Put mona.py into
C:\Program Files\Immunity Inc\Immunity Debugger\PyCommands
Open Immunity Debugger. At the bottom of the application you should see an input box (command bar), Enter !mona and press return.
Open the log window (ALT-L) and you should get a full page of information about mona (options and commands).
0BADF00D [+] Command used:
0BADF00D !mona
0BADF00D 'mona' - Exploit Development Swiss Army Knife - Immunity Debugger (32bit)
0BADF00D Plugin version : 2.0 r554
0BADF00D Written by Corelan - https://www.corelan.be
0BADF00D Project page : https://github.com/corelan/mona
.##.....##..#######..##....##....###........########..##....##
.###...###.##.....##.###...##...##.##.......##.....##..##..##.
.####.####.##.....##.####..##..##...##......##.....##...####..
.##.###.##.##.....##.##.##.##.##.....##.....########.....##...
.##.....##.##.....##.##..####.#########.....##...........##...
.##.....##.##.....##.##...###.##.....##.###.##...........##...
.##.....##..#######..##....##.##.....##.###.##...........##...
0BADF00D Global options :
0BADF00D ----------------
0BADF00D You can use one or more of the following global options on any command that will perform
0BADF00D a search in one or more modules, returning a list of pointers :
0BADF00D -n : Skip modules that start with a null byte. If this is too broad, use
0BADF00D option -cm nonull instead
0BADF00D -o : Ignore OS modules
0BADF00D -p : Stop search after pointers.
0BADF00D -m : only query the given modules. Be sure what you are doing !
0BADF00D You can specify multiple modules (comma separated)
0BADF00D Tip : you can use -m * to include all modules. All other module criteria will be ignored
0BADF00D Other wildcards : *blah.dll = ends with blah.dll, blah* = starts with blah,
0BADF00D blah or *blah* = contains blah
0BADF00D -cm : Apply some additional criteria to the modules to query.
0BADF00D You can use one or more of the following criteria :
0BADF00D aslr,safeseh,rebase,nx,os
0BADF00D You can enable or disable a certain criterium by setting it to true or false
0BADF00D Example : -cm aslr=true,safeseh=false
0BADF00D Suppose you want to search for p/p/r in aslr enabled modules, you could call
0BADF00D !mona seh -cm aslr
0BADF00D -cp : Apply some criteria to the pointers to return
0BADF00D Available options are :
0BADF00D unicode,ascii,asciiprint,upper,lower,uppernum,lowernum,numeric,alphanum,nonull,startswithnull,unicoderev
0BADF00D Note : Multiple criteria will be evaluated using 'AND', except if you are looking for unicode + one crit
0BADF00D -cpb '\x00\x01' : Provide list with bad chars, applies to pointers
0BADF00D You can use .. to indicate a range of bytes (in between 2 bad chars)
0BADF00D -x : Specify desired access level of the returning pointers. If not specified,
0BADF00D only executable pointers will be return.
0BADF00D Access levels can be one of the following values : R,W,X,RW,RX,WX,RWX or *
Usage :
-------
0BADF00D !mona
Available commands and parameters :
? / eval | Evaluate an expression
assemble / asm | Convert instructions to opcode. Separate multiple instructions with #
bpseh / sehbp | Set a breakpoint on all current SEH Handler function pointers
breakfunc / bf | Set a breakpoint on an exported function in on or more dll's
breakpoint / bp | Set a memory breakpoint on read/write or execute of a given address
bytearray / ba | Creates a byte array, can be used to find bad characters
calltrace / ct | Log all CALL instructions
compare / cmp | Compare contents of a binary file with a copy in memory
config / conf | Manage configuration file (mona.ini)
copy / cp | Copy bytes from one location to another
deferbp / bu | Set a deferred breakpoint
dump | Dump the specified range of memory to a file
egghunter / egg | Create egghunter code
encode / enc | Encode a series of bytes
filecompare / fc | Compares 2 or more files created by mona using the same output commands
find / f | Find bytes in memory
findmsp / findmsf | Find cyclic pattern in memory
findwild / fw | Find instructions in memory, accepts wildcards
fwptr / fwp | Find Writeable Pointers that get called
geteat / eat | Show EAT of selected module(s)
getiat / iat | Show IAT of selected module(s)
getpc | Show getpc routines for specific registers
gflags / gf | Show current GFlags settings from PEB.NtGlobalFlag
header | Read a binary file and convert content to a nice 'header' string
heap | Show heap related information
help | show help
hidedebug / hd | Attempt to hide the debugger
info | Show information about a given address in the context of the loaded application
infodump / if | Dumps specific parts of memory to file
jmp / j | Find pointers that will allow you to jump to a register
jop | Finds gadgets that can be used in a JOP exploit
kb / kb | Manage Knowledgebase data
modules / mod | Show all loaded modules and their properties
noaslr | Show modules that are not aslr or rebased
nosafeseh | Show modules that are not safeseh protected
nosafesehaslr | Show modules that are not safeseh protected, not aslr and not rebased
offset | Calculate the number of bytes between two addresses
pageacl / pacl | Show ACL associated with mapped pages
pattern_create / pc | Create a cyclic pattern of a given size
pattern_offset / po | Find location of 4 bytes in a cyclic pattern
peb / peb | Show location of the PEB
rop | Finds gadgets that can be used in a ROP exploit and do ROP magic with them
ropfunc | Find pointers to pointers (IAT) to interesting functions that can be used in your ROP chain
seh | Find pointers to assist with SEH overwrite exploits
sehchain / exchain | Show the current SEH chain
skeleton | Create a Metasploit module skeleton with a cyclic pattern for a given type of exploit
stackpivot | Finds stackpivots (move stackpointer to controlled area)
stacks | Show all stacks for all threads in the running application
string / str | Read or write a string from/to memory
suggest | Suggest an exploit buffer structure
teb / teb | Show TEB related information
unicodealign / ua | Generate venetian alignment code for unicode stack buffer overflow
update / up | Update mona to the latest version
0BADF00D
0BADF00D Want more info about a given command ? Run !mona help
0BADF00D
Before using mona, I strongly recommend making sure you are running the latest version. If you are using the stable release, you won’t see updates that often (new version releases are often announced on twitter or Google+).
