Installing and using mona in WinDbg

Source: Internet   Editor: 程序博客网   Time: 2024/06/06 01:19
1. Installing mona

Reference: http://blog.csdn.net/bugmeout/article/details/45199139


One-click download of a mona build for 32-bit Windows 7: http://download.csdn.net/detail/oatnehc/7367933

Note that this is a third-party mirror. mona is a Python script that runs inside your debugger, so prefer fetching mona.py (and the matching pykd.pyd) from the Corelan project page that the tool's own help banner lists, https://github.com/corelan/mona, rather than an unverified copy.


2. The mona command line

First load the PyKD extension, then run mona through it. Running !py mona with no arguments prints the banner and the full command list:

0:000> !load pykd.pyd
0:000> !py mona
** Warning, no symbol path set ! **
   I'll set the symbol path to srv*c:\symbols*http://msdl.microsoft.com/download/symbols
   Symbol path set, now reloading symbols...
   All set. Please restart WinDBG.
Hold on...
[+] Command used:
!py mona.py

    'mona' - Exploit Development Swiss Army Knife - WinDBG (32bit)
    Plugin version : 2.0 r566
    PyKD version 0.2.0.29
    Written by Corelan - https://www.corelan.be
    Project page : https://github.com/corelan/mona

    |------------------------------------------------------------------|
    |                                                                  |
    |    _____ ___  ____  ____  ____ _                                 |
    |    / __ `__ \/ __ \/ __ \/ __ `/  https://www.corelan.be         |
    |   / / / / / / /_/ / / / / /_/ /  https://www.corelan-training.com|
    |  /_/ /_/ /_/\____/_/ /_/\__,_/  #corelan (Freenode IRC)          |
    |                                                                  |
    |------------------------------------------------------------------|

Global options :
----------------
You can use one or more of the following global options on any command that will perform
a search in one or more modules, returning a list of pointers :
 -n                     : Skip modules that start with a null byte. If this is too broad, use
                          option -cp nonull instead
 -o                     : Ignore OS modules
 -p <nr>                : Stop search after <nr> pointers.
 -m <module,module,...> : only query the given modules. Be sure what you are doing !
                          You can specify multiple modules (comma separated)
                          Tip : you can use -m *  to include all modules. All other module criteria will be ignored
                          Other wildcards : *blah.dll = ends with blah.dll, blah* = starts with blah,
                          blah or *blah* = contains blah
 -cm <crit,crit,...>    : Apply some additional criteria to the modules to query.
                          You can use one or more of the following criteria :
                          aslr,safeseh,rebase,nx,os
                          You can enable or disable a certain criterium by setting it to true or false
                          Example :  -cm aslr=true,safeseh=false
                          Suppose you want to search for p/p/r in aslr enabled modules, you could call
                          !mona seh -cm aslr
 -cp <crit,crit,...>    : Apply some criteria to the pointers to return
                          Available options are :
                          unicode,ascii,asciiprint,upper,lower,uppernum,lowernum,numeric,alphanum,nonull,startswithnull,unicoderev
                          Note : Multiple criteria will be evaluated using 'AND', except if you are looking for unicode + one crit
 -cpb '\x00\x01'        : Provide list with bad chars, applies to pointers
                          You can use .. to indicate a range of bytes (in between 2 bad chars)
 -x <access>            : Specify desired access level of the returning pointers. If not specified,
                          only executable pointers will be returned.
                          Access levels can be one of the following values : R,W,X,RW,RX,WX,RWX or *

Usage :
-------
 !mona <command> <parameter>

Available commands and parameters :

? / eval             | Evaluate an expression
allocmem / alloc     | Allocate some memory in the process
assemble / asm       | Convert instructions to opcode. Separate multiple instructions with #
bpseh / sehbp        | Set a breakpoint on all current SEH Handler function pointers
breakfunc / bf       | Set a breakpoint on an exported function in on or more dll's
breakpoint / bp      | Set a memory breakpoint on read/write or execute of a given address
bytearray / ba       | Creates a byte array, can be used to find bad characters
changeacl / ca       | Change the ACL of a given page
compare / cmp        | Compare contents of a binary file with a copy in memory
config / conf        | Manage configuration file (mona.ini)
copy / cp            | Copy bytes from one location to another
dump                 | Dump the specified range of memory to a file
dumplog / dl         | Dump objects present in alloc/free log file
dumpobj / do         | Dump the contents of an object
egghunter / egg      | Create egghunter code
encode / enc         | Encode a series of bytes
filecompare / fc     | Compares 2 or more files created by mona using the same output commands
fillchunk / fchunk   | Fill a heap chunk referenced by a register
find / f             | Find bytes in memory
findmsp / findmsf    | Find cyclic pattern in memory
findwild / fw        | Find instructions in memory, accepts wildcards
flow / flw           | Simulate execution flows, including all branch combinations
fwptr / fwp          | Find Writeable Pointers that get called
geteat / eat         | Show EAT of selected module(s)
getiat / iat         | Show IAT of selected module(s)
getpc                | Show getpc routines for specific registers
gflags / gf          | Show current GFlags settings from PEB.NtGlobalFlag
header               | Read a binary file and convert content to a nice 'header' string
heap                 | Show heap related information
help                 | show help
hidedebug / hd       | Attempt to hide the debugger
info                 | Show information about a given address in the context of the loaded application
infodump / if        | Dumps specific parts of memory to file
jmp / j              | Find pointers that will allow you to jump to a register
jop                  | Finds gadgets that can be used in a JOP exploit
kb / kb              | Manage Knowledgebase data
modules / mod        | Show all loaded modules and their properties
noaslr               | Show modules that are not aslr or rebased
nosafeseh            | Show modules that are not safeseh protected
nosafesehaslr        | Show modules that are not safeseh protected, not aslr and not rebased
offset               | Calculate the number of bytes between two addresses
pageacl / pacl       | Show ACL associated with mapped pages
pattern_create / pc  | Create a cyclic pattern of a given size
pattern_offset / po  | Find location of 4 bytes in a cyclic pattern
peb / peb            | Show location of the PEB
rop                  | Finds gadgets that can be used in a ROP exploit and do ROP magic with them
ropfunc              | Find pointers to pointers (IAT) to interesting functions that can be used in your ROP chain
seh                  | Find pointers to assist with SEH overwrite exploits
sehchain / exchain   | Show the current SEH chain
skeleton             | Create a Metasploit module skeleton with a cyclic pattern for a given type of exploit
stackpivot           | Finds stackpivots (move stackpointer to controlled area)
stacks               | Show all stacks for all threads in the running application
string / str         | Read or write a string from/to memory
suggest              | Suggest an exploit buffer structure
teb / teb            | Show TEB related information
tobp / 2bp           | Generate WinDBG syntax to create a logging breakpoint at given location
unicodealign / ua    | Generate venetian alignment code for unicode stack buffer overflow
update / up          | Update mona to the latest version

Want more info about a given command ?  Run !mona help <command>
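The four commands a first-time user reaches for most from the list above are pattern_create / pattern_offset (locate the bytes that land in EIP) and bytearray / compare (find bad characters). As an added example that is not part of this page or of mona's own source, the Python below re-implements what those commands compute so the logic can be checked outside the debugger: the same Aa0Aa1... alphabet mona uses, the little-endian handling that lets you paste a register value straight into pattern_offset, and the send-compare-exclude loop you otherwise drive by hand with !mona bytearray -cpb and !mona compare -f. The _simulated_target function is a constructed stand-in for a vulnerable service (it is not a real program) that truncates at 0x00 and rewrites 0x0a as 0x0d 0x0a, a behaviour typical of C string copies and text-mode protocol parsers.

```python
"""Added example (not mona's code): stand-alone versions of what
!mona pattern_create, !mona pattern_offset, !mona bytearray and
!mona compare compute. All test data below is constructed."""
import string
import struct

# Metasploit/mona cyclic alphabet: every 3-byte chunk is upper, lower, digit.
# 26 * 26 * 10 chunks * 3 bytes = 20280 bytes before the pattern repeats.
_CYCLE = "".join(
    u + l + d
    for u in string.ascii_uppercase
    for l in string.ascii_lowercase
    for d in string.digits
).encode()


def pattern_create(length: int) -> bytes:
    """Cyclic pattern 'Aa0Aa1Aa2...' of exactly `length` bytes (like !mona pc)."""
    reps = length // len(_CYCLE) + 1
    return (_CYCLE * reps)[:length]


def pattern_offset(value, length: int = len(_CYCLE)):
    """Offset of `value` in pattern_create(length), or None if it is not there.

    `value` may be the 4 bytes as they sit in memory (bytes/str) or the dword a
    32-bit register shows after the overwrite (int). x86 is little-endian, so
    EIP = 0x41346141 means the bytes in memory were 'Aa4A'; packing the int with
    '<I' recovers that order, which is what !mona po does with a hex argument.
    Past 20280 bytes the pattern repeats, so offsets there are ambiguous.
    """
    if isinstance(value, int):
        needle = struct.pack("<I", value)
    elif isinstance(value, str):
        needle = value.encode()
    else:
        needle = bytes(value)
    idx = pattern_create(length).find(needle)
    return None if idx == -1 else idx


def bytearray_without(badchars: bytes = b"") -> bytes:
    """All 256 byte values in order minus `badchars` (what !mona ba -cpb emits)."""
    excluded = set(badchars)
    return bytes(b for b in range(256) if b not in excluded)


def first_bad_char(reference: bytes, in_memory: bytes):
    """Return the first byte of `reference` that did not survive the trip into
    the target (as read back in `in_memory`), or None if everything matched.
    As with !mona compare, a copy that stops early counts as the next expected
    byte being bad (a C string copy halting at 0x00 looks exactly like this)."""
    for i, expected in enumerate(reference):
        if i >= len(in_memory) or in_memory[i] != expected:
            return expected
    return None


def find_bad_chars(target, known_bad: bytes = b"\x00") -> bytes:
    """Drive the bytearray/compare loop: send the array minus the bad chars known
    so far, read the copy back, add the first byte that broke, repeat until the
    copy is intact. `target` is any callable mapping sent bytes to the bytes
    that ended up in memory. Returns the sorted set of bad characters."""
    bad = bytearray(known_bad)
    while True:
        ref = bytearray_without(bytes(bad))
        culprit = first_bad_char(ref, target(ref))
        if culprit is None:
            return bytes(sorted(bad))
        bad.append(culprit)  # cannot already be in `bad`: it was sent, so it was not excluded


def _simulated_target(buf: bytes) -> bytes:
    """Constructed stand-in for a vulnerable service: a strcpy-style copy that
    stops at 0x00 and a line-oriented parser that turns 0x0a into 0x0d 0x0a."""
    out = bytearray()
    for b in buf:
        if b == 0x00:
            break
        out += b"\r\n" if b == 0x0a else bytes([b])
    return bytes(out)


if __name__ == "__main__":
    print(pattern_create(20))                 # b'Aa0Aa1Aa2Aa3Aa4Aa5Aa'
    print(pattern_offset(0x41346141))         # 12  (EIP after a crash, little-endian)
    print(pattern_offset("Aa3A"))             # 9   (the same 4 bytes as seen in memory)
    print(find_bad_chars(_simulated_target))  # b'\x00\n'
```

In the debugger the equivalent sequence is !mona pc 5000 to build the pattern, crash the target, then !mona po 41346141 with the value from EIP; for bad characters, !mona ba -cpb '\x00' writes the array to a file, and after sending it !mona cmp -f <file> -a <address> reports the first mismatch, which you add to -cpb and repeat, exactly the loop find_bad_chars automates.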

3. Using mona to build a ROP chain and bypass DEP

See the linked write-up, which is a good article on the topic: http://drops.wooyun.org/papers/3602
