exploit - mona.py - the manual

mona.py

Install mona.py

Put mona.py into

C:\Program Files\Immunity Inc\Immunity Debugger\PyCommands

Basic usage

Open Immunity Debugger. At the bottom of the application you should see an input box (command bar), Enter !mona and press return.

Open the log window (ALT-L) and you should get a full page of information about mona (options and commands).

0BADF00D   [+] Command used:
0BADF00D   !mona
0BADF00D        'mona' - Exploit Development Swiss Army Knife - Immunity Debugger (32bit)
0BADF00D        Plugin version : 2.0 r554
0BADF00D        Written by Corelan - https://www.corelan.be
0BADF00D        Project page : https://github.com/corelan/mona

               .##.....##..#######..##....##....###........########..##....##
               .###...###.##.....##.###...##...##.##.......##.....##..##..##.
               .####.####.##.....##.####..##..##...##......##.....##...####..
               .##.###.##.##.....##.##.##.##.##.....##.....########.....##...
               .##.....##.##.....##.##..####.#########.....##...........##...
               .##.....##.##.....##.##...###.##.....##.###.##...........##...
               .##.....##..#######..##....##.##.....##.###.##...........##...


0BADF00D   Global options :
0BADF00D   ----------------
0BADF00D   You can use one or more of the following global options on any command that will perform
0BADF00D   a search in one or more modules, returning a list of pointers :
0BADF00D    -n                     : Skip modules that start with a null byte. If this is too broad, use
0BADF00D                             option -cm nonull instead
0BADF00D    -o                     : Ignore OS modules
0BADF00D    -p                 : Stop search after  pointers.
0BADF00D    -m  : only query the given modules. Be sure what you are doing !
0BADF00D                             You can specify multiple modules (comma separated)
0BADF00D                             Tip : you can use -m *  to include all modules. All other module criteria will be ignored
0BADF00D                             Other wildcards : *blah.dll = ends with blah.dll, blah* = starts with blah,
0BADF00D                             blah or *blah* = contains blah
0BADF00D    -cm     : Apply some additional criteria to the modules to query.
0BADF00D                             You can use one or more of the following criteria :
0BADF00D                             aslr,safeseh,rebase,nx,os
0BADF00D                             You can enable or disable a certain criterium by setting it to true or false
0BADF00D                             Example :  -cm aslr=true,safeseh=false
0BADF00D                             Suppose you want to search for p/p/r in aslr enabled modules, you could call
0BADF00D                             !mona seh -cm aslr
0BADF00D    -cp     : Apply some criteria to the pointers to return
0BADF00D                             Available options are :
0BADF00D                             unicode,ascii,asciiprint,upper,lower,uppernum,lowernum,numeric,alphanum,nonull,startswithnull,unicoderev
0BADF00D                             Note : Multiple criteria will be evaluated using 'AND', except if you are looking for unicode + one crit
0BADF00D    -cpb '\x00\x01'        : Provide list with bad chars, applies to pointers
0BADF00D                             You can use .. to indicate a range of bytes (in between 2 bad chars)
0BADF00D    -x             : Specify desired access level of the returning pointers. If not specified,
0BADF00D                             only executable pointers will be return.
0BADF00D                             Access levels can be one of the following values : R,W,X,RW,RX,WX,RWX or *

           Usage :
           -------

0BADF00D    !mona  

           Available commands and parameters :

           ? / eval             | Evaluate an expression
           assemble / asm       | Convert instructions to opcode. Separate multiple instructions with #
           bpseh / sehbp        | Set a breakpoint on all current SEH Handler function pointers
           breakfunc / bf       | Set a breakpoint on an exported function in on or more dll's
           breakpoint / bp      | Set a memory breakpoint on read/write or execute of a given address
           bytearray / ba       | Creates a byte array, can be used to find bad characters
           calltrace / ct       | Log all CALL instructions
           compare / cmp        | Compare contents of a binary file with a copy in memory
           config / conf        | Manage configuration file (mona.ini)
           copy / cp            | Copy bytes from one location to another
           deferbp / bu         | Set a deferred breakpoint
           dump                 | Dump the specified range of memory to a file
           egghunter / egg      | Create egghunter code
           encode / enc         | Encode a series of bytes
           filecompare / fc     | Compares 2 or more files created by mona using the same output commands
           find / f             | Find bytes in memory
           findmsp / findmsf    | Find cyclic pattern in memory
           findwild / fw        | Find instructions in memory, accepts wildcards
           fwptr / fwp          | Find Writeable Pointers that get called
           geteat / eat         | Show EAT of selected module(s)
           getiat / iat         | Show IAT of selected module(s)
           getpc                | Show getpc routines for specific registers
           gflags / gf          | Show current GFlags settings from PEB.NtGlobalFlag
           header               | Read a binary file and convert content to a nice 'header' string
           heap                 | Show heap related information
           help                 | show help
           hidedebug / hd       | Attempt to hide the debugger
           info                 | Show information about a given address in the context of the loaded application
           infodump / if        | Dumps specific parts of memory to file
           jmp / j              | Find pointers that will allow you to jump to a register
           jop                  | Finds gadgets that can be used in a JOP exploit
           kb / kb              | Manage Knowledgebase data
           modules / mod        | Show all loaded modules and their properties
           noaslr               | Show modules that are not aslr or rebased
           nosafeseh            | Show modules that are not safeseh protected
           nosafesehaslr        | Show modules that are not safeseh protected, not aslr and not rebased
           offset               | Calculate the number of bytes between two addresses
           pageacl / pacl       | Show ACL associated with mapped pages
           pattern_create / pc  | Create a cyclic pattern of a given size
           pattern_offset / po  | Find location of 4 bytes in a cyclic pattern
           peb / peb            | Show location of the PEB
           rop                  | Finds gadgets that can be used in a ROP exploit and do ROP magic with them
           ropfunc              | Find pointers to pointers (IAT) to interesting functions that can be used in your ROP chain
           seh                  | Find pointers to assist with SEH overwrite exploits
           sehchain / exchain   | Show the current SEH chain
           skeleton             | Create a Metasploit module skeleton with a cyclic pattern for a given type of exploit
           stackpivot           | Finds stackpivots (move stackpointer to controlled area)
           stacks               | Show all stacks for all threads in the running application
           string / str         | Read or write a string from/to memory
           suggest              | Suggest an exploit buffer structure
           teb / teb            | Show TEB related information
           unicodealign / ua    | Generate venetian alignment code for unicode stack buffer overflow
           update / up          | Update mona to the latest version
0BADF00D
0BADF00D   Want more info about a given command ?  Run !mona help 
0BADF00D

Keeping mona.py up-to-date

Before using mona, I strongly recommend making sure you are running the latest version. If you are using the stable release, you won’t see updates that often (new version releases are often announced on twitter or Google+).