If you are using the trunk release of mona.py, you might want to update on a regular (daily) basis.
Updating is very simple. Make sure your device has access to redmine.corelan.be (https or http) and run
!mona up
By default, a connection is made to https://redmine.corelan.be. If, for whatever reason, you are unable to use https, you can use the -http switch to force the use of http:
!mona up -http
Starting from mona.py v1.1 you can switch between stable and trunk releases, by using the -t option.
So, if you are running trunk and you want to change to release, run
!mona up -t release
if you want to switch to the latest trunk version, run
!mona up -t trunk
assemble / asm
The “assemble” command allows you to convert one or more assembly instructions into opcode.
0BADF00D Usage of command 'asm' :
0BADF00D -------------------------
Convert instructions to opcode. Separate multiple instructions with #.
Mandatory argument : -s : the sequence of instructions to assemble to opcode
For Example, we can get “jmp esp” opcode.
!mona assemble -s "jmp esp"
!mona asm -s "jmp esp"
0BADF00D
0BADF00D
0BADF00D [+] This mona.py action took 0:00:00
0BADF00D [+] Command used:
0BADF00D !mona assemble -s "jmp esp"
0BADF00D Opcode results :
0BADF00D ----------------
0BADF00D jmp esp = \xff\xe4
0BADF00D Full opcode : \xff\xe4
0BADF00D
0BADF00D [+] This mona.py action took 0:00:00.010000
bpseh / sehbp
Set a breakpoint on all current SEH Handler function pointers
!mona bpseh
!mona sehbp
breakfunc / bf
Set a breakpoint on an exported function in or more dll’s.
0BADF00D Usage of command 'breakfunc' :
0BADF00D -------------------------------
Set a breakpoint on exported or imported function(s) of the selected modules.
Mandatory argument :
-t : type of breakpoint action. Can be 'add', 'del' or 'list'
Optional arguments :
-f : set to 'import' or 'export' to read IAT or EAT. Default : export
-s : specify function names.
If you want a bp on all functions, set -s to *
0BADF00D
0BADF00D
0BADF00D [+] This mona.py action took 0:00:00
we can get all export or import functions, for example:
!mona breakfunc -t list -f export -s *
!mona breakfunc -t list -f import -s *
we can do the same things with the commands:
!mona geteat
!mona getiat
breakpoint / bp
Set a memory breakpoint on read/write or execute of a given address.
0BADF00D Usage of command 'breakpoint' :
0BADF00D --------------------------------
Set a breakpoint when a given address is read from, written to or executed
Mandatory arguments :
-a : the address where to set the breakpoint
(absolute address / register / modulename!functionname)
-t : type of the breakpoint, can be READ, WRITE or SFX
0BADF00D
0BADF00D
0BADF00D [+] This mona.py action took 0:00:00
set a READ breakpoint for demo.
0BADF00D !mona breakpoint -a 0x00437869 -t READ
0BADF00D Breakpoint set on READ of 0x00437869
0BADF00D
0BADF00D [+] This mona.py action took 0:00:00.010000
00437869 [02:39:59] Memory breakpoint when executing [00437869]
What’s the different between READ breakpoint and WRITE or SFX breakpoint ?
bytearray / ba
The “bytearray” option was implemented to assist exploit developers when finding bad chars. It will produce an array with all bytes between \x00 and \xff (except for the ones that you excluded), and writes the array to 2 files.
Optional arguments:
For example:
0BADF00D
0BADF00D
0BADF00D [+] This mona.py action took 0:00:00
0BADF00D [+] Command used:
0BADF00D !mona bytearray
0BADF00D Generating table, excluding 0 bad chars...
0BADF00D Dumping table to file
0BADF00D [+] Preparing output file 'bytearray.txt'
0BADF00D - (Re)setting logfile C:\logs\RM2MP3Converter\bytearray.txt
"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
"\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f"
"\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"
"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
0BADF00D
0BADF00D Done, wrote 256 bytes to file C:\logs\RM2MP3Converter\bytearray.txt
0BADF00D Binary output saved in C:\logs\RM2MP3Converter\bytearray.bin
0BADF00D
0BADF00D [+] This mona.py action took 0:00:00.030000
We believe finding bad chars is a mandatory step in the exploit writing process. Over the last few weeks and months, alot of people have asked use how to perform this task, so here are the steps to finding bad chars.
Let’s say your exploit structure (classic saved return pointer overwrite) looks like this:
[ 280 bytes of junk ] [ EIP ] [ 500 bytes (shellcode) ]
We should try to make the process as reliable and smooth as possible, so we’ll have to make sure we’re not messing with the essential part of the payload, which is the part that should allow us to keep control over EIP.
We’ll keep the first 280 bytes and the 4 bytes (saved return pointer) intact. If we would change those and the first 280 bytes contain bad chars, then we might not even be able to control EIP anymore, making it very hard to debug and find bad chars.
We have a number of bytes available after overwriting saved return pointer. So that is the perfect location to put our array. It will make sure that we can make the application crash in a reliable way, allowing us to set a breakpoint on EIP and then compare the array of bytes in memory with the original array of bytes.
Before creating & using the byte array, you should ask yourself “what kind of bytes are very likely going to be breaking the payload or altering the behaviour of the application”. If, for example, the buffer overflow gets triggered because of a string copy function, it’s very likely that a null byte will break the payload. A carriage return/line feed (\x0a\x0d) are common bytes that would change the way the payload is read & processed by the application as well, so in case of a string based overflow, you’ll probably discover that those are bad chars too.
So let’s start with excluding those 3 bytes from the array. (Of course, this is all based on assumptions. If you want to be sure, don’t exclude anything from the array yet).
!mona bytearray -cpb '\x00\x0a\x0d'
Open “bytearray.txt” and copy the array. Open your exploit and paste the array after overwriting EIP (so instead of the 500 bytes, put the array).
