如何在Windbg中安装mona
文章目录
01 问题描述
- 在Windows的Windbg中安装Mona
- 环境要求
- 检查是否安装了Windbg
- 检查是否安装Python2.x
- 1.Mona.py—放入Windbg.exe文件夹下
- 2.pykd.pyd—WinDbg的Python插件
- 3.windbglib.py—放入Windbg.exe文件夹下
-
资源链接
[1] WinDbglib+pykd
[2] Mona
[3] pykd
02 解决步骤
2.1 安装和检查Python2.x环境并确保安装了Windbg
- 没装的安装好相关版本的python
-
Win+R输入cmd,输入python,查看是否已经安装了Python2.x.x,如未安装需要先安装Python2.x环境
-
- 在15pb虚拟机的下载文件夹中有python-2.7.9
2.2 把Mona.py,windbglib.py放入Windbg.exe同级文件夹下,pykd.pyd放到windbg安装目录下的winext文件夹下
2.3 开启cmd,切换到 C:Program FilesCommon FilesMicrosoft SharedVC下, 执行注册命令 regsvr32 msdia90.dll 系统会弹窗显示成功。
- 除了进行以上的注册,对vcredict也进行注册一下,具体为什么注册还不清楚
2.4 打开windbg,加载符号测试是否成功
- 要保持虚拟机能连上网络,我在断网的时候操作不成功
- 加载符号:srv*c:symbols*http://msdl.microsoft.com/download/symbols
- 或者你不加载的时候它报错是也有这个链接,直接复制那个链接使用即可,如下所示,符号未加载
0:003> .load pykd.pyd
0:003> !py mona
** Warning, no symbol path set ! **
I'll set the symbol path to srv*c:symbols*http://msdl.microsoft.com/download/symbols
************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred srv*c:symbols*http://msdl.microsoft.com/download/symbols
Symbol path set, now reloading symbols...
All set. Please restart WinDBG.
Hold on...
[+] Command used:
!py mona.py
'mona' - Exploit Development Swiss Army Knife - WinDBG (32bit)
Plugin version : 2.0 r616
Python version : 2.7.9 (default, Dec 10 2014, 12:24:55) [MSC v.1500 32 bit (Intel)]
PyKD version 0.2.0.29
Written by Corelan - https://www.corelan.be
Project page : https://github.com/corelan/mona
|------------------------------------------------------------------|
| |
| _____ ___ ____ ____ ____ _ |
| / __ `__ / __ / __ / __ `/ https://www.corelan.be |
| / / / / / / /_/ / / / / /_/ / https://www.corelan-training.com|
| /_/ /_/ /_/____/_/ /_/__,_/ #corelan (Freenode IRC) |
| |
|------------------------------------------------------------------|
Global options :
----------------
You can use one or more of the following global options on any command that will perform
a search in one or more modules, returning a list of pointers :
-n : Skip modules that start with a null byte. If this is too broad, use
option -cp nonull instead
-o : Ignore OS modules
-p <nr> : Stop search after <nr> pointers.
-m <module,module,...> : only query the given modules. Be sure what you are doing !
You can specify multiple modules (comma separated)
Tip : you can use -m * to include all modules. All other module criteria will be ignored
Other wildcards : *blah.dll = ends with blah.dll, blah* = starts with blah,
blah or *blah* = contains blah
-cm <crit,crit,...> : Apply some additional criteria to the modules to query.
You can use one or more of the following criteria :
aslr,safeseh,rebase,nx,os
You can enable or disable a certain criterium by setting it to true or false
Example : -cm aslr=true,safeseh=false
Suppose you want to search for p/p/r in aslr enabled modules, you could call
!mona seh -cm aslr
-cp <crit,crit,...> : Apply some criteria to the pointers to return
Available options are :
unicode,ascii,asciiprint,upper,lower,uppernum,lowernum,numeric,alphanum,nonull,startswithnull,unicoderev
Note : Multiple criteria will be evaluated using 'AND', except if you are looking for unicode + one crit
-cpb 'x00x01' : Provide list with bad chars, applies to pointers
You can use .. to indicate a range of bytes (in between 2 bad chars)
-x <access> : Specify desired access level of the returning pointers. If not specified,
only executable pointers will be returned.