If you are using the trunk release of mona.py, you might want to update on a regular (daily) basis.

Updating is very simple. Make sure your device has access to redmine.corelan.be (https or http) and run

!mona up

By default, a connection is made to https://redmine.corelan.be. If, for whatever reason, you are unable to use https, you can use the -http switch to force the use of http:

!mona up -http

Starting from mona.py v1.1 you can switch between stable and trunk releases, by using the -t option.

So, if you are running trunk and you want to change to release, run

!mona up -t release

if you want to switch to the latest trunk version, run

!mona up -t trunk

Commands

assemble / asm

The “assemble” command allows you to convert one or more assembly instructions into opcode.

0BADF00D   Usage of command 'asm' :
0BADF00D   -------------------------
           Convert instructions to opcode. Separate multiple instructions with #.
           Mandatory argument : -s  : the sequence of instructions to assemble to opcode

For Example, we can get “jmp esp” opcode.

!mona assemble -s "jmp esp"
!mona asm -s "jmp esp"

0BADF00D
0BADF00D
0BADF00D   [+] This mona.py action took 0:00:00
0BADF00D   [+] Command used:
0BADF00D   !mona assemble -s "jmp esp"
0BADF00D   Opcode results :
0BADF00D   ----------------
0BADF00D    jmp esp = \xff\xe4
0BADF00D    Full opcode : \xff\xe4
0BADF00D
0BADF00D   [+] This mona.py action took 0:00:00.010000

bpseh / sehbp

Set a breakpoint on all current SEH Handler function pointers

!mona bpseh
!mona sehbp

breakfunc / bf

Set a breakpoint on an exported function in or more dll’s.

0BADF00D   Usage of command 'breakfunc' :
0BADF00D   -------------------------------
           Set a breakpoint on exported or imported function(s) of the selected modules.
           Mandatory argument :
               -t  : type of breakpoint action. Can be 'add', 'del' or 'list'
           Optional arguments :
               -f  : set to 'import' or 'export' to read IAT or EAT. Default : export
               -s  : specify function names.
                                     If you want a bp on all functions, set -s to *
0BADF00D
0BADF00D
0BADF00D   [+] This mona.py action took 0:00:00

we can get all export or import functions, for example:

!mona breakfunc -t list -f export -s *
!mona breakfunc -t list -f import -s *

we can do the same things with the commands:

!mona geteat
!mona getiat

breakpoint / bp

Set a memory breakpoint on read/write or execute of a given address.

0BADF00D   Usage of command 'breakpoint' :
0BADF00D   --------------------------------
           Set a breakpoint when a given address is read from, written to or executed
           Mandatory arguments :
               -a 
: the address where to set the breakpoint (absolute address / register / modulename!functionname) -t : type of the breakpoint, can be READ, WRITE or SFX 0BADF00D 0BADF00D 0BADF00D [+] This mona.py action took 0:00:00

set a READ breakpoint for demo.

0BADF00D   !mona breakpoint -a 0x00437869 -t READ
0BADF00D   Breakpoint set on READ of 0x00437869
0BADF00D
0BADF00D   [+] This mona.py action took 0:00:00.010000
00437869   [02:39:59] Memory breakpoint when executing [00437869]

What’s the different between READ breakpoint and WRITE or SFX breakpoint ?


bytearray / ba

The “bytearray” option was implemented to assist exploit developers when finding bad chars. It will produce an array with all bytes between \x00 and \xff (except for the ones that you excluded), and writes the array to 2 files.

  • a text file containging the array in ascii format (bytearray.txt)
  • a binary file containging the same array (bytearray.bin)

Optional arguments:

  • -cpb : exclude these bytes from the array.
  • -r: show the array in reverse (starting at \xff, end at \x00)

For example:

0BADF00D
0BADF00D
0BADF00D   [+] This mona.py action took 0:00:00
0BADF00D   [+] Command used:
0BADF00D   !mona bytearray
0BADF00D   Generating table, excluding 0 bad chars...
0BADF00D   Dumping table to file
0BADF00D   [+] Preparing output file 'bytearray.txt'
0BADF00D       - (Re)setting logfile C:\logs\RM2MP3Converter\bytearray.txt
           "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
           "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f"
           "\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
           "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"
           "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
           "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
           "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
           "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"

0BADF00D
0BADF00D   Done, wrote 256 bytes to file C:\logs\RM2MP3Converter\bytearray.txt
0BADF00D   Binary output saved in C:\logs\RM2MP3Converter\bytearray.bin
0BADF00D
0BADF00D   [+] This mona.py action took 0:00:00.030000

We believe finding bad chars is a mandatory step in the exploit writing process. Over the last few weeks and months, alot of people have asked use how to perform this task, so here are the steps to finding bad chars.

Let’s say your exploit structure (classic saved return pointer overwrite) looks like this:

[ 280 bytes of junk ] [ EIP ] [ 500 bytes (shellcode) ]

We should try to make the process as reliable and smooth as possible, so we’ll have to make sure we’re not messing with the essential part of the payload, which is the part that should allow us to keep control over EIP.

We’ll keep the first 280 bytes and the 4 bytes (saved return pointer) intact. If we would change those and the first 280 bytes contain bad chars, then we might not even be able to control EIP anymore, making it very hard to debug and find bad chars.