Then set the necessary breakpoints (at the pointer you will use to control EIP with in this case) and trigger the crash. Your breakpoint should be hit, and the byte array (or a portion of it) should be in memory somewhere.
The process of finding the bad chars is very simple. We can use another mona feature to read the original byte array from the binary file that was created, and compare those bytes with the array that is in memory at crash time.
Mona will then read the binary file, takes the first 8 bytes from the file, locates all instances of those 8 bytes in memory, and compare each of the bytes of the array with the bytes in memory, listing the ones that were not altered, and listing the ones that were changed/corrupted.
!mona compare -f bytearray.bin
At this point, there are 2 things you should check in the output of this command :
Find the location (probably on the stack in this example) where EIP would jump to. If you are building an exploit for a saved return pointer overwrite, you will most likely find your payload at ESP. Look at ESP (or the location where your payload is) and jot down that address. Open compare.txt, look for that address and you will get the list of bytes that were corrupted. Corruption can result in 2 types of behaviour : either the byte gets changed (other bytes are still fine), or all bytes after the bad char are different. Either way, unless you know what you are doing, only write down the first byte that was changed and add that byte to the list of bad chars. Then repeat the entire process (create bytearray, paste array into exploit, trigger crash, compare). So, if you discovery that for example \x59 is a bad char too, simply run the bytearray command again :
!mona bytearray -cpb ‘\x00\x0a\x0d’
Repeat the entire process and do another compare. If the resulting array was found at the right location, unmodified, then you have determined all bad chars. If not, just find the next bad char, exclude it from the array and try again. The process might be time consuming, and there may even be better ways to do this, but this technique works just fine.
Look at other locations where your array was found. Maybe one of those locations have a non-corrupted copy of the array, providing you with an alternative location to place your shellcode without having to bother about bad chars. All you would need to do is write some jumpcode (or egghunter) to jump to that location.
View the video online here or blog here.
compare
We already discussed the basic functionality of “compare” in the documentation of previous command.
0BADF00D
0BADF00D Usage of command 'compare' :
0BADF00D -----------------------------
Compares contents of a binary file with locations in memory.
Mandatory argument :
-f : full path to binary file
Optional argument :
-a : the exact address of the bytes in memory (address or register).
If you don't specify an address, I will try to locate the bytes in memory
by looking at the first 8 bytes.
-s : skip locations that belong to a module
-unicode : perform unicode search. Note: input should *not* be unicode, it will be expanded automatically
0BADF00D
0BADF00D
0BADF00D [+] This mona.py action took 0:00:00
You can use this command to find bad chars (as explained earlier), but you can also use it to see if your shellcode got corrupted in memory.
You could, for example, write tag+tag+shellcode (egghunter egg) to a binary file and use the compare command to find the eggs and show if they got corrupted or not. If some of them do, others don’t, you’ll know if and how you have to tweak the start location of the hunter, or just use a checksum routine.
calltrace
Log all CALL instructions
0BADF00D
0BADF00D Usage of command 'calltrace' :
0BADF00D -------------------------------
Logs all CALL instructions
Mandatory arguments :
-m module : specify what module to search for CALL instructions (global option)
Optional arguments :
-a : number of arguments to show for each CALL
-r : also trace RETN instructions (will slow down process!)
0BADF00D
0BADF00D
0BADF00D [+] This mona.py action took 0:00:00
config / conf
Manage configuration file (mona.ini).
0BADF00D Usage of command 'config' :
0BADF00D ----------------------------
Change config of mona.py
Available options are : -get , -set or -add
Valid parameters are : workingfolder, excluded_modules, author
0BADF00D
0BADF00D
0BADF00D [+] This mona.py action took 0:00:00
Set our current work directory as follow:
!mona config -set workingfolder C:\logs\%p
copy / cp
Copy bytes from one location to another.
0BADF00D Usage of command 'copy' :
0BADF00D --------------------------
Copies bytes from one location to another.
Arguments:
-src : The source address
-dst : The destination address
-n : The number of bytes to copy
0BADF00D
0BADF00D
we can copy 0x10 bytes from 0x00446000 to 0x00446010.
!mona copy -src 0x00446000 -dst 0x00446010 -n 0x10
deferbp / bu
Set a memory breakpoint on read/write or execute of a given address.
0BADF00D
0BADF00D Usage of command 'deferbp' :
0BADF00D -----------------------------
Set a deferred breakpoint
Mandatory arguments :
-a ,,...
target can be an address, a modulename.functionname or module.dll+offset (hex value)
Warning, modulename.functionname is case sensitive !
0BADF00D
dump
Dump the specified range of memory to a file
0BADF00D
0BADF00D Usage of command 'dump' :
0BADF00D --------------------------
Dump the specified memory range to a file. Either the end address or the size of
buffer needs to be specified.
Mandatory arguments :
-s : start address
-f : the name of the file where to write the bytes
Optional arguments:
-n : the number of bytes to copy (size of the buffer)
-e : the end address of the copy
0BADF00D
we can dump 1000 bytes from 0x00437854.
!mona dump -s 0x00437854 -f C:\logs\RM2MP3Converter\dump.bin -n 1000
egghunter
Create egghunter code.
0BADF00D
0BADF00D Usage of command 'egghunter' :
0BADF00D -------------------------------
Creates an egghunter routine
Optional arguments :
-t : tag (ex: w00t). Default value is w00t
-c : enable checksum routine. Only works in conjunction with parameter -f
-f : file containing the shellcode
-startreg : start searching at the address pointed by this reg
-wow64 : generate wow64 egghunter. Default is traditional 32bit egghunter
DEP Bypass options :
-depmethod : method can be "virtualprotect", "copy" or "copy_size"
-depreg : sets the register that contains a pointer to the API function to bypass DEP.
By default this register is set to ESI
-depsize : sets the size for the dep bypass routine
-depdest : this register points to the location of the egghunter itself.
When bypassing DEP, the egghunter is already marked as executable.