Access levels can be one of the following values : R,W,X,RW,RX,WX,RWX or *
Usage :
-------
!mona <command> <parameter>
Available commands and parameters :
? / eval | Evaluate an expression
allocmem / alloc | Allocate some memory in the process
assemble / asm | Convert instructions to opcode. Separate multiple instructions with #
bpseh / sehbp | Set a breakpoint on all current SEH Handler function pointers
breakfunc / bf | Set a breakpoint on an exported function in on or more dll's
breakpoint / bp | Set a memory breakpoint on read/write or execute of a given address
bytearray / ba | Creates a byte array, can be used to find bad characters
changeacl / ca | Change the ACL of a given page
compare / cmp | Compare a file created by msfvenom/gdb/hex/xxd/hexdump/ollydbg with a copy in memory
config / conf | Manage configuration file (mona.ini)
copy / cp | Copy bytes from one location to another
dump | Dump the specified range of memory to a file
dumplog / dl | Dump objects present in alloc/free log file
dumpobj / do | Dump the contents of an object
egghunter / egg | Create egghunter code
encode / enc | Encode a series of bytes
filecompare / fc | Compares 2 or more files created by mona using the same output commands
fillchunk / fchunk | Fill a heap chunk referenced by a register
find / f | Find bytes in memory
findmsp / findmsf | Find cyclic pattern in memory
findwild / fw | Find instructions in memory, accepts wildcards
flow / flw | Simulate execution flows, including all branch combinations
fwptr / fwp | Find Writeable Pointers that get called
geteat / eat | Show EAT of selected module(s)
getiat / iat | Show IAT of selected module(s)
getpc | Show getpc routines for specific registers
gflags / gf | Show current GFlags settings from PEB.NtGlobalFlag
header | Read a binary file and convert content to a nice 'header' string
heap | Show heap related information
help | show help
hidedebug / hd | Attempt to hide the debugger
info | Show information about a given address in the context of the loaded application
infodump / if | Dumps specific parts of memory to file
jmp / j | Find pointers that will allow you to jump to a register
jop | Finds gadgets that can be used in a JOP exploit
jseh | Finds gadgets that can be used to bypass SafeSEH
kb / kb | Manage Knowledgebase data
modules / mod | Show all loaded modules and their properties
noaslr | Show modules that are not aslr or rebased
nosafeseh | Show modules that are not safeseh protected
nosafesehaslr | Show modules that are not safeseh protected, not aslr and not rebased
offset | Calculate the number of bytes between two addresses
pageacl / pacl | Show ACL associated with mapped pages
pattern_create / pc | Create a cyclic pattern of a given size
pattern_offset / po | Find location of 4 bytes in a cyclic pattern
peb / peb | Show location of the PEB
rop | Finds gadgets that can be used in a ROP exploit and do ROP magic with them
ropfunc | Find pointers to pointers (IAT) to interesting functions that can be used in your ROP chain
seh | Find pointers to assist with SEH overwrite exploits
sehchain / exchain | Show the current SEH chain
skeleton | Create a Metasploit module skeleton with a cyclic pattern for a given type of exploit
stackpivot | Finds stackpivots (move stackpointer to controlled area)
stacks | Show all stacks for all threads in the running application
string / str | Read or write a string from/to memory
suggest | Suggest an exploit buffer structure
teb / teb | Show TEB related information
tobp / 2bp | Generate WinDBG syntax to create a logging breakpoint at given location
unicodealign / ua | Generate venetian alignment code for unicode stack buffer overflow
update / up | Update mona to the latest version
Want more info about a given command ? Run !mona help
2.5 输入mona命令检测是否安装mona成功
1.常见mona命令如下
- 输入以下命令运行mona
.load pykd.pyd
!py mona
- 其他的mona命令
//设置工作目录
!py mona config -set workingfolder "D:mona"
//生成3000个字节的顺序字符串,测试溢出点
!py mona pc 3000
//获取溢出点偏移
!py mona po 0x12345678
//查找 jmp esp 指令
!py mona jmp -r esp
//在kernel32.dll模块中查找 jmp esp指令
!py mona jmp -r -esp -m "kernel32.dll"
- 其他mona命令用法自行查阅资料
03 总结
04 参考资料与资源链接
4.1 参考资料
[1] BugMeOut. 为windbg安装mona.py
[3] 官方的安装说明
4.2 资源链接
[1] WinDbglib+pykd
[2] Mona
[3] pykd
本图文内容来源于网友网络收集整理提供,作为学习参考使用,版权属于原作者。
THE END
二维码