We have a number of bytes available after overwriting saved return pointer. So that is the perfect location to put our array. It will make sure that we can make the application crash in a reliable way, allowing us to set a breakpoint on EIP and then compare the array of bytes in memory with the original array of bytes.

Before creating & using the byte array, you should ask yourself “what kind of bytes are very likely going to be breaking the payload or altering the behaviour of the application”. If, for example, the buffer overflow gets triggered because of a string copy function, it’s very likely that a null byte will break the payload. A carriage return/line feed (\x0a\x0d) are common bytes that would change the way the payload is read & processed by the application as well, so in case of a string based overflow, you’ll probably discover that those are bad chars too.

So let’s start with excluding those 3 bytes from the array. (Of course, this is all based on assumptions. If you want to be sure, don’t exclude anything from the array yet).

!mona bytearray -cpb '\x00\x0a\x0d'

Open “bytearray.txt” and copy the array. Open your exploit and paste the array after overwriting EIP (so instead of the 500 bytes, put the array).

Then set the necessary breakpoints (at the pointer you will use to control EIP with in this case) and trigger the crash. Your breakpoint should be hit, and the byte array (or a portion of it) should be in memory somewhere.

The process of finding the bad chars is very simple. We can use another mona feature to read the original byte array from the binary file that was created, and compare those bytes with the array that is in memory at crash time.

Mona will then read the binary file, takes the first 8 bytes from the file, locates all instances of those 8 bytes in memory, and compare each of the bytes of the array with the bytes in memory, listing the ones that were not altered, and listing the ones that were changed/corrupted.

!mona compare -f bytearray.bin

At this point, there are 2 things you should check in the output of this command :

  • Find the location (probably on the stack in this example) where EIP would jump to. If you are building an exploit for a saved return pointer overwrite, you will most likely find your payload at ESP. Look at ESP (or the location where your payload is) and jot down that address. Open compare.txt, look for that address and you will get the list of bytes that were corrupted. Corruption can result in 2 types of behaviour : either the byte gets changed (other bytes are still fine), or all bytes after the bad char are different. Either way, unless you know what you are doing, only write down the first byte that was changed and add that byte to the list of bad chars. Then repeat the entire process (create bytearray, paste array into exploit, trigger crash, compare). So, if you discovery that for example \x59 is a bad char too, simply run the bytearray command again :

    !mona bytearray -cpb ‘\x00\x0a\x0d’

    Repeat the entire process and do another compare. If the resulting array was found at the right location, unmodified, then you have determined all bad chars. If not, just find the next bad char, exclude it from the array and try again. The process might be time consuming, and there may even be better ways to do this, but this technique works just fine.

  • Look at other locations where your array was found. Maybe one of those locations have a non-corrupted copy of the array, providing you with an alternative location to place your shellcode without having to bother about bad chars. All you would need to do is write some jumpcode (or egghunter) to jump to that location.

View the video online here or blog here.


compare

We already discussed the basic functionality of “compare” in the documentation of previous command.

0BADF00D
0BADF00D   Usage of command 'compare' :
0BADF00D   -----------------------------
           Compares contents of a binary file with locations in memory.
           Mandatory argument :
               -f  : full path to binary file
           Optional argument :
               -a 
: the exact address of the bytes in memory (address or register). If you don't specify an address, I will try to locate the bytes in memory by looking at the first 8 bytes. -s : skip locations that belong to a module -unicode : perform unicode search. Note: input should *not* be unicode, it will be expanded automatically 0BADF00D 0BADF00D 0BADF00D [+] This mona.py action took 0:00:00

You can use this command to find bad chars (as explained earlier), but you can also use it to see if your shellcode got corrupted in memory.

You could, for example, write tag+tag+shellcode (egghunter egg) to a binary file and use the compare command to find the eggs and show if they got corrupted or not. If some of them do, others don’t, you’ll know if and how you have to tweak the start location of the hunter, or just use a checksum routine.


calltrace

Log all CALL instructions

0BADF00D
0BADF00D   Usage of command 'calltrace' :
0BADF00D   -------------------------------
           Logs all CALL instructions
           Mandatory arguments :
               -m module : specify what module to search for CALL instructions (global option)  
           Optional arguments :
               -a  : number of arguments to show for each CALL
               -r : also trace RETN instructions (will slow down process!)
0BADF00D
0BADF00D
0BADF00D   [+] This mona.py action took 0:00:00

config / conf

Manage configuration file (mona.ini).

0BADF00D   Usage of command 'config' :
0BADF00D   ----------------------------
           Change config of mona.py
           Available options are : -get , -set   or -add  
           Valid parameters are : workingfolder, excluded_modules, author
0BADF00D
0BADF00D
0BADF00D   [+] This mona.py action took 0:00:00

Set our current work directory as follow:

!mona config -set workingfolder C:\logs\%p

copy / cp

Copy bytes from one location to another.

0BADF00D   Usage of command 'copy' :
0BADF00D   --------------------------
           Copies bytes from one location to another.

           Arguments:
               -src 
: The source address -dst
: The destination address -n : The number of bytes to copy 0BADF00D 0BADF00D

we can copy 0x10 bytes from 0x00446000 to 0x00446010.

!mona copy -src 0x00446000 -dst 0x00446010 -n 0x10

deferbp / bu

Set a memory breakpoint on read/write or execute of a given address.

0BADF00D
0BADF00D   Usage of command 'deferbp' :
0BADF00D   -----------------------------
           Set a deferred breakpoint
           Mandatory arguments :
               -a ,,...
               target can be an address, a modulename.functionname or module.dll+offset (hex value)
               Warning, modulename.functionname is case sensitive !

0BADF00D

dump

Dump the specified range of memory to a file

0BADF00D
0BADF00D   Usage of command 'dump' :
0BADF00D   --------------------------
           Dump the specified memory range to a file. Either the end address or the size of
           buffer needs to be specified.
           Mandatory arguments :
               -s 
: start address -f : the name of the file where to write the bytes Optional arguments: -n : the number of bytes to copy (size of the buffer) -e
: the end address of the copy 0BADF00D

we can dump 1000 bytes from 0x00437854.