So when using the copy or copy_size methods, the DEP bypass in the egghunter
would do a "copy 2 self". In order to be able to do so, it needs a register
where it can copy the shellcode to.
If you leave this empty, the code will contain a GetPC routine.
0BADF00D
0BADF00D
If you don’t specify a file containing shellcode, it will simply produce a regular egghunter routine. If you specify a filename, you’ll have the ability to use option -c, which will insert a checksum routine for the shellcode in the file. The checksum routine will only work for that particular shellcode (or any other shellcode with the same size, producing the same checksum value :) )
Using the various -dep* parameters, you can tell the egghunter routine to create code that will bypass DEP on the found egg, before running it. You can find more information about this technique here.
encode / enc
Encode a series of bytes.
0BADF00D
0BADF00D Usage of command 'enc' :
0BADF00D -------------------------
Encode a series of bytes
Arguments:
-t : Type of encoder to use. Allowed value(s) are alphanum
-s : The bytes to encode (or use -f instead)
-f : The full path to the binary file that contains the bytes to encode
0BADF00D
filecompare / fc
Compares 2 or more files created by mona using the same output commands.
0BADF00D Usage of command 'filecompare' :
0BADF00D ---------------------------------
Compares 2 or more files created by mona using the same output commands
Make sure to use files that are created with the same version of mona and
contain the output of the same mona command.
Mandatory argument : -f "file1,file2,...filen"
Put all filenames between one set of double quotes, and separate files with comma's.
You can specify a foldername as well with -f, all files in the root of that folder will be part of the compare.
Output will be written to filecompare.txt and filecompare_not.txt (not matching pointers)
Optional parameters :
-contains "INSTRUCTION" (will only list if instruction is found)
-nostrict (will also list pointer is instructions don't match in all files)
-range : find overlapping ranges for all pointers + range.
When using -range, the -contains and -nostrict options will be ignored
-ptronly : only show matching pointers (slightly faster). Doesn't work when 'range' is used
0BADF00D
For example:
!mona filecompare -f "C:\logs\RM2MP3Converter\pattern.txt.old","C:\logs\RM2MP3Converter\pattern.txt.old2"
find
The “find” command has improved a lot since its initial implementation in pvefindaddr. It’s faster, but above all it’s more flexible and has a shiney new “recursive” search feature.
0BADF00D Usage of command 'find' :
0BADF00D --------------------------
Find a sequence of bytes in memory.
Mandatory argument : -s : the sequence to search for. If you specified type 'file', then use -s to specify the file.
This file needs to be a file created with mona.py, containing pointers at the begin of each line.
Optional arguments:
-type : Type of pattern to search for : bin,asc,ptr,instr,file
-b : base/bottom address of the search range
-t : top address of the search range
-c : skip consecutive pointers but show length of the pattern instead
-p2p : show pointers to pointers to the pattern (might take a while !)
this setting equals setting -level to 1
-level : do recursive (p2p) searches, specify number of levels deep
if you want to look for pointers to pointers, set level to 1
-offset : subtract a value from a pointer at a certain level
-offsetlevel : level to subtract a value from a pointer
-r : if p2p is used, you can tell the find to also find close pointers by specifying -r with a value.
This value indicates the number of bytes to step backwards for each search
-unicode : used in conjunction with search type asc, this will convert the search pattern to unicode first
-ptronly : Only show the pointers, skip showing info about the pointer (slightly faster)
0BADF00D
By default, “find” will look for all locations (accesslevel set to *). Furthermore, by default, it will search the entire memory space (including the memory space of modules that were excluded).
Example: Find all locations where the string “w00t” can be found:
!mona find -type asc -s "w00t"
Example: Find all executable locations that have a pointer to “jmp ecx”
!mona find -type instr -s "jmp ecx" -p2p
0BADF00D
0BADF00D [+] This mona.py action took 0:00:00
0BADF00D [+] Command used:
0BADF00D !mona find -type instr -s "jmp esp" -b 018F0000 -t 1DBD000
---------- Mona command started on 2015-02-26 19:26:29 (v2.0, rev 554) ----------
0BADF00D [+] Processing arguments and criteria
0BADF00D - Pointer access level : *
0BADF00D - Treating search pattern as instr
0BADF00D [+] Searching from 0x018f0000 to 0x01dbd000
0BADF00D [+] Preparing output file 'find.txt'
0BADF00D - (Re)setting logfile C:\logs\RM2MP3Converter\find.txt
0BADF00D [+] Generating module info table, hang on...
0BADF00D - Processing modules
0BADF00D - Done. Let's rock 'n roll.
0BADF00D [+] Writing results to C:\logs\RM2MP3Converter\find.txt
0BADF00D - Number of pointers of type '"jmp esp"' : 13
0BADF00D [+] Results :
01AE023F 0x01ae023f (b+0x001f023f) : "jmp esp" | {PAGE_READONLY} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
01AFD3DB 0x01afd3db (b+0x0020d3db) : "jmp esp" | {PAGE_READONLY} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
01AAF23A 0x01aaf23a (b+0x001bf23a) : "jmp esp" | {PAGE_EXECUTE} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
01B1B22A 0x01b1b22a (b+0x0022b22a) : "jmp esp" | {PAGE_READWRITE} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
01B1B72D 0x01b1b72d (b+0x0022b72d) : "jmp esp" | {PAGE_READWRITE} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
01B1CD89 0x01b1cd89 (b+0x0022cd89) : "jmp esp" | {PAGE_READWRITE} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
01B25C9E 0x01b25c9e (b+0x00235c9e) : "jmp esp" | {PAGE_READWRITE} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
01B303D9 0x01b303d9 (b+0x002403d9) : "jmp esp" | {PAGE_READWRITE} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
01B31400 0x01b31400 (b+0x00241400) : "jmp esp" | null {PAGE_READWRITE} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
01B3736D 0x01b3736d (b+0x0024736d) : "jmp esp" | {PAGE_READWRITE} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
01B3CE34 0x01b3ce34 (b+0x0024ce34) : "jmp esp" | {PAGE_READWRITE} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
01B40159 0x01b40159 (b+0x00250159) : "jmp esp" | {PAGE_READWRITE} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
01B42EC0 0x01b42ec0 (b+0x00252ec0) : "jmp esp" | {PAGE_READWRITE} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
0BADF00D Found a total of 13 pointers
0BADF00D
0BADF00D [+] This mona.py action took 0:00:01.252000
As we known, 0x01AAF23A is a good choice.
