Installing and using mona in WinDbg
Source: Internet  Published by: 小众社交软件  Editor: 程序博客网  Time: 2024/06/06 01:19
1. Installing mona
Reference: http://blog.csdn.net/bugmeout/article/details/45199139
One-click download of the mona build for 32-bit Windows 7: http://download.csdn.net/detail/oatnehc/7367933
2. The mona command line
0:000> !load pykd.pyd
0:000> !py mona
** Warning, no symbol path set ! **
I'll set the symbol path to srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Symbol path set, now reloading symbols...
All set. Please restart WinDBG.
Hold on...
[+] Command used:
!py mona.py

    'mona' - Exploit Development Swiss Army Knife - WinDBG (32bit)
    Plugin version : 2.0 r566
    PyKD version 0.2.0.29
    Written by Corelan - https://www.corelan.be
    Project page : https://github.com/corelan/mona

 |------------------------------------------------------------------|
 |                                                                  |
 |       _____ ___  ____  ____  ____ _                              |
 |      / __ `__ \/ __ \/ __ \/ __ `/      https://www.corelan.be   |
 |     / / / / / / /_/ / / / / /_/ /       https://www.corelan-training.com|
 |    /_/ /_/ /_/\____/_/ /_/\__,_/        #corelan (Freenode IRC)  |
 |                                                                  |
 |------------------------------------------------------------------|

Global options :
----------------
You can use one or more of the following global options on any command that will perform
a search in one or more modules, returning a list of pointers :
 -n                     : Skip modules that start with a null byte. If this is too broad, use
                          option -cp nonull instead
 -o                     : Ignore OS modules
 -p <nr>                : Stop search after <nr> pointers.
 -m <module,module,...> : only query the given modules. Be sure what you are doing !
                          You can specify multiple modules (comma separated)
                          Tip : you can use -m * to include all modules. All other module criteria will be ignored
                          Other wildcards : *blah.dll = ends with blah.dll, blah* = starts with blah,
                          blah or *blah* = contains blah
 -cm <crit,crit,...>    : Apply some additional criteria to the modules to query.
                          You can use one or more of the following criteria :
                          aslr,safeseh,rebase,nx,os
                          You can enable or disable a certain criterium by setting it to true or false
                          Example : -cm aslr=true,safeseh=false
                          Suppose you want to search for p/p/r in aslr enabled modules, you could call
                          !mona seh -cm aslr
 -cp <crit,crit,...>    : Apply some criteria to the pointers to return
                          Available options are :
                          unicode,ascii,asciiprint,upper,lower,uppernum,lowernum,numeric,alphanum,nonull,startswithnull,unicoderev
                          Note : Multiple criteria will be evaluated using 'AND', except if you are looking for unicode + one crit
 -cpb '\x00\x01'        : Provide list with bad chars, applies to pointers
                          You can use .. to indicate a range of bytes (in between 2 bad chars)
 -x <access>            : Specify desired access level of the returning pointers. If not specified,
                          only executable pointers will be returned.
                          Access levels can be one of the following values : R,W,X,RW,RX,WX,RWX or *

Usage :
-------
 !mona <command> <parameter>

Available commands and parameters :

? / eval             | Evaluate an expression
allocmem / alloc     | Allocate some memory in the process
assemble / asm       | Convert instructions to opcode. Separate multiple instructions with #
bpseh / sehbp        | Set a breakpoint on all current SEH Handler function pointers
breakfunc / bf       | Set a breakpoint on an exported function in on or more dll's
breakpoint / bp      | Set a memory breakpoint on read/write or execute of a given address
bytearray / ba       | Creates a byte array, can be used to find bad characters
changeacl / ca       | Change the ACL of a given page
compare / cmp        | Compare contents of a binary file with a copy in memory
config / conf        | Manage configuration file (mona.ini)
copy / cp            | Copy bytes from one location to another
dump                 | Dump the specified range of memory to a file
dumplog / dl         | Dump objects present in alloc/free log file
dumpobj / do         | Dump the contents of an object
egghunter / egg      | Create egghunter code
encode / enc         | Encode a series of bytes
filecompare / fc     | Compares 2 or more files created by mona using the same output commands
fillchunk / fchunk   | Fill a heap chunk referenced by a register
find / f             | Find bytes in memory
findmsp / findmsf    | Find cyclic pattern in memory
findwild / fw        | Find instructions in memory, accepts wildcards
flow / flw           | Simulate execution flows, including all branch combinations
fwptr / fwp          | Find Writeable Pointers that get called
geteat / eat         | Show EAT of selected module(s)
getiat / iat         | Show IAT of selected module(s)
getpc                | Show getpc routines for specific registers
gflags / gf          | Show current GFlags settings from PEB.NtGlobalFlag
header               | Read a binary file and convert content to a nice 'header' string
heap                 | Show heap related information
help                 | show help
hidedebug / hd       | Attempt to hide the debugger
info                 | Show information about a given address in the context of the loaded application
infodump / if        | Dumps specific parts of memory to file
jmp / j              | Find pointers that will allow you to jump to a register
jop                  | Finds gadgets that can be used in a JOP exploit
kb / kb              | Manage Knowledgebase data
modules / mod        | Show all loaded modules and their properties
noaslr               | Show modules that are not aslr or rebased
nosafeseh            | Show modules that are not safeseh protected
nosafesehaslr        | Show modules that are not safeseh protected, not aslr and not rebased
offset               | Calculate the number of bytes between two addresses
pageacl / pacl       | Show ACL associated with mapped pages
pattern_create / pc  | Create a cyclic pattern of a given size
pattern_offset / po  | Find location of 4 bytes in a cyclic pattern
peb / peb            | Show location of the PEB
rop                  | Finds gadgets that can be used in a ROP exploit and do ROP magic with them
ropfunc              | Find pointers to pointers (IAT) to interesting functions that can be used in your ROP chain
seh                  | Find pointers to assist with SEH overwrite exploits
sehchain / exchain   | Show the current SEH chain
skeleton             | Create a Metasploit module skeleton with a cyclic pattern for a given type of exploit
stackpivot           | Finds stackpivots (move stackpointer to controlled area)
stacks               | Show all stacks for all threads in the running application
string / str         | Read or write a string from/to memory
suggest              | Suggest an exploit buffer structure
teb / teb            | Show TEB related information
tobp / 2bp           | Generate WinDBG syntax to create a logging breakpoint at given location
unicodealign / ua    | Generate venetian alignment code for unicode stack buffer overflow
update / up          | Update mona to the latest version

Want more info about a given command ? Run !mona help
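The help text above describes how the -cpb bad-character list (with ".." ranges) and the -cp pointer criteria narrow a list of candidate pointers, with several criteria combined by AND. The following is an added example written for this page, not mona's own code: it models that filtering on a constructed list of 32-bit addresses, and the byte test assigned to each -cp name is my reading of the help text rather than mona's implementation.

```python
import re
# Added example, not mona's own code: models how the -cpb and -cp global options
# described above narrow a candidate pointer list (a subset of the -cp names is shown).
_TOKEN = re.compile(r'\\x([0-9a-fA-F]{2})|(\.\.)')

def parse_badchars(spec):
    """Expand a -cpb spec typed as r'\x00\x0a..\x0d' into a set of byte values;
    '..' marks an inclusive range between the two bad chars around it."""
    tokens = [int(h, 16) if h else '..' for h, _ in _TOKEN.findall(spec)]
    bad, i = set(), 0
    while i < len(tokens):
        if tokens[i] == '..':
            if i == 0 or i + 1 >= len(tokens) or '..' in (tokens[i - 1], tokens[i + 1]):
                raise ValueError("'..' must sit between two bad chars")
            bad.update(range(tokens[i - 1], tokens[i + 1] + 1))
            i += 2                      # the range end byte is consumed here too
        else:
            bad.add(tokens[i])
            i += 1
    return bad

def _every(pred):
    return lambda b: all(pred(x) for x in b)
# Tests see the pointer's 4 bytes in big-endian order: b[0] is the most
# significant byte, so 0x00XXXXXX is what mona calls "startswithnull".
CRITERIA = {
    'nonull':         lambda b: 0x00 not in b,
    'startswithnull': lambda b: b[0] == 0x00,
    'unicode':        lambda b: b[0] == 0x00 and b[2] == 0x00,   # 0x00XX00XX
    'ascii':          _every(lambda x: x < 0x80),
    'asciiprint':     _every(lambda x: 0x20 <= x <= 0x7e),
    'upper':          _every(lambda x: 0x41 <= x <= 0x5a),
    'numeric':        _every(lambda x: 0x30 <= x <= 0x39),
    'alphanum':       _every(lambda x: x < 0x80 and chr(x).isalnum()),
}

def filter_pointers(ptrs, badchars='', criteria=()):
    """Keep 32-bit pointers with no bad byte that satisfy every criterion (AND,
    as the help says; the 'unicode + one crit' special case is not modelled)."""
    bad = parse_badchars(badchars)
    keep = []
    for p in ptrs:
        b = p.to_bytes(4, 'big')
        if not any(x in bad for x in b) and all(CRITERIA[c](b) for c in criteria):
            keep.append(p)
    return keep

# Constructed sample addresses, not taken from any real module.
SAMPLE_PTRS = [0x00401234, 0x7c80ae40, 0x41424344, 0x7c0d0a00,
               0x31323334, 0x41614262, 0x7c0b1122, 0x00410042]
```

Calling `filter_pointers(SAMPLE_PTRS, r'\x00\x0a..\x0d', ('asciiprint',))` keeps only the three addresses made entirely of printable bytes, the same narrowing the `-cpb` and `-cp` options perform on a real search.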
3. Using mona to build a ROP chain and bypass DEP
See the linked article; it is a good one: http://drops.wooyun.org/papers/3602