!mona dump -s 0x00437854 -f C:\logs\RM2MP3Converter\dump.bin -n 1000

egghunter

Create egghunter code.

0BADF00D
0BADF00D   Usage of command 'egghunter' :
0BADF00D   -------------------------------
           Creates an egghunter routine
           Optional arguments :
               -t : tag (ex: w00t). Default value is w00t
               -c : enable checksum routine. Only works in conjunction with parameter -f
               -f  : file containing the shellcode
               -startreg  : start searching at the address pointed by this reg
               -wow64 : generate wow64 egghunter. Default is traditional 32bit egghunter
           DEP Bypass options :
               -depmethod  : method can be "virtualprotect", "copy" or "copy_size"
               -depreg  : sets the register that contains a pointer to the API function to bypass DEP.
                               By default this register is set to ESI
               -depsize  : sets the size for the dep bypass routine
               -depdest  : this register points to the location of the egghunter itself.
                                When bypassing DEP, the egghunter is already marked as executable.
                                So when using the copy or copy_size methods, the DEP bypass in the egghunter
                                would do a "copy 2 self".  In order to be able to do so, it needs a register
                                where it can copy the shellcode to.
                                If you leave this empty, the code will contain a GetPC routine.
0BADF00D
0BADF00D

If you don’t specify a file containing shellcode, it will simply produce a regular egghunter routine. If you specify a filename, you’ll have the ability to use option -c, which will insert a checksum routine for the shellcode in the file. The checksum routine will only work for that particular shellcode (or any other shellcode with the same size, producing the same checksum value :) )

Using the various -dep* parameters, you can tell the egghunter routine to create code that will bypass DEP on the found egg, before running it. You can find more information about this technique here.


encode / enc

Encode a series of bytes.

0BADF00D
0BADF00D   Usage of command 'enc' :
0BADF00D   -------------------------
           Encode a series of bytes
           Arguments:
               -t          : Type of encoder to use.  Allowed value(s) are alphanum
               -s         : The bytes to encode (or use -f instead)
               -f  : The full path to the binary file that contains the bytes to encode
0BADF00D

filecompare / fc

Compares 2 or more files created by mona using the same output commands.

0BADF00D   Usage of command 'filecompare' :
0BADF00D   ---------------------------------
           Compares 2 or more files created by mona using the same output commands
           Make sure to use files that are created with the same version of mona and
           contain the output of the same mona command.
           Mandatory argument : -f "file1,file2,...filen"
           Put all filenames between one set of double quotes, and separate files with comma's.
           You can specify a foldername as well with -f, all files in the root of that folder will be part of the compare.
           Output will be written to filecompare.txt and filecompare_not.txt (not matching pointers)
           Optional parameters :
               -contains "INSTRUCTION"  (will only list if instruction is found)
               -nostrict (will also list pointer is instructions don't match in all files)
               -range  : find overlapping ranges for all pointers + range.
                                 When using -range, the -contains and -nostrict options will be ignored
               -ptronly : only show matching pointers (slightly faster). Doesn't work when 'range' is used
0BADF00D

For example:

!mona filecompare -f "C:\logs\RM2MP3Converter\pattern.txt.old","C:\logs\RM2MP3Converter\pattern.txt.old2"

find

The “find” command has improved a lot since its initial implementation in pvefindaddr. It’s faster, but above all it’s more flexible and has a shiney new “recursive” search feature.

0BADF00D   Usage of command 'find' :
0BADF00D   --------------------------
           Find a sequence of bytes in memory.
           Mandatory argument : -s  : the sequence to search for. If you specified type 'file', then use -s to specify the file.
           This file needs to be a file created with mona.py, containing pointers at the begin of each line.
           Optional arguments:
               -type     : Type of pattern to search for : bin,asc,ptr,instr,file
               -b 
: base/bottom address of the search range -t
: top address of the search range -c : skip consecutive pointers but show length of the pattern instead -p2p : show pointers to pointers to the pattern (might take a while !) this setting equals setting -level to 1 -level : do recursive (p2p) searches, specify number of levels deep if you want to look for pointers to pointers, set level to 1 -offset : subtract a value from a pointer at a certain level -offsetlevel : level to subtract a value from a pointer -r : if p2p is used, you can tell the find to also find close pointers by specifying -r with a value. This value indicates the number of bytes to step backwards for each search -unicode : used in conjunction with search type asc, this will convert the search pattern to unicode first -ptronly : Only show the pointers, skip showing info about the pointer (slightly faster) 0BADF00D

By default, “find” will look for all locations (accesslevel set to *). Furthermore, by default, it will search the entire memory space (including the memory space of modules that were excluded).

Example: Find all locations where the string “w00t” can be found:

!mona find -type asc -s "w00t"

Example: Find all executable locations that have a pointer to “jmp ecx”

!mona find -type instr -s "jmp ecx" -p2p

0BADF00D
0BADF00D   [+] This mona.py action took 0:00:00
0BADF00D   [+] Command used:
0BADF00D   !mona find -type instr -s "jmp esp" -b 018F0000 -t 1DBD000

