------------ Find the location of 4 bytes in a cyclic pattern Mandatory argument : the 4 bytes to look for Note : you can also specify a register Optional arguments : -extended : extend the 3rd characterset (numbers) with punctuation marks etc -c1 <chars> : set the first charset to this string of characters -c2 <chars> : set the second charset to this string of characters -c3 <chars> : set the third charset to this string of characters Note : the charset must match the charset that was used to create the pattern !0BADF00DFor example:
!mona pattern_create 1000 # get a exception EIP address!mona pattern_offset EIP # return the offsetpeb
Show location of the PEB
rop
Find gadgets that can be used in a ROP exploit and do ROP magic with them
ropfunc
Find pointers to pointers (IAT) to interesting functions that can be used in your rop chain.
seh
Find pointers to assist with SEH overwrite exploits.
sehchain / exchain
Show the current SEH chain
skeleton
Create a Metasploit module skeleton with a cyclic pattern for a given type of exploit.
stackpivot
Finds stackpivots (move stackpointer to controlled area)
stacks
Show all stacks for all threads in the running application.
string / str
Read or write a string from/to memory
suggest
Suggest an exploit buffer structure
0BADF00D Usage of command 'suggest' :0BADF00D ----------------------------- Suggests an exploit buffer structure based on pointers to a cyclic pattern Note : you can use the same options as with pattern_create and pattern_offset in terms of defining the character set to use Mandatory argument in case you are using WinDBG: -t <type:arg> : skeletontype. Valid types are : tcpclient:port, udpclient:port, fileformat:extension Examples : -t tcpclient:21 -t fileformat:pdf0BADF00DVideo here.
teb
Show TEB related information
unicodealign / ua
Generate venetian alignment code for unicode stack buffer overflow.
update / up
Update mona to the lastest version
!mona up -httpReferences
[1]. https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/
- exploit - mona.py - the manual
- 为windbg安装mona.py
- windbg安装mona.py插件
- windows-exploit-suggester.py
- Universal DEP/ASLR bypass with msvcr71.dll and mona.py
- mona常用命令
- urllib2 - The Missing Manual
- The Cacti Manual
- urllib2 - The Missing Manual
- The Matrix Reference Manual
- The Xlib Manual
- The Internet: The Missing Manual
- The Internet: The Missing Manual
- The advices of exploit the oversea market
- exploit
- exploit
- Exploit
- Exploit
- iOS Runloop学习笔记
- java批量更新数据库
- IOS 警告 (一)
- Handling Concurrency(tag:觉得写的很精彩)
- 同源策略
- exploit - mona.py - the manual
- Linux 搭建DNS服务器
- oracle 11g 安装配置EM
- php数组冒泡排序
- [lydstar]crawler:知乎·瞎扯
- swift UI专项训练15 PcikerView老虎机视图
- 图像处理学习之路(一)
- CodeForces 197C Lexicographically Maximum Subsequence
- [lydstar]忙碌的八月