Example: Find All locations that have a pointer to any of the pointer in file c:\temp\seh.txt
!mona find -type file -s "c:\temp\seh.txt" -p2p
Example : let’s say you control ECX, and your payload is at ESP+4
This is the code that will give you control over EIP :
MOV EAX,DWORD PTR DS:[ECX]
CALL [EAX+58]
The idea is to retun to the payload at ESP+4 to initiate a rop chain.
Think about it. What kind of pointer would we need to put in ECX ?
Answer : We need a pointer to a pointer(2), where pointer(2) – 0x58 points to a pointer to ADD ESP,4/RET.
For sure you find one manually. If you have time.
In order to instruct mona to find all pointers, you’ll need 2 commands :
One to find all stackpivots of 4
One to find the ptr to ptr-0x58 to ptr to one of the stackpivots
Solution :
# first, get all stackpivots, save output to c:\logs\stackpivot.txt
!mona config -set workingfolder c:\logs
!mona stackpivot -distance 4,4
# read the file and find ptr to ptr-58 to each of the pointers
!mona find -type file -s "c:\logs\stackpivot.txt" -x *
-offset 88 -level 2 -offsetlevel 2
So basically, we need to apply the offset to level 2. (which is “look for ptr to ptr to ptr” in this case, because we already read ptr to the instructions into stackpivot).
Before looking for a pointer to a pointer in that level, the offset will be subtracted from the target pointer first.
Hint : in order to debug this routine, you’ll have to set a breakpoint on reading [ECX]. Suppose you put 7a10b473 in ECX, then – prior to triggering the bug – set a breakpoint on reading that location :
!mona bp -t READ -a 0x7a10b473
findmsp
Find cyclic pattern in memory.
0BADF00D Usage of command 'findmsp' :
0BADF00D -----------------------------
Finds begin of a cyclic pattern in memory, looks if one of the registers contains (is overwritten) with a cyclic pattern
or points into a cyclic pattern. findmsp will also look if a SEH record is overwritten and finally,
it will look for cyclic patterns on the stack, and pointers to cyclic pattern on the stack.
Optional argument :
-distance : distance from ESP, applies to search on the stack. Default : search entire stack
Note : you can use the same options as with pattern_create and pattern_offset in terms of defining the character set to use
0BADF00D
findwild
Find instructions in memory, accept wildcards.
0BADF00D
0BADF00D Usage of command 'findwild' :
0BADF00D ------------------------------
Find instructions in memory, accepts wildcards :
Mandatory arguments :
-s (separate instructions with #)
Optional arguments :
-b : base/bottom address of the search range
-t : top address of the search range
-depth : number of instructions to go deep
-all : show all instruction chains, even if it contains something that might break the chain
-distance min=nr,max=nr : you can use a numeric offset wildcard (a single *) in the first instruction of the search
the distance parameter allows you to specify the range of the offset
Inside the instructions string, you can use the following wildcards :
* = any instruction
r32 = any register
Example : pop r32#*#xor eax,eax#*#pop esi#ret
0BADF00D
Instructions are separated with #. You can use * to indicate that you want to allow any instruction(s). You can also use r32 to indicate that you want to allow any register.
Example : Search for a push (any register), later followed by pop eax, directly followed by inc eax, ending the chain with a retn :
!mona findwild -s "push r32#*#pop eax#inc eax#*#retn"
You can, of course, use any of the global options to finetune/limit the search.
Output will be written to findwild.txt.
fwptr / fp
Find Writeable Pointers that get called.
geteat ** / eat
Show EAT of selected module(s)
!mona eat
!mona eat -s "32"
getiat / iat
Show IAT of selected module(s)
!mona iat
!mona iat -s "32"
getpc
Show getpc routines for specific registers.
0BADF00D
0BADF00D Usage of command 'getpc' :
0BADF00D ---------------------------
Find getpc routine for specific register
Mandatory argument :
-r : register (ex: eax)
0BADF00D
0BADF00D
0BADF00D [+] This mona.py action took 0:00:00
0BADF00D [+] Command used:
0BADF00D !mona getpc -r eax
0BADF00D [+] Preparing output file 'getpc.txt'
0BADF00D - (Re)setting logfile C:\logs\RM2MP3Converter\getpc.txt
eax| jmp short back:
"\xeb\x03\x58\xff\xd0\xe8\xf8\xff\xff\xff"
eax| call + 4:
"\xe8\xff\xff\xff\xff\xc3\x58"
eax| fstenv:
"\xd9\xeb\x9b\xd9\x74\x24\xf4\x58"
0BADF00D
0BADF00D Wrote to file C:\logs\RM2MP3Converter\getpc.txt
0BADF00D
gflags / gf
Show current GFlags settings from PEB.NtGlobalFlag.
0BADF00D
0BADF00D [+] This mona.py action took 0:00:01.072000
0BADF00D [+] Command used:
0BADF00D !mona gflags
0BADF00D [+] NtGlobalFlag: 0x00000070
0BADF00D 0x00000040 : +hpc - Enable Heap Parameter Checking
0BADF00D 0x00000020 : +hfc - Enable Heap Free Checking
0BADF00D 0x00000010 : +htc - Enable Heap Tail Checking
header
Read a binary file and convert to a nice ‘header’ string.
!mona header -f "C:\Program Files\Easy RM to MP3 Converter\RM2MP3Converter.exe" -t python
heap
Show heap related information.