           ---------- Mona command started on 2015-02-26 19:26:29 (v2.0, rev 554) ----------
0BADF00D   [+] Processing arguments and criteria
0BADF00D       - Pointer access level : *
0BADF00D       - Treating search pattern as instr
0BADF00D   [+] Searching from 0x018f0000 to 0x01dbd000
0BADF00D   [+] Preparing output file 'find.txt'
0BADF00D       - (Re)setting logfile C:\logs\RM2MP3Converter\find.txt
0BADF00D   [+] Generating module info table, hang on...
0BADF00D       - Processing modules
0BADF00D       - Done. Let's rock 'n roll.
0BADF00D   [+] Writing results to C:\logs\RM2MP3Converter\find.txt
0BADF00D       - Number of pointers of type '"jmp esp"' : 13
0BADF00D   [+] Results :
01AE023F     0x01ae023f (b+0x001f023f)  : "jmp esp" |  {PAGE_READONLY} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
01AFD3DB     0x01afd3db (b+0x0020d3db)  : "jmp esp" |  {PAGE_READONLY} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
01AAF23A     0x01aaf23a (b+0x001bf23a)  : "jmp esp" |  {PAGE_EXECUTE} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
01B1B22A     0x01b1b22a (b+0x0022b22a)  : "jmp esp" |  {PAGE_READWRITE} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
01B1B72D     0x01b1b72d (b+0x0022b72d)  : "jmp esp" |  {PAGE_READWRITE} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
01B1CD89     0x01b1cd89 (b+0x0022cd89)  : "jmp esp" |  {PAGE_READWRITE} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
01B25C9E     0x01b25c9e (b+0x00235c9e)  : "jmp esp" |  {PAGE_READWRITE} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
01B303D9     0x01b303d9 (b+0x002403d9)  : "jmp esp" |  {PAGE_READWRITE} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
01B31400     0x01b31400 (b+0x00241400)  : "jmp esp" | null {PAGE_READWRITE} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
01B3736D     0x01b3736d (b+0x0024736d)  : "jmp esp" |  {PAGE_READWRITE} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
01B3CE34     0x01b3ce34 (b+0x0024ce34)  : "jmp esp" |  {PAGE_READWRITE} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
01B40159     0x01b40159 (b+0x00250159)  : "jmp esp" |  {PAGE_READWRITE} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
01B42EC0     0x01b42ec0 (b+0x00252ec0)  : "jmp esp" |  {PAGE_READWRITE} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
0BADF00D       Found a total of 13 pointers
0BADF00D
0BADF00D   [+] This mona.py action took 0:00:01.252000

As we known, 0x01AAF23A is a good choice.

Example: Find All locations that have a pointer to any of the pointer in file c:\temp\seh.txt

!mona find -type file -s "c:\temp\seh.txt" -p2p

Example : let’s say you control ECX, and your payload is at ESP+4

This is the code that will give you control over EIP :

MOV EAX,DWORD PTR DS:[ECX]
CALL [EAX+58]

The idea is to retun to the payload at ESP+4 to initiate a rop chain.

Think about it. What kind of pointer would we need to put in ECX ?

Answer : We need a pointer to a pointer(2), where pointer(2) – 0x58 points to a pointer to ADD ESP,4/RET.

For sure you find one manually. If you have time.

In order to instruct mona to find all pointers, you’ll need 2 commands :

One to find all stackpivots of 4
One to find the ptr to ptr-0x58 to ptr to one of the stackpivots

Solution :

# first, get all stackpivots, save output to c:\logs\stackpivot.txt
!mona config -set workingfolder c:\logs
!mona stackpivot -distance 4,4

# read the file and find ptr to ptr-58 to each of the pointers
!mona find -type file -s "c:\logs\stackpivot.txt" -x *
  -offset 88 -level 2 -offsetlevel 2

So basically, we need to apply the offset to level 2. (which is “look for ptr to ptr to ptr” in this case, because we already read ptr to the instructions into stackpivot).

Before looking for a pointer to a pointer in that level, the offset will be subtracted from the target pointer first.

Hint : in order to debug this routine, you’ll have to set a breakpoint on reading [ECX]. Suppose you put 7a10b473 in ECX, then – prior to triggering the bug – set a breakpoint on reading that location :

!mona bp -t READ -a 0x7a10b473

findmsp

Find cyclic pattern in memory.

0BADF00D   Usage of command 'findmsp' :
0BADF00D   -----------------------------
           Finds begin of a cyclic pattern in memory, looks if one of the registers contains (is overwritten) with a cyclic pattern
           or points into a cyclic pattern. findmsp will also look if a SEH record is overwritten and finally,
           it will look for cyclic patterns on the stack, and pointers to cyclic pattern on the stack.
           Optional argument :
               -distance  : distance from ESP, applies to search on the stack. Default : search entire stack
           Note : you can use the same options as with pattern_create and pattern_offset in terms of defining the character set to use
0BADF00D

findwild

Find instructions in memory, accept wildcards.

0BADF00D
0BADF00D   Usage of command 'findwild' :
0BADF00D   ------------------------------
           Find instructions in memory, accepts wildcards :
           Mandatory arguments :
                   -s   (separate instructions with #)
           Optional arguments :
                   -b 
: base/bottom address of the search range -t
: top address of the search range -depth : number of instructions to go deep -all : show all instruction chains, even if it contains something that might break the chain -distance min=nr,max=nr : you can use a numeric offset wildcard (a single *) in the first instruction of the search the distance parameter allows you to specify the range of the offset Inside the instructions string, you can use the following wildcards : * = any instruction r32 = any register Example : pop r32#*#xor eax,eax#*#pop esi#ret 0BADF00D

Instructions are separated with #. You can use * to indicate that you want to allow any instruction(s). You can also use r32 to indicate that you want to allow any register.

Example : Search for a push (any register), later followed by pop eax, directly followed by inc eax, ending the chain with a retn :

!mona findwild -s "push r32#*#pop eax#inc eax#*#retn"

You can, of course, use any of the global options to finetune/limit the search.

Output will be written to findwild.txt.


fwptr / fp

Find Writeable Pointers that get called.


geteat ** / eat

Show EAT of selected module(s)

!mona eat
!mona eat -s "32"

getiat / iat

Show IAT of selected module(s)

!mona iat
!mona iat -s "32"

getpc

Show getpc routines for specific registers.

0BADF00D
0BADF00D   Usage of command 'getpc' :
0BADF00D   ---------------------------
           Find getpc routine for specific register
           Mandatory argument :
               -r : register (ex: eax)
0BADF00D
0BADF00D
0BADF00D   [+] This mona.py action took 0:00:00
0BADF00D   [+] Command used:
0BADF00D   !mona getpc -r eax
0BADF00D   [+] Preparing output file 'getpc.txt'
0BADF00D       - (Re)setting logfile C:\logs\RM2MP3Converter\getpc.txt

           eax|  jmp short back:
           "\xeb\x03\x58\xff\xd0\xe8\xf8\xff\xff\xff"
           eax|  call + 4:
           "\xe8\xff\xff\xff\xff\xc3\x58"
           eax|  fstenv:
           "\xd9\xeb\x9b\xd9\x74\x24\xf4\x58"

0BADF00D
0BADF00D   Wrote to file C:\logs\RM2MP3Converter\getpc.txt
0BADF00D

gflags / gf

Show current GFlags settings from PEB.NtGlobalFlag.

