如何在Windbg中安装mona

文章目录

    • 01 问题描述
    • 02 解决步骤
      • 2.1 安装和检查Python2.x环境并确保安装了Windbg
      • 2.2 把`Mona.py,windbglib.py`放入Windbg.exe同级文件夹下,`pykd.pyd`放到windbg安装目录下的`winext`文件夹下
      • 2.3 开启cmd,切换到 `C:\Program Files\Common Files\Microsoft Shared\VC下,` 执行注册命令 `regsvr32 msdia90.dll` 系统会弹窗显示成功。
      • 2.4 打开windbg,加载符号测试是否成功
      • 2.5 输入mona命令检测是否安装mona成功
    • 03 总结
    • 04 参考资料与资源链接
      • 4.1 参考资料
      • 4.2 资源链接

01 问题描述

  • 在Windows的Windbg中安装Mona
  • 环境要求
    • 检查是否安装了Windbg
    • 检查是否安装Python2.x
    • 1.Mona.py—放入Windbg.exe文件夹下
    • 2.pykd.pyd—WinDbg的Python插件
    • 3.windbglib.py—放入Windbg.exe文件夹下
  • 资源链接
    [1] WinDbglib+pykd
    [2] Mona
    [3] pykd

如何在Windbg中安装mona_第1张图片

02 解决步骤

2.1 安装和检查Python2.x环境并确保安装了Windbg

  • 没装的安装好相关版本的python
    • Win+R 输入cmd,输入python,查看是否已经安装了Python2.x.x,如未安装需要先安装Python2.x环境
  • 在15pb虚拟机的下载文件夹中有python-2.7.9

如何在Windbg中安装mona_第2张图片

如何在Windbg中安装mona_第3张图片

2.2 把Mona.py,windbglib.py放入Windbg.exe同级文件夹下,pykd.pyd放到windbg安装目录下的winext文件夹下

如何在Windbg中安装mona_第4张图片

如何在Windbg中安装mona_第5张图片

2.3 开启cmd,切换到 C:\Program Files\Common Files\Microsoft Shared\VC下, 执行注册命令 regsvr32 msdia90.dll 系统会弹窗显示成功。

如何在Windbg中安装mona_第6张图片

  • 除了进行以上的注册,对vcredict也进行注册一下,具体为什么注册还不清楚

如何在Windbg中安装mona_第7张图片

2.4 打开windbg,加载符号测试是否成功

  • 要保持虚拟机能连上网络,我在断网的时候操作不成功
  • 加载符号:srv*c:\symbols*http://msdl.microsoft.com/download/symbols
    • 或者你不加载的时候它报错是也有这个链接,直接复制那个链接使用即可,如下所示,符号未加载
0:003> .load pykd.pyd
0:003> !py mona

** Warning, no symbol path set ! ** 
   I'll set the symbol path to srv*c:\symbols*http://msdl.microsoft.com/download/symbols

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*c:\symbols*http://msdl.microsoft.com/download/symbols
   Symbol path set, now reloading symbols...
   All set. Please restart WinDBG.

Hold on...
[+] Command used:
!py mona.py
     'mona' - Exploit Development Swiss Army Knife - WinDBG (32bit)
     Plugin version : 2.0 r616
     Python version : 2.7.9 (default, Dec 10 2014, 12:24:55) [MSC v.1500 32 bit (Intel)]
     PyKD version 0.2.0.29
     Written by Corelan - https://www.corelan.be
     Project page : https://github.com/corelan/mona
    |------------------------------------------------------------------|
    |                                                                  |
    |    _____ ___  ____  ____  ____ _                                 |
    |    / __ `__ \/ __ \/ __ \/ __ `/  https://www.corelan.be         |
    |   / / / / / / /_/ / / / / /_/ /  https://www.corelan-training.com|
    |  /_/ /_/ /_/\____/_/ /_/\__,_/  #corelan (Freenode IRC)          |
    |                                                                  |
    |------------------------------------------------------------------|

Global options :
----------------
You can use one or more of the following global options on any command that will perform
a search in one or more modules, returning a list of pointers :
 -n                     : Skip modules that start with a null byte. If this is too broad, use
                          option -cp nonull instead
 -o                     : Ignore OS modules
 -p <nr>                : Stop search after <nr> pointers.
 -m <module,module,...> : only query the given modules. Be sure what you are doing !
                          You can specify multiple modules (comma separated)
                          Tip : you can use -m *  to include all modules. All other module criteria will be ignored
                          Other wildcards : *blah.dll = ends with blah.dll, blah* = starts with blah,
                          blah or *blah* = contains blah
 -cm <crit,crit,...>    : Apply some additional criteria to the modules to query.
                          You can use one or more of the following criteria :
                          aslr,safeseh,rebase,nx,os
                          You can enable or disable a certain criterium by setting it to true or false
                          Example :  -cm aslr=true,safeseh=false
                          Suppose you want to search for p/p/r in aslr enabled modules, you could call
                          !mona seh -cm aslr
 -cp <crit,crit,...>    : Apply some criteria to the pointers to return
                          Available options are :
                          unicode,ascii,asciiprint,upper,lower,uppernum,lowernum,numeric,alphanum,nonull,startswithnull,unicoderev
                          Note : Multiple criteria will be evaluated using 'AND', except if you are looking for unicode + one crit
 -cpb '\x00\x01'        : Provide list with bad chars, applies to pointers
                          You can use .. to indicate a range of bytes (in between 2 bad chars)
 -x <access>            : Specify desired access level of the returning pointers. If not specified,
                          only executable pointers will be returned.
                          Access levels can be one of the following values : R,W,X,RW,RX,WX,RWX or *