0BADF00D
0BADF00D Usage of command 'heap' :
0BADF00D --------------------------
Show information about various heap chunk lists
Mandatory arguments :
-h : base address of the heap to query
-t : where type is 'segments', 'chunks', 'layout',
'fea' (let mona determine the frontend allocator),
'lal' (force display of LAL FEA, only on XP/2003),
'lfh' (force display of LFH FEA (Vista/Win7/...)),
'bea' (backend allocator, mona will automatically determine what it is),
'all' (show all information)
Note: 'layout' will show all heap chunks and their vtables & strings. Use on WinDBG for maximum results.
Optional arguments :
-expand : Works only in combination with 'layout', will include VA/LFH/... chunks in the search.
VA/LFH chunks may be very big, so this might slow down the search.
-stat : show statistics (also works in combination with -h heap, -t segments or -t chunks
-size : only show strings of at least the specified size. Works in combination with 'layout'
-after : only show current & next chunk layout entries when an entry contains this data
(Only works in combination with 'layout')
-v : show data / write verbose info to the Log window
0BADF00D
help
show help
hidedebug / hd
Attempt to hide the debugger from the process.
info
Show information about a given address in the context of the loaded application.
0BADF00D !mona info -a 0x00437854
0BADF00D [+] Generating module info table, hang on...
0BADF00D - Processing modules
0BADF00D - Done. Let's rock 'n roll.
0BADF00D [+] NtGlobalFlag: 0x00000070
0BADF00D 0x00000040 : +hpc - Enable Heap Parameter Checking
0BADF00D 0x00000020 : +hfc - Enable Heap Free Checking
0BADF00D 0x00000010 : +htc - Enable Heap Tail Checking
0BADF00D
0BADF00D [+] Information about address 0x00437854
773D0000 Modules C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
0BADF00D startnull,asciiprint,ascii,alphanum {PAGE_EXECUTE_READ}
0BADF00D Address is part of page 0x00401000 - 0x0043c000
0BADF00D Section : .text
0BADF00D Address is part of a module:
0BADF00D [RM2MP3Converter.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.7.3.700 (C:\Program Files\Easy RM to MP3 Converter\RM2MP3Converter.exe)
0BADF00D Offset from module base: 0x37854
0BADF00D
0BADF00D [+] Disassembly:
0BADF00D Instruction at 00437854 : PUSH EBP
0BADF00D
infodump / if
Dumps contents of memory to file. Contents will include all pages that don’t belong to stack, heap or loaded modules.
Output will be written to infodump.xml
jmp / j
Find pointers that will allow you to a register.
!mona jmp -r esp
jop
Find gadgets that can be used in a JOP exploit.
kb
Manage Knowledgebase data.
0BADF00D
0BADF00D Usage of command 'kb' :
0BADF00D ------------------------
Manage knowledgebase data
Mandatory arguments:
- : type can be 'list', 'set' or 'del'
To 'set' ( = add / update ) a KB entry, or 'del' an entry,
you will need to specify 2 additional arguments:
-id : the Knowledgebase ID
-value : the value to add/update. In case of lists, use a comma to separate entries.
The -list parameter will show all current ID's
To see the contents of a specific ID, use the -id parameter.
0BADF00D
modules / mod
Show information about the loaded modules.
0BADF00D !mona modules
---------- Mona command started on 2015-02-26 21:19:37 (v2.0, rev 554) ----------
0BADF00D [+] Processing arguments and criteria
0BADF00D - Pointer access level : X
0BADF00D [+] Generating module info table, hang on...
0BADF00D - Processing modules
0BADF00D - Done. Let's rock 'n roll.
0BADF00D ----------------------------------------------------------------------------------------------------------------------------------
0BADF00D Module info :
0BADF00D ----------------------------------------------------------------------------------------------------------------------------------
0BADF00D Base | Top | Size | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Version, Modulename & Path
0BADF00D ----------------------------------------------------------------------------------------------------------------------------------
0BADF00D 0x76080000 | 0x760e5000 | 0x00065000 | False | True | False | False | True | 6.02.3104.0 [MSVCP60.dll] (C:\WINDOWS\system32\MSVCP60.dll)
0BADF00D 0x02020000 | 0x02030000 | 0x00010000 | True | False | False | False | False | -1.0- [MSRMfilter02.dll] (C:\Program Files\Easy RM to MP3 Converter\MSRMfilter02.dll)
0BADF00D 0x5b860000 | 0x5b8b5000 | 0x00055000 | False | True | False | False | True | 5.1.2600.5512 [NETAPI32.dll] (C:\WINDOWS\system32\NETAPI32.dll)
0BADF00D 0x7e1e0000 | 0x7e282000 | 0x000a2000 | False | True | False | False | True | 6.00.2900.5512 [urlmon.dll] (C:\WINDOWS\system32\urlmon.dll)
0BADF00D 0x00400000 | 0x004be000 | 0x000be000 | False | False | False | False | False | 2.7.3.700 [RM2MP3Converter.exe] (C:\Program Files\Easy RM to MP3 Converter\RM2MP3Converter.exe)
0BADF00D 0x77a80000 | 0x77b15000 | 0x00095000 | False | True | False | False | True | 5.131.2600.5512 [CRYPT32.dll] (C:\WINDOWS\system32\CRYPT32.dll)