0BADF00D
0BADF00D   [+] This mona.py action took 0:00:01.072000
0BADF00D   [+] Command used:
0BADF00D   !mona gflags
0BADF00D   [+] NtGlobalFlag: 0x00000070
0BADF00D       0x00000040 : +hpc - Enable Heap Parameter Checking
0BADF00D       0x00000020 : +hfc - Enable Heap Free Checking
0BADF00D       0x00000010 : +htc - Enable Heap Tail Checking

header

Read a binary file and convert to a nice ‘header’ string.

!mona header -f "C:\Program Files\Easy RM to MP3 Converter\RM2MP3Converter.exe" -t python

heap

Show heap related information.

0BADF00D
0BADF00D   Usage of command 'heap' :
0BADF00D   --------------------------
           Show information about various heap chunk lists
           Mandatory arguments :
               -h 
: base address of the heap to query -t : where type is 'segments', 'chunks', 'layout', 'fea' (let mona determine the frontend allocator), 'lal' (force display of LAL FEA, only on XP/2003), 'lfh' (force display of LFH FEA (Vista/Win7/...)), 'bea' (backend allocator, mona will automatically determine what it is), 'all' (show all information) Note: 'layout' will show all heap chunks and their vtables & strings. Use on WinDBG for maximum results. Optional arguments : -expand : Works only in combination with 'layout', will include VA/LFH/... chunks in the search. VA/LFH chunks may be very big, so this might slow down the search. -stat : show statistics (also works in combination with -h heap, -t segments or -t chunks -size : only show strings of at least the specified size. Works in combination with 'layout' -after : only show current & next chunk layout entries when an entry contains this data (Only works in combination with 'layout') -v : show data / write verbose info to the Log window 0BADF00D

help

show help


hidedebug / hd

Attempt to hide the debugger from the process.


info

Show information about a given address in the context of the loaded application.

0BADF00D   !mona info -a 0x00437854
0BADF00D   [+] Generating module info table, hang on...
0BADF00D       - Processing modules
0BADF00D       - Done. Let's rock 'n roll.
0BADF00D   [+] NtGlobalFlag: 0x00000070
0BADF00D       0x00000040 : +hpc - Enable Heap Parameter Checking
0BADF00D       0x00000020 : +hfc - Enable Heap Free Checking
0BADF00D       0x00000010 : +htc - Enable Heap Tail Checking
0BADF00D
0BADF00D   [+] Information about address 0x00437854
773D0000   Modules C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
0BADF00D       startnull,asciiprint,ascii,alphanum {PAGE_EXECUTE_READ}
0BADF00D       Address is part of page 0x00401000 - 0x0043c000
0BADF00D       Section : .text
0BADF00D       Address is part of a module:
0BADF00D       [RM2MP3Converter.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.7.3.700 (C:\Program Files\Easy RM to MP3 Converter\RM2MP3Converter.exe)
0BADF00D       Offset from module base: 0x37854
0BADF00D
0BADF00D   [+] Disassembly:
0BADF00D       Instruction at 00437854 : PUSH EBP
0BADF00D

infodump / if

Dumps contents of memory to file. Contents will include all pages that don’t belong to stack, heap or loaded modules.

Output will be written to infodump.xml


jmp / j

Find pointers that will allow you to a register.

!mona jmp -r esp

jop

Find gadgets that can be used in a JOP exploit.


kb

Manage Knowledgebase data.

0BADF00D
0BADF00D   Usage of command 'kb' :
0BADF00D   ------------------------
           Manage knowledgebase data
           Mandatory arguments:
               - : type can be 'list', 'set' or 'del'
               To 'set' ( = add / update ) a KB entry, or 'del' an entry,
               you will need to specify 2 additional arguments:
                   -id  : the Knowledgebase ID
                   -value  : the value to add/update.  In case of lists, use a comma to separate entries.
               The -list parameter will show all current ID's
               To see the contents of a specific ID, use the -id  parameter.
0BADF00D

modules / mod

Show information about the loaded modules.

