mona2.html
<!DOCTYPE html>
<html>
<head>
<title>Mona 2</title>
<link rel="stylesheet" href="styles.css">
<link rel="stylesheet" href="highlight/styles/stackoverflow-dark.min.css">
<script src="highlight/highlight.min.js"></script>
<script>hljs.highlightAll();</script>
</head>
<body>
<div class="inner-content"><header class="page-header"><h1 class="page-title">Mona 2</h1></header>
<div class="page-content">
<p><span style="color: #00ccff;">Mona 2</span> is a very useful extension developed by the <span style="color: #00ccff;">Corelan Team</span>. Originally written for <span style="color: #00ccff;">Immunity Debugger</span>, it now works in <span style="color: #00ccff;">WinDbg</span> as well.</p>
<h2>Installation in WinDbg</h2>
<p>You’ll need to install everything for both WinDbg <span style="color: #00ccff;">x86</span> and WinDbg <span style="color: #00ccff;">x64</span>:</p>
<ol>
<li>Install <span style="color: #00ccff;">Python 2.7</span> (download it from <a href="https://www.python.org/downloads/">here</a>).<br> Install the x86 and x64 versions in different directories, e.g. <span style="color: #00ff00;">c:\python27(32)</span> and <span style="color: #00ff00;">c:\python27</span>.</li>
<li>Download the right zip package from <a href="http://pykd.codeplex.com/">here</a>, then extract and run <span style="color: #00ff00;">vcredist_x86.exe</span> and <span style="color: #00ff00;">vcredist_x64.exe</span>.</li>
<li>Download the two exes (x86 and x64) from <a href="http://pykd.codeplex.com/">here</a> and execute them.</li>
<li>Download <span style="color: #00ff00;">windbglib.py</span> and <span style="color: #00ff00;">mona.py</span> from <a href="https://github.com/corelan">here</a> and put them in the same directories as windbg.exe (32-bit and 64-bit versions).</li>
<li>Configure the <span style="color: #00ffff;">symbol search path</span> as follows:
<ol>
<li>click on <span style="color: #00ff00;">File</span>→<span style="color: #00ff00;">Symbol File Path</span></li>
<li>enter<pre class="ignore:true">SRV*C:\windbgsymbols*http://msdl.microsoft.com/download/symbols</pre></li>
<li>save the workspace (<span style="color: #00ff00;">File</span>→<span style="color: #00ff00;">Save Workspace</span>).</li>
</ol>
</li>
</ol>
<h2>Running mona.py under WinDbg</h2>
<p>Running mona.py in WinDbg is simple:</p>
<ol>
<li>Load the <span style="color: #00ffff;">pykd extension</span> with the command<pre class="ignore:true">.load pykd.pyd</pre></li>
<li>To run mona use<pre class="ignore:true">!py mona</pre></li>
</ol>
<p>To update mona enter</p>
<pre class="ignore:true">!py mona update</pre>
<h2>Configuration</h2>
<h3>Working directory</h3>
<p>Many functions of mona dump data to files created in mona’s <span style="color: #00ffff;">working directory</span>. We can specify a working directory which depends on the <span style="color: #00ffff;">process name</span> and <span style="color: #00ffff;">id</span> by using the format specifiers <span style="color: #00ff00;">%p</span> (process name) and <span style="color: #00ff00;">%i</span> (process id). For instance, type</p>
<pre class="ignore:true">!py mona config -set workingfolder "C:\mona_files\%p_%i"</pre>
<h3>Exclude modules</h3>
<p>You can exclude specific modules from search operations:</p>
<pre class="ignore:true">!mona config -set excluded_modules "module1.dll,module2.dll"
!mona config -add excluded_modules "module3.dll,module4.dll"</pre>
<h3>Author</h3>
<p>You can also set the author:</p>
<pre class="ignore:true">!mona config -set author Kiuhnm</pre>
<p>This information will be used when producing <span style="color: #00ccff;">metasploit</span> compatible output.</p>
<h2>Important</h2>
<p>If there’s something wrong with WinDbg and mona, try running WinDbg as an administrator.</p>
<h2>Mona’s Manual</h2>
<p>You can find more information about Mona <a href="https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/">here</a>.</p>
<h2>Example</h2>
<p>This example is taken from Mona’s Manual.</p>
<p>Let’s say that we control the value of <span style="color: #00ccff;">ECX</span> in the following code:</p>
<pre><code class="language-x86asm">MOV EAX, [ECX]
CALL [EAX+58h]</code></pre>
<p>We want to use that piece of code to jump to our <span style="color: #00ccff;">shellcode</span> (i.e. the code we injected into the process) whose address is at <span style="color: #00ccff;">ESP</span>+4, so we need the call above to call something like “<span style="color: #00ff00;">ADD ESP, 4 | RET</span>”.<br> There is a lot of indirection in the piece of code above:</p>
<ol>
<li>(<span style="color: #00ffff;">ECX</span> = <span style="color: #00ff00;">p1</span>) → <span style="color: #00ff00;">p2</span></li>
<li><span style="color: #00ff00;">p2</span>+58h → <span style="color: #00ff00;">p3</span> → “ADD ESP,4 | RET”</li>
</ol>
<p>First we need to find <span style="color: #00ff00;">p3</span>:</p>
<pre class="ignore:true">!py mona config -set workingfolder c:\logs
!py mona stackpivot -distance 4,4</pre>
<p>The function <span style="color: #00ccff;">stackpivot</span> finds pointers to code equivalent to “<span style="color: #00ff00;">ADD ESP, X | RET</span>” where <span style="color: #00ff00;">X</span> is between <span style="color: #00ff00;">min</span> and <span style="color: #00ff00;">max</span>, which are specified through the option “<span style="color: #00ff00;">-distance min,max</span>”.<br> The pointers/addresses found are written to <span style="color: #00ff00;">c:\logs\stackpivot.txt</span>.<br> Now that we have our <span style="color: #00ff00;">p3</span> (many <span style="color: #00ff00;">p3</span>s!) we need to find <span style="color: #00ff00;">p1</span>:</p>
<pre class="ignore:true">!py mona find -type file -s "c:\logs\stackpivot.txt" -x * -offset 58 -level 2 -offsetlevel 2</pre>
<p>Let’s see what all those options mean:</p>
<ul>
<li>“<span style="color: #00ff00;">-x *</span>” means “accept addresses in <span style="color: #00ccff;">pages</span> with any <span style="color: #00ccff;">access level</span>” (as another example, with “<span style="color: #00ff00;">-x X</span>” we want only addresses in <span style="color: #00ccff;">executable pages</span>).</li>
<li>“<span style="color: #00ff00;">-level 2</span>” specifies the <span style="color: #00ccff;">level of indirection</span>, that is, it tells mona to find “a pointer (<span style="color: #00ff00;">p1</span>) to a pointer (<span style="color: #00ff00;">p2</span>) to a pointer (<span style="color: #00ff00;">p3</span>)”.</li>
<li>The first two options (<span style="color: #00ff00;">-type</span> and <span style="color: #00ff00;">-s</span>) specify that <span style="color: #00ff00;">p3</span> must be a pointer listed in the file “<span style="color: #00ff00;">c:\logs\stackpivot.txt</span>”.</li>
<li>“<span style="color: #00ff00;">-offsetlevel 2</span>” and “<span style="color: #00ff00;">-offset 58</span>” tell mona that the second pointer (<span style="color: #00ff00;">p2</span>) must point to the third pointer (<span style="color: #00ff00;">p3</span>) once incremented by 58h.</li>
</ul>
<p>Don’t worry too much if this example isn’t perfectly clear to you. This is just an example to show you what Mona can do. I admit that the syntax of this command is not very intuitive, though.</p>
<h2>Example</h2>
<p>The command <span style="color: #00ccff;">findwild</span> allows you to find <span style="color: #00ccff;">chains</span> of instructions with a particular form.</p>
<p>Consider this example:</p>
<pre class="ignore:true">!mona findwild -s "push r32 # * # pop eax # inc eax # * # retn"</pre>
<p>The option “<span style="color: #00ff00;">-s</span>” specifies the <span style="color: #00ccff;">shape</span> of the chain:</p>
<ul>
<li>instructions are separated with ‘<span style="color: #00ff00;">#</span>’</li>
<li><span style="color: #00ff00;">r32</span> is any 32-bit register</li>
<li><span style="color: #00ff00;">*</span> is any sequence of instructions</li>
</ul>
<p>The optional arguments supported are:</p>
<ul>
<li><span style="color: #00ff00;">-depth &lt;nr&gt;</span>: maximum length of the chain</li>
<li><span style="color: #00ff00;">-b &lt;address&gt;</span>: base address for the search</li>
<li><span style="color: #00ff00;">-t &lt;address&gt;</span>: top address for the search</li>
<li><span style="color: #00ff00;">-all</span>: also returns chains which contain “bad” instructions, i.e. instructions that might break the chain (jumps, calls, etc.)</li>
</ul>
<h2>ROP Chains</h2>
<p>Mona can find <span style="color: #00ffff;">ROP gadgets</span> and build <span style="color: #00ffff;">ROP chains</span>, but I won’t talk about this here because you’re not supposed to know what a ROP chain is or what <span style="color: #00ffff;">ROP</span> is. As I said, don’t worry if this article doesn’t make perfect sense to you. Go on to the next article and take it easy!</p>
</div></div>
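<p>As an added illustration of what the <code>-level</code>, <code>-offset</code> and <code>-offsetlevel</code> options in the first example ask mona to search for (Python 3; this is not code from the page or from mona itself), the pointer chain p1 → p2 → p2+58h → p3 is modelled over a small constructed memory image, with a list of p3 candidates standing in for the lines of stackpivot.txt. The option semantics are taken from this page's wording, not from mona's source, and every address below is made up.</p>

```python
# Added example (Python 3), not mona's own code: a toy model of the pointer
# search that "!py mona find -s <file> -offset 58 -level 2 -offsetlevel 2"
# asks for, so that -level / -offset / -offsetlevel can be traced on a small
# constructed memory image. Option semantics follow this page's wording.
from typing import Dict, Iterable, List, Optional, Tuple

Chain = Tuple[int, ...]  # (p1, p2, ..., final pointer)
def follow_chain(mem: Dict[int, int], start: int, level: int,
                 offset: int, offsetlevel: int) -> Optional[Chain]:
    """Dereference `start` `level` times; at dereference number `offsetlevel`
    (1-based) the pointer is first incremented by `offset`, so with level=2,
    offset=0x58, offsetlevel=2: p2 = mem[p1], p3 = mem[p2 + 0x58].
    Returns None if a read falls outside the mapped image."""
    chain, cur = [start], start
    for step in range(1, level + 1):
        addr = cur + (offset if step == offsetlevel else 0)
        if addr not in mem:
            return None
        cur = mem[addr]
        chain.append(cur)
    return tuple(chain)

def find_pointer_chains(mem: Dict[int, int], targets: Iterable[int], level: int = 2,
                        offset: int = 0, offsetlevel: int = 0) -> List[Chain]:
    """Every mapped address p1 whose chain ends on one of `targets` (the p3
    candidates that mona would read from stackpivot.txt in the page's example)."""
    wanted, found = set(targets), []
    for p1 in sorted(mem):
        chain = follow_chain(mem, p1, level, offset, offsetlevel)
        if chain is not None and chain[-1] in wanted:
            found.append(chain)
    return found

# Constructed sample image (dword address -> dword value), not a real process.
SAMPLE_MEM = {
    0x00401000: 0x00402000,  # p1 -> p2
    0x00402058: 0x10001234,  # p2 + 0x58 -> p3, which is a listed stack pivot
    0x00401004: 0x00403000,  # another p1 -> p2'
    0x00403058: 0xDEADBEEF,  # p2' + 0x58 -> not in the p3 list
    0x00401008: 0x00404000,  # p1'' -> p2'' whose +0x58 is unmapped
}
SAMPLE_TARGETS = [0x10001234, 0x10005678]  # stand-in for stackpivot.txt lines

def demo() -> List[Chain]:
    return find_pointer_chains(SAMPLE_MEM, SAMPLE_TARGETS, level=2,
                               offset=0x58, offsetlevel=2)

if __name__ == "__main__":
    for p1, p2, p3 in demo():
        print(f"p1={p1:#010x} -> p2={p2:#010x}; p2+0x58 -> p3={p3:#010x}")
```

Only the first p1 survives: the second chain ends on a value that is not in the p3 list and the third leaves the mapped image at p2+0x58.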
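<p>An added example (Python 3; not mona's code and not from the page) of the chain-shape matching that findwild's <code>-s</code> syntax describes: '#' separates instruction patterns, r32 matches any 32-bit register and '*' any run of instructions, with -depth and -all modelled as the list above describes them. The disassembly listing is constructed, and the set of "bad" chain-breaking instructions is an assumption for the illustration.</p>

```python
# Added example (Python 3), not mona's own code: a matcher for the findwild
# chain "shape" described on this page ('#' separates instruction patterns,
# 'r32' is any 32-bit register, '*' any run of instructions); -depth and
# -all are modelled as the page describes, over a constructed listing.
import re
from typing import Iterator, List, Tuple
R32 = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}
BAD = {"jmp", "call", "je", "jne", "jz", "jnz"}  # assumed chain-breaking set

def parse_shape(shape: str) -> List[List[str]]:
    """'push r32 # * # retn' -> [['push', 'r32'], ['*'], ['retn']]"""
    return [re.split(r"[\s,]+", p.strip().lower()) for p in shape.split("#")]

def instr_matches(pattern: List[str], instr: str) -> bool:
    words = re.split(r"[\s,]+", instr.strip().lower())
    return len(words) == len(pattern) and all(
        p == w or (p == "r32" and w in R32) for p, w in zip(pattern, words))

def _ends(pats: List[List[str]], listing: List[str], pi: int, li: int) -> Iterator[int]:
    """Yield exclusive end indexes at which pats[pi:] matches listing[li:]."""
    if pi == len(pats):
        yield li
    elif pats[pi] == ["*"]:                      # zero or more instructions
        for skip in range(li, len(listing) + 1):
            yield from _ends(pats, listing, pi + 1, skip)
    elif li < len(listing) and instr_matches(pats[pi], listing[li]):
        yield from _ends(pats, listing, pi + 1, li + 1)

def findwild(listing: List[str], shape: str, depth: int = 8,
             all_chains: bool = False) -> List[Tuple[int, int]]:
    """(start, end) of chains matching shape, at most depth instructions long;
    chains containing a BAD instruction are dropped unless all_chains is set."""
    pats, hits = parse_shape(shape), set()
    for start in range(len(listing)):
        for end in _ends(pats, listing, 0, start):
            chain = listing[start:end]
            if len(chain) > depth:
                continue
            if not all_chains and any(i.split()[0].lower() in BAD for i in chain):
                continue
            hits.add((start, end))
    return sorted(hits)

# Constructed listing (indexes 0-9), not taken from any real module.
LISTING = ["push ebx", "mov eax, ecx", "pop eax", "inc eax", "retn",
           "push esi", "call ebx", "pop eax", "inc eax", "retn"]
SHAPE = "push r32 # * # pop eax # inc eax # * # retn"
if __name__ == "__main__":
    for s, e in findwild(LISTING, SHAPE):
        print(f"chain {s}..{e - 1}: " + " # ".join(LISTING[s:e]))
```

With the defaults only the first chain (indexes 0 to 4) is reported; the second candidate contains a call and is returned only with all_chains set, and the ten-instruction span from 0 to 9 needs depth raised to 10.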
</body>
</html>