0BADF00D 0x76f20000 | 0x76f47000 | 0x00027000 | False | True | False | False | True | 5.1.2600.5512 [DNSAPI.dll] (C:\WINDOWS\system32\DNSAPI.dll)
0BADF00D 0x77c70000 | 0x77c94000 | 0x00024000 | False | True | False | False | True | 5.1.2600.5512 [msv1_0.dll] (C:\WINDOWS\system32\msv1_0.dll)
0BADF00D 0x77c10000 | 0x77c68000 | 0x00058000 | False | True | False | False | True | 7.0.2600.5512 [msvcrt.dll] (C:\WINDOWS\system32\msvcrt.dll)
0BADF00D 0x7c900000 | 0x7c9af000 | 0x000af000 | False | True | False | False | True | 5.1.2600.5512 [ntdll.dll] (C:\WINDOWS\system32\ntdll.dll)
0BADF00D 0x01860000 | 0x018d1000 | 0x00071000 | True | False | False | False | False | -1.0- [MSRMCcodec00.dll] (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec00.dll)
0BADF00D 0x71a90000 | 0x71a98000 | 0x00008000 | False | True | False | False | True | 5.1.2600.5512 [wshtcpip.dll] (C:\WINDOWS\System32\wshtcpip.dll)
0BADF00D 0x018f0000 | 0x01dbd000 | 0x004cd000 | True | False | False | False | False | -1.0- [MSRMCcodec02.dll] (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
0BADF00D 0x01dc0000 | 0x01dd1000 | 0x00011000 | True | True | False | False | True | 7.0.2600.5512 [MSVCIRT.dll] (C:\WINDOWS\system32\MSVCIRT.dll)
0BADF00D 0x00ab0000 | 0x00b4f000 | 0x0009f000 | True | False | False | False | False | -1.0- [MSRMfilter01.dll] (C:\Program Files\Easy RM to MP3 Converter\MSRMfilter01.dll)
0BADF00D 0x02240000 | 0x02252000 | 0x00012000 | True | False | False | False | False | -1.0- [MSLog.dll] (C:\Program Files\Easy RM to MP3 Converter\MSLog.dll)
0BADF00D 0x76fc0000 | 0x76fc6000 | 0x00006000 | False | True | False | False | True | 5.1.2600.5512 [rasadhlp.dll] (C:\WINDOWS\system32\rasadhlp.dll)
0BADF00D 0x10000000 | 0x10071000 | 0x00071000 | False | False | False | False | False | -1.0- [MSRMfilter03.dll] (C:\Program Files\Easy RM to MP3 Converter\MSRMfilter03.dll)
0BADF00D 0x76ee0000 | 0x76f1c000 | 0x0003c000 | False | True | False | False | True | 5.1.2600.5512 [RASAPI32.DLL] (C:\WINDOWS\system32\RASAPI32.DLL)
0BADF00D 0x77fe0000 | 0x77ff1000 | 0x00011000 | False | True | False | False | True | 5.1.2600.5512 [Secur32.dll] (C:\WINDOWS\system32\Secur32.dll)
0BADF00D 0x71aa0000 | 0x71aa8000 | 0x00008000 | False | True | False | False | True | 5.1.2600.5512 [WS2HELP.dll] (C:\WINDOWS\system32\WS2HELP.dll)
0BADF00D 0x73dd0000 | 0x73ece000 | 0x000fe000 | False | True | False | False | True | 6.02.4131.0 [MFC42.DLL] (C:\WINDOWS\system32\MFC42.DLL)
0BADF00D 0x774e0000 | 0x7761d000 | 0x0013d000 | False | True | False | False | True | 5.1.2600.5512 [ole32.dll] (C:\WINDOWS\system32\ole32.dll)
0BADF00D 0x77f60000 | 0x77fd6000 | 0x00076000 | False | True | False | False | True | 6.00.2900.5512 [SHLWAPI.dll] (C:\WINDOWS\system32\SHLWAPI.dll)
0BADF00D 0x662b0000 | 0x66308000 | 0x00058000 | False | True | False | False | True | 5.1.2600.5512 [hnetcfg.dll] (C:\WINDOWS\system32\hnetcfg.dll)
0BADF00D 0x7e410000 | 0x7e4a1000 | 0x00091000 | False | True | False | False | True | 5.1.2600.5512 [USER32.dll] (C:\WINDOWS\system32\USER32.dll)
0BADF00D 0x763b0000 | 0x763f9000 | 0x00049000 | False | True | False | False | True | 6.00.2900.5512 [comdlg32.dll] (C:\WINDOWS\system32\comdlg32.dll)
0BADF00D 0x71ad0000 | 0x71ad9000 | 0x00009000 | False | True | False | False | True | 5.1.2600.5512 [wsock32.dll] (C:\WINDOWS\system32\wsock32.dll)
0BADF00D 0x76e80000 | 0x76e8e000 | 0x0000e000 | False | True | False | False | True | 5.1.2600.5512 [rtutils.dll] (C:\WINDOWS\system32\rtutils.dll)
0BADF00D 0x01fe0000 | 0x01ffe000 | 0x0001e000 | True | False | False | False | True | 1.0.1.8 [wmatimer.dll] (C:\WINDOWS\system32\wmatimer.dll)
0BADF00D 0x5ad70000 | 0x5ada8000 | 0x00038000 | False | True | False | False | True | 6.00.2900.5512 [uxtheme.dll] (C:\WINDOWS\system32\uxtheme.dll)
0BADF00D 0x77120000 | 0x771ab000 | 0x0008b000 | False | True | False | False | True | 5.1.2600.5512 [OLEAUT32.dll] (C:\WINDOWS\system32\OLEAUT32.dll)
0BADF00D 0x722b0000 | 0x722b5000 | 0x00005000 | False | True | False | False | True | 5.1.2600.5512 [sensapi.dll] (C:\WINDOWS\system32\sensapi.dll)
0BADF00D 0x7c9c0000 | 0x7d1d7000 | 0x00817000 | False | True | False | False | True | 6.00.2900.5512 [SHELL32.dll] (C:\WINDOWS\system32\SHELL32.dll)
0BADF00D 0x77e70000 | 0x77f02000 | 0x00092000 | False | True | False | False | True | 5.1.2600.5512 [RPCRT4.dll] (C:\WINDOWS\system32\RPCRT4.dll)
0BADF00D 0x77b20000 | 0x77b32000 | 0x00012000 | False | True | False | False | True | 5.1.2600.5512 [MSASN1.dll] (C:\WINDOWS\system32\MSASN1.dll)
0BADF00D 0x773d0000 | 0x774d3000 | 0x00103000 | False | True | False | False | True | 6.0 [comctl32.dll] (C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll)
0BADF00D 0x769c0000 | 0x76a74000 | 0x000b4000 | False | True | False | False | True | 5.1.2600.5512 [USERENV.dll] (C:\WINDOWS\system32\USERENV.dll)
0BADF00D 0x76e90000 | 0x76ea2000 | 0x00012000 | False | True | False | False | True | 5.1.2600.5512 [rasman.dll] (C:\WINDOWS\system32\rasman.dll)
0BADF00D 0x771b0000 | 0x7725a000 | 0x000aa000 | False | True | False | False | True | 6.00.2900.5512 [WININET.dll] (C:\WINDOWS\system32\WININET.dll)