0BADF00D   !mona modules

           ---------- Mona command started on 2015-02-26 21:19:37 (v2.0, rev 554) ----------
0BADF00D   [+] Processing arguments and criteria
0BADF00D       - Pointer access level : X
0BADF00D   [+] Generating module info table, hang on...
0BADF00D       - Processing modules
0BADF00D       - Done. Let's rock 'n roll.
0BADF00D   ----------------------------------------------------------------------------------------------------------------------------------
0BADF00D    Module info :
0BADF00D   ----------------------------------------------------------------------------------------------------------------------------------
0BADF00D    Base       | Top        | Size       | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll | Version, Modulename & Path
0BADF00D   ----------------------------------------------------------------------------------------------------------------------------------
0BADF00D    0x76080000 | 0x760e5000 | 0x00065000 | False  | True    | False |  False   | True   | 6.02.3104.0 [MSVCP60.dll] (C:\WINDOWS\system32\MSVCP60.dll)
0BADF00D    0x02020000 | 0x02030000 | 0x00010000 | True   | False   | False |  False   | False  | -1.0- [MSRMfilter02.dll] (C:\Program Files\Easy RM to MP3 Converter\MSRMfilter02.dll)
0BADF00D    0x5b860000 | 0x5b8b5000 | 0x00055000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [NETAPI32.dll] (C:\WINDOWS\system32\NETAPI32.dll)
0BADF00D    0x7e1e0000 | 0x7e282000 | 0x000a2000 | False  | True    | False |  False   | True   | 6.00.2900.5512 [urlmon.dll] (C:\WINDOWS\system32\urlmon.dll)
0BADF00D    0x00400000 | 0x004be000 | 0x000be000 | False  | False   | False |  False   | False  | 2.7.3.700 [RM2MP3Converter.exe] (C:\Program Files\Easy RM to MP3 Converter\RM2MP3Converter.exe)
0BADF00D    0x77a80000 | 0x77b15000 | 0x00095000 | False  | True    | False |  False   | True   | 5.131.2600.5512 [CRYPT32.dll] (C:\WINDOWS\system32\CRYPT32.dll)
0BADF00D    0x76f20000 | 0x76f47000 | 0x00027000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [DNSAPI.dll] (C:\WINDOWS\system32\DNSAPI.dll)
0BADF00D    0x77c70000 | 0x77c94000 | 0x00024000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [msv1_0.dll] (C:\WINDOWS\system32\msv1_0.dll)
0BADF00D    0x77c10000 | 0x77c68000 | 0x00058000 | False  | True    | False |  False   | True   | 7.0.2600.5512 [msvcrt.dll] (C:\WINDOWS\system32\msvcrt.dll)
0BADF00D    0x7c900000 | 0x7c9af000 | 0x000af000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [ntdll.dll] (C:\WINDOWS\system32\ntdll.dll)
0BADF00D    0x01860000 | 0x018d1000 | 0x00071000 | True   | False   | False |  False   | False  | -1.0- [MSRMCcodec00.dll] (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec00.dll)
0BADF00D    0x71a90000 | 0x71a98000 | 0x00008000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [wshtcpip.dll] (C:\WINDOWS\System32\wshtcpip.dll)
0BADF00D    0x018f0000 | 0x01dbd000 | 0x004cd000 | True   | False   | False |  False   | False  | -1.0- [MSRMCcodec02.dll] (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
0BADF00D    0x01dc0000 | 0x01dd1000 | 0x00011000 | True   | True    | False |  False   | True   | 7.0.2600.5512 [MSVCIRT.dll] (C:\WINDOWS\system32\MSVCIRT.dll)
0BADF00D    0x00ab0000 | 0x00b4f000 | 0x0009f000 | True   | False   | False |  False   | False  | -1.0- [MSRMfilter01.dll] (C:\Program Files\Easy RM to MP3 Converter\MSRMfilter01.dll)
0BADF00D    0x02240000 | 0x02252000 | 0x00012000 | True   | False   | False |  False   | False  | -1.0- [MSLog.dll] (C:\Program Files\Easy RM to MP3 Converter\MSLog.dll)
0BADF00D    0x76fc0000 | 0x76fc6000 | 0x00006000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [rasadhlp.dll] (C:\WINDOWS\system32\rasadhlp.dll)
0BADF00D    0x10000000 | 0x10071000 | 0x00071000 | False  | False   | False |  False   | False  | -1.0- [MSRMfilter03.dll] (C:\Program Files\Easy RM to MP3 Converter\MSRMfilter03.dll)
0BADF00D    0x76ee0000 | 0x76f1c000 | 0x0003c000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [RASAPI32.DLL] (C:\WINDOWS\system32\RASAPI32.DLL)
0BADF00D    0x77fe0000 | 0x77ff1000 | 0x00011000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [Secur32.dll] (C:\WINDOWS\system32\Secur32.dll)
0BADF00D    0x71aa0000 | 0x71aa8000 | 0x00008000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [WS2HELP.dll] (C:\WINDOWS\system32\WS2HELP.dll)
0BADF00D    0x73dd0000 | 0x73ece000 | 0x000fe000 | False  | True    | False |  False   | True   | 6.02.4131.0 [MFC42.DLL] (C:\WINDOWS\system32\MFC42.DLL)
0BADF00D    0x774e0000 | 0x7761d000 | 0x0013d000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [ole32.dll] (C:\WINDOWS\system32\ole32.dll)
0BADF00D    0x77f60000 | 0x77fd6000 | 0x00076000 | False  | True    | False |  False   | True   | 6.00.2900.5512 [SHLWAPI.dll] (C:\WINDOWS\system32\SHLWAPI.dll)
0BADF00D    0x662b0000 | 0x66308000 | 0x00058000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [hnetcfg.dll] (C:\WINDOWS\system32\hnetcfg.dll)
0BADF00D    0x7e410000 | 0x7e4a1000 | 0x00091000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [USER32.dll] (C:\WINDOWS\system32\USER32.dll)
0BADF00D    0x763b0000 | 0x763f9000 | 0x00049000 | False  | True    | False |  False   | True   | 6.00.2900.5512 [comdlg32.dll] (C:\WINDOWS\system32\comdlg32.dll)
0BADF00D    0x71ad0000 | 0x71ad9000 | 0x00009000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [wsock32.dll] (C:\WINDOWS\system32\wsock32.dll)
0BADF00D    0x76e80000 | 0x76e8e000 | 0x0000e000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [rtutils.dll] (C:\WINDOWS\system32\rtutils.dll)
0BADF00D    0x01fe0000 | 0x01ffe000 | 0x0001e000 | True   | False   | False |  False   | True   | 1.0.1.8 [wmatimer.dll] (C:\WINDOWS\system32\wmatimer.dll)
0BADF00D    0x5ad70000 | 0x5ada8000 | 0x00038000 | False  | True    | False |  False   | True   | 6.00.2900.5512 [uxtheme.dll] (C:\WINDOWS\system32\uxtheme.dll)
0BADF00D    0x77120000 | 0x771ab000 | 0x0008b000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [OLEAUT32.dll] (C:\WINDOWS\system32\OLEAUT32.dll)
0BADF00D    0x722b0000 | 0x722b5000 | 0x00005000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [sensapi.dll] (C:\WINDOWS\system32\sensapi.dll)
0BADF00D    0x7c9c0000 | 0x7d1d7000 | 0x00817000 | False  | True    | False |  False   | True   | 6.00.2900.5512 [SHELL32.dll] (C:\WINDOWS\system32\SHELL32.dll)
0BADF00D    0x77e70000 | 0x77f02000 | 0x00092000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [RPCRT4.dll] (C:\WINDOWS\system32\RPCRT4.dll)
0BADF00D    0x77b20000 | 0x77b32000 | 0x00012000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [MSASN1.dll] (C:\WINDOWS\system32\MSASN1.dll)
0BADF00D    0x773d0000 | 0x774d3000 | 0x00103000 | False  | True    | False |  False   | True   | 6.0 [comctl32.dll] (C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll)
0BADF00D    0x769c0000 | 0x76a74000 | 0x000b4000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [USERENV.dll] (C:\WINDOWS\system32\USERENV.dll)
0BADF00D    0x76e90000 | 0x76ea2000 | 0x00012000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [rasman.dll] (C:\WINDOWS\system32\rasman.dll)
0BADF00D    0x771b0000 | 0x7725a000 | 0x000aa000 | False  | True    | False |  False   | True   | 6.00.2900.5512 [WININET.dll] (C:\WINDOWS\system32\WININET.dll)
0BADF00D    0x5d090000 | 0x5d12a000 | 0x0009a000 | False  | True    | False |  False   | True   | 5.82 [COMCTL32.dll] (C:\WINDOWS\system32\COMCTL32.dll)
0BADF00D    0x76d60000 | 0x76d79000 | 0x00019000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [iphlpapi.dll] (C:\WINDOWS\system32\iphlpapi.dll)
0BADF00D    0x71a50000 | 0x71a8f000 | 0x0003f000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [mswsock.dll] (C:\WINDOWS\System32\mswsock.dll)
0BADF00D    0x76b40000 | 0x76b6d000 | 0x0002d000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [WINMM.dll] (C:\WINDOWS\system32\WINMM.dll)
0BADF00D    0x7c800000 | 0x7c8f6000 | 0x000f6000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [kernel32.dll] (C:\WINDOWS\system32\kernel32.dll)
0BADF00D    0x77f10000 | 0x77f59000 | 0x00049000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [GDI32.dll] (C:\WINDOWS\system32\GDI32.dll)
0BADF00D    0x018e0000 | 0x018e7000 | 0x00007000 | True   | False   | False |  False   | False  | -1.0- [MSRMCcodec01.dll] (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec01.dll)
0BADF00D    0x73000000 | 0x73026000 | 0x00026000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [WINSPOOL.DRV] (C:\WINDOWS\system32\WINSPOOL.DRV)
0BADF00D    0x77c00000 | 0x77c08000 | 0x00008000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [VERSION.dll] (C:\WINDOWS\system32\VERSION.dll)
0BADF00D    0x77dd0000 | 0x77e6b000 | 0x0009b000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [ADVAPI32.dll] (C:\WINDOWS\system32\ADVAPI32.dll)
0BADF00D    0x71ab0000 | 0x71ac7000 | 0x00017000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [WS2_32.dll] (C:\WINDOWS\system32\WS2_32.dll)
0BADF00D    0x76eb0000 | 0x76edf000 | 0x0002f000 | False  | True    | False |  False   | True   | 5.1.2600.5512 [TAPI32.dll] (C:\WINDOWS\system32\TAPI32.dll)
0BADF00D   ----------------------------------------------------------------------------------------------------------------------------------
0BADF00D