Usage :
-------

 !mona <command> <parameter>

Available commands and parameters :

? / eval             | Evaluate an expression
allocmem / alloc     | Allocate some memory in the process
assemble / asm       | Convert instructions to opcode. Separate multiple instructions with #
bpseh / sehbp        | Set a breakpoint on all current SEH Handler function pointers
breakfunc / bf       | Set a breakpoint on an exported function in on or more dll's
breakpoint / bp      | Set a memory breakpoint on read/write or execute of a given address
bytearray / ba       | Creates a byte array, can be used to find bad characters
changeacl / ca       | Change the ACL of a given page
compare / cmp        | Compare a file created by msfvenom/gdb/hex/xxd/hexdump/ollydbg with a copy in memory
config / conf        | Manage configuration file (mona.ini)
copy / cp            | Copy bytes from one location to another
dump                 | Dump the specified range of memory to a file
dumplog / dl         | Dump objects present in alloc/free log file
dumpobj / do         | Dump the contents of an object
egghunter / egg      | Create egghunter code
encode / enc         | Encode a series of bytes
filecompare / fc     | Compares 2 or more files created by mona using the same output commands
fillchunk / fchunk   | Fill a heap chunk referenced by a register
find / f             | Find bytes in memory
findmsp / findmsf    | Find cyclic pattern in memory
findwild / fw        | Find instructions in memory, accepts wildcards
flow / flw           | Simulate execution flows, including all branch combinations
fwptr / fwp          | Find Writeable Pointers that get called
geteat / eat         | Show EAT of selected module(s)
getiat / iat         | Show IAT of selected module(s)
getpc                | Show getpc routines for specific registers
gflags / gf          | Show current GFlags settings from PEB.NtGlobalFlag
header               | Read a binary file and convert content to a nice 'header' string
heap                 | Show heap related information
help                 | show help
hidedebug / hd       | Attempt to hide the debugger
info                 | Show information about a given address in the context of the loaded application
infodump / if        | Dumps specific parts of memory to file
jmp / j              | Find pointers that will allow you to jump to a register
jop                  | Finds gadgets that can be used in a JOP exploit
jseh                 | Finds gadgets that can be used to bypass SafeSEH
kb / kb              | Manage Knowledgebase data
modules / mod        | Show all loaded modules and their properties
noaslr               | Show modules that are not aslr or rebased
nosafeseh            | Show modules that are not safeseh protected
nosafesehaslr        | Show modules that are not safeseh protected, not aslr and not rebased
offset               | Calculate the number of bytes between two addresses
pageacl / pacl       | Show ACL associated with mapped pages
pattern_create / pc  | Create a cyclic pattern of a given size
pattern_offset / po  | Find location of 4 bytes in a cyclic pattern
peb / peb            | Show location of the PEB
rop                  | Finds gadgets that can be used in a ROP exploit and do ROP magic with them
ropfunc              | Find pointers to pointers (IAT) to interesting functions that can be used in your ROP chain
seh                  | Find pointers to assist with SEH overwrite exploits
sehchain / exchain   | Show the current SEH chain
skeleton             | Create a Metasploit module skeleton with a cyclic pattern for a given type of exploit
stackpivot           | Finds stackpivots (move stackpointer to controlled area)
stacks               | Show all stacks for all threads in the running application
string / str         | Read or write a string from/to memory
suggest              | Suggest an exploit buffer structure
teb / teb            | Show TEB related information
tobp / 2bp           | Generate WinDBG syntax to create a logging breakpoint at given location
unicodealign / ua    | Generate venetian alignment code for unicode stack buffer overflow
update / up          | Update mona to the latest version

Want more info about a given command ?  Run !mona help

如何在Windbg中安装mona_第8张图片

2.5 输入mona命令检测是否安装mona成功

1.常见mona命令如下

  • 输入以下命令运行mona
.load pykd.pyd
!py mona

如何在Windbg中安装mona_第9张图片

  • 其他的mona命令
//设置工作目录
!py mona config -set workingfolder "D:\mona\"
//生成3000个字节的顺序字符串,测试溢出点
!py mona pc 3000
//获取溢出点偏移
!py mona po 0x12345678
//查找 jmp esp 指令
!py mona jmp -r esp
//在kernel32.dll模块中查找 jmp esp指令
!py mona jmp -r -esp -m "kernel32.dll"

如何在Windbg中安装mona_第10张图片

如何在Windbg中安装mona_第11张图片

  • 其他mona命令用法自行查阅资料

03 总结

如何在Windbg中安装mona_第12张图片

04 参考资料与资源链接

4.1 参考资料

[1] BugMeOut. 为windbg安装mona.py

[2] windbg安装mona.py插件

[3] 官方的安装说明

4.2 资源链接

[1] WinDbglib+pykd

[2] Mona

[3] pykd

你可能感兴趣的:(解决问题记录,安全漏洞)