0BADF00D 0x5d090000 | 0x5d12a000 | 0x0009a000 | False | True | False | False | True | 5.82 [COMCTL32.dll] (C:\WINDOWS\system32\COMCTL32.dll)
0BADF00D 0x76d60000 | 0x76d79000 | 0x00019000 | False | True | False | False | True | 5.1.2600.5512 [iphlpapi.dll] (C:\WINDOWS\system32\iphlpapi.dll)
0BADF00D 0x71a50000 | 0x71a8f000 | 0x0003f000 | False | True | False | False | True | 5.1.2600.5512 [mswsock.dll] (C:\WINDOWS\System32\mswsock.dll)
0BADF00D 0x76b40000 | 0x76b6d000 | 0x0002d000 | False | True | False | False | True | 5.1.2600.5512 [WINMM.dll] (C:\WINDOWS\system32\WINMM.dll)
0BADF00D 0x7c800000 | 0x7c8f6000 | 0x000f6000 | False | True | False | False | True | 5.1.2600.5512 [kernel32.dll] (C:\WINDOWS\system32\kernel32.dll)
0BADF00D 0x77f10000 | 0x77f59000 | 0x00049000 | False | True | False | False | True | 5.1.2600.5512 [GDI32.dll] (C:\WINDOWS\system32\GDI32.dll)
0BADF00D 0x018e0000 | 0x018e7000 | 0x00007000 | True | False | False | False | False | -1.0- [MSRMCcodec01.dll] (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec01.dll)
0BADF00D 0x73000000 | 0x73026000 | 0x00026000 | False | True | False | False | True | 5.1.2600.5512 [WINSPOOL.DRV] (C:\WINDOWS\system32\WINSPOOL.DRV)
0BADF00D 0x77c00000 | 0x77c08000 | 0x00008000 | False | True | False | False | True | 5.1.2600.5512 [VERSION.dll] (C:\WINDOWS\system32\VERSION.dll)
0BADF00D 0x77dd0000 | 0x77e6b000 | 0x0009b000 | False | True | False | False | True | 5.1.2600.5512 [ADVAPI32.dll] (C:\WINDOWS\system32\ADVAPI32.dll)
0BADF00D 0x71ab0000 | 0x71ac7000 | 0x00017000 | False | True | False | False | True | 5.1.2600.5512 [WS2_32.dll] (C:\WINDOWS\system32\WS2_32.dll)
0BADF00D 0x76eb0000 | 0x76edf000 | 0x0002f000 | False | True | False | False | True | 5.1.2600.5512 [TAPI32.dll] (C:\WINDOWS\system32\TAPI32.dll)
0BADF00D ----------------------------------------------------------------------------------------------------------------------------------
0BADF00D
noaslr
Show modules that are not aslr or rebased
nosafeseh
Show modules that are not safeseh protected
nosafesehaslr
Show modules that are not safeseh protected, not aslr and not rebased.
offset
Calcalate the number og bytes between two addresses.
pageacl / pacl
Show ACL associated with mapped pages.
pattern_create / pc
Create a cyclic pattern of a given size.
0BADF00D Usage of command 'pattern_create' :
0BADF00D ------------------------------------
Create a cyclic pattern of a given size. Output will be written to pattern.txt
Mandatory argument : size (numberic value)
Optional arguments :
-js : output pattern in unicode escaped javascript format
-extended : extend the 3rd characterset (numbers) with punctuation marks etc
-c1 : set the first charset to this string of characters
-c2 : set the second charset to this string of characters
-c3 : set the third charset to this string of characters
0BADF00D
pattern_offset / po
Find location of 4 bytes in a cyclic pattern.
0BADF00D
0BADF00D Usage of command 'pattern_offset' :
0BADF00D ------------------------------------
Find the location of 4 bytes in a cyclic pattern
Mandatory argument : the 4 bytes to look for
Note : you can also specify a register
Optional arguments :
-extended : extend the 3rd characterset (numbers) with punctuation marks etc
-c1 : set the first charset to this string of characters
-c2 : set the second charset to this string of characters
-c3 : set the third charset to this string of characters
Note : the charset must match the charset that was used to create the pattern !
0BADF00D
For example:
!mona pattern_create 1000 # get a exception EIP address
!mona pattern_offset EIP # return the offset
peb
Show location of the PEB
rop
Find gadgets that can be used in a ROP exploit and do ROP magic with them
ropfunc
Find pointers to pointers (IAT) to interesting functions that can be used in your rop chain.
seh
Find pointers to assist with SEH overwrite exploits.
sehchain / exchain
Show the current SEH chain
skeleton
Create a Metasploit module skeleton with a cyclic pattern for a given type of exploit.
stackpivot
Finds stackpivots (move stackpointer to controlled area)
stacks
Show all stacks for all threads in the running application.
string / str
Read or write a string from/to memory
suggest
Suggest an exploit buffer structure
0BADF00D Usage of command 'suggest' :
0BADF00D -----------------------------
Suggests an exploit buffer structure based on pointers to a cyclic pattern
Note : you can use the same options as with pattern_create and pattern_offset in terms of defining the character set to use
Mandatory argument in case you are using WinDBG:
-t : skeletontype. Valid types are :
tcpclient:port, udpclient:port, fileformat:extension
Examples : -t tcpclient:21
-t fileformat:pdf
0BADF00D
Video here.
teb
Show TEB related information
unicodealign / ua
Generate venetian alignment code for unicode stack buffer overflow.
update / up
Update mona to the lastest version
!mona up -http
[1]. https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/