noaslr

Show modules that are not aslr or rebased


nosafeseh

Show modules that are not safeseh protected


nosafesehaslr

Show modules that are not safeseh protected, not aslr and not rebased.


offset

Calcalate the number og bytes between two addresses.


pageacl / pacl

Show ACL associated with mapped pages.


pattern_create / pc

Create a cyclic pattern of a given size.

0BADF00D   Usage of command 'pattern_create' :
0BADF00D   ------------------------------------
           Create a cyclic pattern of a given size. Output will be written to pattern.txt
           Mandatory argument : size (numberic value)
           Optional arguments :
               -js : output pattern in unicode escaped javascript format
               -extended : extend the 3rd characterset (numbers) with punctuation marks etc
               -c1  : set the first charset to this string of characters
               -c2  : set the second charset to this string of characters
               -c3  : set the third charset to this string of characters
0BADF00D

pattern_offset / po

Find location of 4 bytes in a cyclic pattern.

0BADF00D
0BADF00D   Usage of command 'pattern_offset' :
0BADF00D   ------------------------------------
           Find the location of 4 bytes in a cyclic pattern
           Mandatory argument : the 4 bytes to look for
           Note :  you can also specify a register
           Optional arguments :
               -extended : extend the 3rd characterset (numbers) with punctuation marks etc
               -c1  : set the first charset to this string of characters
               -c2  : set the second charset to this string of characters
               -c3  : set the third charset to this string of characters
           Note : the charset must match the charset that was used to create the pattern !

0BADF00D

For example:

!mona pattern_create 1000   # get a exception EIP address
!mona pattern_offset EIP    # return the offset

peb

Show location of the PEB


rop

Find gadgets that can be used in a ROP exploit and do ROP magic with them


ropfunc

Find pointers to pointers (IAT) to interesting functions that can be used in your rop chain.


seh

Find pointers to assist with SEH overwrite exploits.


sehchain / exchain

Show the current SEH chain


skeleton

Create a Metasploit module skeleton with a cyclic pattern for a given type of exploit.


stackpivot

Finds stackpivots (move stackpointer to controlled area)


stacks

Show all stacks for all threads in the running application.


string / str

Read or write a string from/to memory


suggest

Suggest an exploit buffer structure

0BADF00D   Usage of command 'suggest' :
0BADF00D   -----------------------------
           Suggests an exploit buffer structure based on pointers to a cyclic pattern
           Note : you can use the same options as with pattern_create and pattern_offset in terms of defining the character set to use
           Mandatory argument in case you are using WinDBG:
               -t  : skeletontype. Valid types are :
                           tcpclient:port, udpclient:port, fileformat:extension
                           Examples : -t tcpclient:21
                                      -t fileformat:pdf
0BADF00D

Video here.


teb

Show TEB related information


unicodealign / ua

Generate venetian alignment code for unicode stack buffer overflow.


update / up

Update mona to the lastest version

!mona up -http

References

[1]. https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/

你可能感兴趣的:(Vulnerability,Analysis,exploit)