
during create the Rop chains about mona HOT 20 CLOSED

huddy1985 commented on August 17, 2024

While creating the ROP chains

from mona.

Comments (20)

corelanc0d3r commented on August 17, 2024

Hi, I have a few questions:

  1. are you running windbg with administrator permissions ?
  2. are you running the very latest versions of mona and windbglib ? (run !py mona up to upgrade)
  3. can you confirm that you ran
    !py mona config -set workingfolder "C:\logs\%p" (adding a backslash between "logs" and "%p")
  4. every time you run mona rop, it will create a "_rop_progress_xxxxx.log" file in your workingfolder. Any way you can share that file with me ?
  5. can you try running !py mona rop -m kernel32 and see if that works ?

thanks


returnworld commented on August 17, 2024

I have the same problem.
This is my log file:

================================================================================
  Output generated by mona.py v2.0, rev 570 - WinDBG
  Corelan Team - https://www.corelan.be
================================================================================
  OS : win7, release 6.1.7601
  Process being debugged : ConsoleApp (pid 4936)
  Current mona arguments: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py rop -m kernel32
================================================================================
  2017-04-21 18:37:43
================================================================================
----------------------------------------------------------------------------------------------------------------------------------
 Module info :
----------------------------------------------------------------------------------------------------------------------------------
 Base       | Top        | Size       | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll | Version, Modulename & Path
----------------------------------------------------------------------------------------------------------------------------------
 0x6c9b0000 | 0x6c9b3000 | 0x00003000 | False  | True    | True  |  True    | True   | 10.0.10586.788 [api-ms-win-core-synch-l1-2-0.dll] (C:\Windows\SysWOW64\api-ms-win-core-synch-l1-2-0.dll)
 0x6df80000 | 0x6df83000 | 0x00003000 | False  | True    | True  |  True    | True   | 10.0.10586.788 [api-ms-win-core-file-l1-2-0.dll] (C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.dll)
 0x6f950000 | 0x6f953000 | 0x00003000 | False  | True    | True  |  True    | True   | 10.0.10586.788 [api-ms-win-core-timezone-l1-1-0.dll] (C:\Windows\SysWOW64\api-ms-win-core-timezone-l1-1-0.dll)
 0x6c880000 | 0x6c883000 | 0x00003000 | False  | True    | True  |  True    | True   | 10.0.10586.788 [api-ms-win-crt-heap-l1-1-0.dll] (C:\Windows\SysWOW64\api-ms-win-crt-heap-l1-1-0.dll)
 0x6de30000 | 0x6df11000 | 0x000e1000 | False  | True    | True  |  True    | True   | 10.0.10586.788 [ucrtbase.DLL] (C:\Windows\SysWOW64\ucrtbase.DLL)
 0x01350000 | 0x01357000 | 0x00007000 | False  | True    | True  |  True    | False  | -1.0- [ConsoleApp.exe] (ConsoleApp.exe)
 0x6e100000 | 0x6e103000 | 0x00003000 | False  | True    | True  |  True    | True   | 10.0.10586.788 [api-ms-win-core-localization-l1-2-0.dll] (C:\Windows\SysWOW64\api-ms-win-core-localization-l1-2-0.dll)
 0x6c870000 | 0x6c874000 | 0x00004000 | False  | True    | True  |  True    | True   | 10.0.10586.788 [api-ms-win-crt-convert-l1-1-0.dll] (C:\Windows\SysWOW64\api-ms-win-crt-convert-l1-1-0.dll)
 0x6fc10000 | 0x6fc14000 | 0x00004000 | False  | True    | True  |  True    | True   | 10.0.10586.788 [api-ms-win-crt-string-l1-1-0.dll] (C:\Windows\SysWOW64\api-ms-win-crt-string-l1-1-0.dll)
 0x6df50000 | 0x6df54000 | 0x00004000 | False  | True    | True  |  True    | True   | 10.0.10586.788 [api-ms-win-crt-runtime-l1-1-0.dll] (C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.dll)
 0x758c0000 | 0x759d0000 | 0x00110000 | False  | True    | True  |  True    | True   | 6.1.7601.23714 [kernel32.dll] (C:\Windows\syswow64\kernel32.dll)
 0x6c4c0000 | 0x6c4c5000 | 0x00005000 | False  | True    | True  |  True    | True   | 10.0.10586.788 [api-ms-win-crt-math-l1-1-0.dll] (C:\Windows\SysWOW64\api-ms-win-crt-math-l1-1-0.dll)
 0x6f4e0000 | 0x6f4e3000 | 0x00003000 | False  | True    | True  |  True    | True   | 10.0.10586.788 [api-ms-win-core-file-l2-1-0.dll] (C:\Windows\SysWOW64\api-ms-win-core-file-l2-1-0.dll)
 0x6ab00000 | 0x6ab15000 | 0x00015000 | False  | True    | True  |  True    | True   | 14.0.24215.1 [VCRUNTIME140.dll] (C:\Windows\SysWOW64\VCRUNTIME140.dll)
 0x77010000 | 0x77190000 | 0x00180000 | False  | True    | True  |  True    | True   | 6.1.7601.23714 [ntdll.dll] (ntdll.dll)
 0x6df30000 | 0x6df34000 | 0x00004000 | False  | True    | True  |  True    | True   | 10.0.10586.788 [api-ms-win-crt-stdio-l1-1-0.dll] (C:\Windows\SysWOW64\api-ms-win-crt-stdio-l1-1-0.dll)
 0x6aae0000 | 0x6aae3000 | 0x00003000 | False  | True    | True  |  True    | True   | 10.0.10586.788 [api-ms-win-crt-locale-l1-1-0.dll] (C:\Windows\SysWOW64\api-ms-win-crt-locale-l1-1-0.dll)
 0x75b00000 | 0x75b47000 | 0x00047000 | False  | True    | True  |  True    | True   | 6.1.7601.23714 [KERNELBASE.dll] (C:\Windows\syswow64\KERNELBASE.dll)
 0x6df70000 | 0x6df73000 | 0x00003000 | False  | True    | True  |  True    | True   | 10.0.10586.788 [api-ms-win-core-processthreads-l1-1-1.dll] (C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-1.dll)
----------------------------------------------------------------------------------------------------------------------------------
- Progress update : 500 / 4022 items processed (Fri 2017/04/21 06:38:11 PM) - (12%)
- Progress update : 1000 / 4022 items processed (Fri 2017/04/21 06:38:30 PM) - (24%)
- Progress update : 1500 / 4022 items processed (Fri 2017/04/21 06:38:48 PM) - (37%)
- Progress update : 2000 / 4022 items processed (Fri 2017/04/21 06:39:06 PM) - (49%)
- Progress update : 2500 / 4022 items processed (Fri 2017/04/21 06:39:29 PM) - (62%)
- Progress update : 3000 / 4022 items processed (Fri 2017/04/21 06:39:54 PM) - (74%)
- Progress update : 3500 / 4022 items processed (Fri 2017/04/21 06:40:17 PM) - (87%)
- Progress update : 4000 / 4022 items processed (Fri 2017/04/21 06:40:41 PM) - (99%)
- Progress update : 4022 / 4022 items processed (Fri 2017/04/21 06:40:43 PM) - (100%)
[+] Creating suggestions list
[+] Processing suggestions
Attempting to create rop chain proposals
- Attempting to produce rop chain for VirtualProtect
  * Enumerating ROPFunc info

I use Python 2.7.13 and WinDbg 10.0.14321.1024 x86 with administrator permissions,
and the pykd module PYKD_BOOTSTRAPPER_2.0.0.11.

corelanc0d3r commented on August 17, 2024

Haven't tried with WinDbg 10 yet... just confirmed on Win7, windbg 8.0, that the process completes fine (using iexplore as the application)

I'll see if I can install WinDbg 10 and try it out...

returnworld commented on August 17, 2024

I tried different versions of windbg for Windows 7, 8.0, 8.1 on my PC and my notebook.
mona works great, for example
!py mona jmp -r esp -m kernel32
But if I use
!py mona rop -m kernel32
Windbg freezes. I can not understand why. I do not have enough knowledge for self-debugging.
So I got the same result in a virtual machine (Oracle VM VirtualBox).
I always used Windows 7 Professional x64, (Python 2.7.13 and Python 3.6.1) x86, installed pykd from pip and loaded the BOOTSTRAPPER module x86.
Please tell me what I'm doing wrong and how long this stage lasts:

[+] Attempting to produce rop chain for VirtualProtect
Step 1/7: esi

Now I'm going to install another version of Windows (8 or 10) on a virtual machine
and try using mona rop on other modules.

corelanc0d3r commented on August 17, 2024

Would it be possible to try the same thing using immunity ? (basically, attach to the same process, and run the same command)

also, not sure if it matters, but have you tried installing windbglib/pykd using the exact procedure as explained at https://github.com/corelan/windbglib (instead of using pip) ?


returnworld commented on August 17, 2024

I tried Immunity Debugger; mona built the ROP chains in a few seconds.
I faced this problem:
Unable to create working folder "C:\logs_mona_immunity\iexplore", the debugger program folder will be used instead
even though I run the debugger as an administrator. I'm now trying to solve it.

returnworld commented on August 17, 2024

https://github.com/corelan/windbglib/blob/master/pykd/pykd.zip
I started using this module to load pykd.pyd. I think the problem was a lock on the file. I tried to unlock them directly in the WinDbg directory, but I did not take into account that the folder attributes are set to read-only.
Now everything works, but WinDbg is very slow.
So what Immunity Debugger does in 20 seconds, WinDbg does in 6 minutes. Is that how it should be? Or have I again not configured something correctly?

Error when running rop against the ntdll module in Immunity Debugger:

0BADF00D   [+] Command used:
0BADF00D   !mona rop -m ntdll

           ---------- Mona command started on 2017-05-04 22:23:51 (v2.0, rev 570) ----------
0BADF00D   [+] Processing arguments and criteria
0BADF00D       - Pointer access level : X
0BADF00D       - Only querying modules ntdll
0BADF00D   [+] Generating module info table, hang on...
0BADF00D       - Processing modules
0BADF00D       - Done. Let's rock 'n roll.
0BADF00D   [+] Preparing output file '_rop_progress_iexplore.exe_5512.log'
0BADF00D       - Creating working folder "C:\logs_mona_immunity\iexplore"
0BADF00D      ** Unable to create working folder "C:\logs_mona_immunity\iexplore", the debugger program folder will be used instead
0BADF00D       - (Re)setting logfile _rop_progress_iexplore.exe_5512.log
0BADF00D   [+] Progress will be written to _rop_progress_iexplore.exe_5512.log
0BADF00D   [+] Maximum offset : 40
0BADF00D   [+] (Minimum/optional maximum) stackpivot distance : 8
0BADF00D   [+] Max nr of instructions : 6
0BADF00D   [+] Split output into module rop files ? False
0BADF00D   [+] Enumerating 22 endings in 1 module(s)...
0BADF00D       - Querying module ntdll.dll
0BADF00D       - Search complete :
0BADF00D          Ending : RETN 0x02, Nr found : 6
0BADF00D          Ending : RETN 0x0C, Nr found : 554
0BADF00D          Ending : RETN 0x1C, Nr found : 52
0BADF00D          Ending : RETN 0x0A, Nr found : 1
0BADF00D          Ending : RETN, Nr found : 2973
0BADF00D          Ending : RETN 0x20, Nr found : 38
0BADF00D          Ending : RETN 0x18, Nr found : 131
0BADF00D          Ending : RETN 0x08, Nr found : 648
0BADF00D          Ending : RETN 0x24, Nr found : 25
0BADF00D          Ending : RETN 0x28, Nr found : 19
0BADF00D          Ending : RETN 0x10, Nr found : 354
0BADF00D          Ending : RETN 0x00, Nr found : 45
0BADF00D          Ending : RETN 0x14, Nr found : 233
0BADF00D          Ending : RETN 0x04, Nr found : 664
0BADF00D       - Filtering and mutating 5743 gadgets
0BADF00D         - Progress update : 1000 / 5743 items processed (Thu 2017/05/04 10:23:56 PM) - (17%)
0BADF00D         - Progress update : 2000 / 5743 items processed (Thu 2017/05/04 10:24:01 PM) - (34%)
0BADF00D         - Progress update : 3000 / 5743 items processed (Thu 2017/05/04 10:24:05 PM) - (52%)
0BADF00D         - Progress update : 4000 / 5743 items processed (Thu 2017/05/04 10:24:09 PM) - (69%)
0BADF00D         - Progress update : 5000 / 5743 items processed (Thu 2017/05/04 10:24:13 PM) - (87%)
0BADF00D   ********************************************************************************
           Traceback (most recent call last):
             File "C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\mona.py", line 18207, in main
               commands[command].parseProc(opts)
             File "C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\mona.py", line 11365, in procROP
               findROPGADGETS(modulecriteria,criteria,endings,maxoffset,depth,split,thedistance,fast,mode)
             File "C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\mona.py", line 6171, in findROPGADGETS
               thisopcode = dbg.disasmBackward(endingtypeptr,depth+1)
             File "C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\immlib.py", line 669, in disasmBackward
               op._getfromtuple( debugger.disasm( backward_address, mode ) )
             File "C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\libanalyze.py", line 114, in _getfromtuple
               self.ip=opcode[0]            # Instruction pointer
           TypeError: 'int' object has no attribute '__getitem__'

0BADF00D   ********************************************************************************

In WinDbg, meanwhile, everything works.
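The "20 seconds versus 6 minutes" comparison above can be put on a number instead of a stopwatch. The following is an added example, not code from mona.py or from anyone in this thread: it parses the "Progress update" lines mona writes during the "Filtering and mutating N gadgets" stage and computes items per second, overall and per interval. The two sample logs are copied from the outputs posted in this thread (a WinDbg run against kernel32 and an Immunity run against ntdll); since they cover different modules, only the order-of-magnitude difference is meaningful. The regex and the function names are this example's own assumptions about the log format shown on the page.

```python
import re
from datetime import datetime

# Shape of the progress lines mona writes while filtering gadgets (inferred from
# the logs posted in this thread; the rest of the log is ignored).
PROGRESS_RE = re.compile(
    r"Progress update : (\d+) / (\d+) items processed "
    r"\(\w{3} (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} [AP]M)\)"
)

# Sample input copied from this thread: WinDbg, "!py mona rop -m kernel32".
WINDBG_KERNEL32_LOG = """
- Progress update : 500 / 4022 items processed (Fri 2017/04/21 06:38:11 PM) - (12%)
- Progress update : 1000 / 4022 items processed (Fri 2017/04/21 06:38:30 PM) - (24%)
- Progress update : 1500 / 4022 items processed (Fri 2017/04/21 06:38:48 PM) - (37%)
- Progress update : 2000 / 4022 items processed (Fri 2017/04/21 06:39:06 PM) - (49%)
- Progress update : 2500 / 4022 items processed (Fri 2017/04/21 06:39:29 PM) - (62%)
- Progress update : 3000 / 4022 items processed (Fri 2017/04/21 06:39:54 PM) - (74%)
- Progress update : 3500 / 4022 items processed (Fri 2017/04/21 06:40:17 PM) - (87%)
- Progress update : 4000 / 4022 items processed (Fri 2017/04/21 06:40:41 PM) - (99%)
- Progress update : 4022 / 4022 items processed (Fri 2017/04/21 06:40:43 PM) - (100%)
""".strip().splitlines()

# Sample input copied from this thread: Immunity Debugger, "!mona rop -m ntdll"
# (the 0BADF00D prefix is Immunity's log column and must be tolerated).
IMMUNITY_NTDLL_LOG = """
0BADF00D         - Progress update : 1000 / 5743 items processed (Thu 2017/05/04 10:23:56 PM) - (17%)
0BADF00D         - Progress update : 2000 / 5743 items processed (Thu 2017/05/04 10:24:01 PM) - (34%)
0BADF00D         - Progress update : 3000 / 5743 items processed (Thu 2017/05/04 10:24:05 PM) - (52%)
0BADF00D         - Progress update : 4000 / 5743 items processed (Thu 2017/05/04 10:24:09 PM) - (69%)
0BADF00D         - Progress update : 5000 / 5743 items processed (Thu 2017/05/04 10:24:13 PM) - (87%)
""".strip().splitlines()


def parse_progress(lines):
    """Return [(items_done, items_total, timestamp)] for every progress line."""
    points = []
    for line in lines:
        m = PROGRESS_RE.search(line)
        if not m:
            continue  # module table, tracebacks, etc. carry no timing information
        ts = datetime.strptime(m.group(3), "%Y/%m/%d %I:%M:%S %p")
        points.append((int(m.group(1)), int(m.group(2)), ts))
    return points


def interval_rates(points):
    """Items/second between each pair of consecutive progress updates; a sharp
    drop in one interval points at a specific batch of gadgets (or at symbol
    loading kicking in) rather than at uniformly slow disassembly."""
    rates = []
    for (d0, _, t0), (d1, _, t1) in zip(points, points[1:]):
        secs = (t1 - t0).total_seconds()
        rates.append((d0, d1, (d1 - d0) / secs if secs > 0 else float("inf")))
    return rates


def average_rate(points):
    """Items/second over the span covered by the progress lines."""
    if len(points) < 2:
        raise ValueError("need at least two progress updates to compute a rate")
    d0, _, t0 = points[0]
    d1, _, t1 = points[-1]
    return (d1 - d0) / (t1 - t0).total_seconds()


def projected_total_seconds(points):
    """Estimated time for the whole filtering stage at the observed rate; handy
    when a log stops mid-run because the debugger hung afterwards."""
    return points[-1][1] / average_rate(points)


if __name__ == "__main__":
    for name, log in (("WinDbg / kernel32", WINDBG_KERNEL32_LOG),
                      ("Immunity / ntdll", IMMUNITY_NTDLL_LOG)):
        pts = parse_progress(log)
        print(f"{name}: {average_rate(pts):.1f} items/s, "
              f"~{projected_total_seconds(pts):.0f} s for {pts[-1][1]} gadgets")
        for d0, d1, r in interval_rates(pts):
            print(f"    {d0:>5} -> {d1:<5} {r:6.1f} items/s")
```

Run it against your own `_rop_progress_*.log` by reading the file into a list of lines; if the average rate is in the tens of items per second under WinDbg and in the hundreds under Immunity on the same module, the bottleneck is the disassembly path (or symbol lookups) rather than the gadget search itself.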

sessionpool commented on August 17, 2024

Aaah, I was hit by the same issue and found this thread.

With Immunity, as mentioned above, it works fine and generates the ROP chain very quickly.
But with WinDbg it is painfully slow, and if you let it run for long enough (half an hour or more) it can generate the ROP chain.
I tried to trace it with Procmon and found that in the case of WinDbg it tries to open the mona.ini file a huge number of times between fetching the .pdb for the DLLs, one after the other.
Most of the delay was because of the events due to reading the mona.ini file.

I could try this only on Windows 10 x86. I will have to set up and look at Procmon logs on a lower platform to see the difference, if that helps in some way.

Here is a snapshot of the same.

[screenshot]

corelanc0d3r commented on August 17, 2024

thanks for diving into the issue. It is true that mona.py is much slower on windbg, because windbg does not expose an API that allows me to asm/disasm in an "efficient" manner. I basically have to use some dirty code in windbglib to simulate what immunity offers. (any tips on improving this, without using external libraries, are more than welcome).
Anyway, I've added some code in mona.py to avoid reading from mona.ini that often; for sure there is room for improvement there... although I'm not able to see so many interactions with mona.ini in the first place on my box. Did you run !py mona rop without specifying a module (basically, just let it run against all modules)?

corelanc0d3r commented on August 17, 2024

I pushed a new version of mona. Can you run !py mona up and try again with the latest version?


sessionpool commented on August 17, 2024

Thanks for the quick patch corelanc0d3r, but it looks like the problem still persists here.
I have taken the latest patch and started ROP chain generation, but it's still stuck at...

- Filtering and mutating 4712 gadgets
  - Progress update : 500 / 4712 items processed (Sat 2017/05/27 01:49:35 PM) - (10%)
  - Progress update : 1000 / 4712 items processed (Sat 2017/05/27 01:49:42 PM) - (21%)
  - Progress update : 1500 / 4712 items processed (Sat 2017/05/27 01:49:49 PM) - (31%)
  - Progress update : 2000 / 4712 items processed (Sat 2017/05/27 01:49:54 PM) - (42%)
  - Progress update : 2500 / 4712 items processed (Sat 2017/05/27 01:49:59 PM) - (53%)
  - Progress update : 3000 / 4712 items processed (Sat 2017/05/27 01:50:05 PM) - (63%)
  - Progress update : 3500 / 4712 items processed (Sat 2017/05/27 01:50:09 PM) - (74%)
  - Progress update : 4000 / 4712 items processed (Sat 2017/05/27 01:50:12 PM) - (84%)
  - Progress update : 4500 / 4712 items processed (Sat 2017/05/27 01:50:15 PM) - (95%)
  - Progress update : 4712 / 4712 items processed (Sat 2017/05/27 01:50:17 PM) - (100%) 

[+] Creating suggestions list
[+] Processing suggestions
[+] Launching ROP generator
[+] Attempting to produce rop chain for VirtualProtect
Step 1/7: esi <--- stuck here for the last 10-15 min.

Though I noticed this time that the step below took slightly less time; I may be wrong here though.
- Progress update : 4712 / 4712 items processed (Sat 2017/05/27 01:50:17 PM) - (100%)

Please let me know if you need something else.

sessionpool commented on August 17, 2024

And yes, I am running it against all the modules:
!py mona rop

corelanc0d3r commented on August 17, 2024

does procmon still show a large amount of attempted reads from mona.ini ?

with regards to Step 1/7:
what process did you attach to ?
what is the exact mona command that you ran ?
OS: Windows 10?
Windbg 8 or 10 ?

I'll set up a box to try to reproduce the issue

thanks


sessionpool commented on August 17, 2024

Yes, Procmon was still showing a large number of reads from mona.ini, as earlier.

I used the application from this exploit:
https://www.exploit-db.com/exploits/40760/
My box is Windows 10 x86, build 1703.

Commands I ran after attaching to the process from WinDbg:
.load pykd.pyd
!py mona rop

I will also try to dig in sometime today and share anything else that I can find from my side.

Thanks again.

corelanc0d3r commented on August 17, 2024

I was able to reproduce the issue, this is what I have found:

  1. mona.py uses windbglib.py, which relies on pykd.pyd, which relies on symbols to be set up correctly
  2. the first time you try to use symbols in windbg, the symbol file needs to be downloaded properly. this will take some time (but only the first run. when the file is downloaded, the local version will be used until a new version of the dll is made available)
  3. If the symbols for certain files are not found, windbg will still attempt to download them the next time. In other words, if the symbols for easyproxy.exe are not available on the MS symbol server, then windbg will still query the symbol server. This causes a delay

Immunity doesn't use symbols, and frankly mona.py itself doesn't really need symbols (but pykd does). That's another reason why the process is faster on immunity.

So, taking those things into consideration, you can speed up the process by

  • making sure that the symbols for common MS files (OS dlls) are already downloaded
  • consider disabling internet connectivity (but leave the symbol path set) while running !py mona rop, so any search for symbols for non-MS files will 'fail' faster

Additionally, I have made some changes to mona.py to help speed up the process as well. I'm testing the changes internally first, will push an updated version soon


corelanc0d3r commented on August 17, 2024

ok, made a couple of changes, can you please test ?
thanks


sessionpool commented on August 17, 2024

Great, the latest change seems to have made it a lot faster.

It took 5 minutes in total to generate the whole chain for all the functions.
[+] Searching from 0x77d4d001 to 0x7fffffff
Sun 2017/05/28 11:31:43 AM: Step 2/7: ebp
Sun 2017/05/28 11:31:43 AM: Step 3/7: ebx
Sun 2017/05/28 11:31:43 AM: Step 4/7: edx
Sun 2017/05/28 11:31:43 AM: Step 5/7: ecx
Sun 2017/05/28 11:31:43 AM: Step 6/7: edi
Sun 2017/05/28 11:31:43 AM: Step 7/7: eax
[+] Preparing output file 'easyproxy.exe_virtualprotect.xml'

Got this ROP chain for VirtualProtect quite fast this time, in about 2 min. after firing the command:

ROP generator finished

[+] Writing stackpivots to file C:\logs\easyproxy\stackpivot.txt
Wrote 4547 pivots to file
[+] Writing suggestions to file C:\logs\easyproxy\rop_suggestions.txt
Wrote 1096 suggestions to file
[+] Writing results to file C:\logs\easyproxy\rop.txt (9082 interesting gadgets)
Wrote 9082 interesting gadgets to file
[+] Writing other gadgets to file C:\logs\easyproxy\rop.txt (13789 gadgets)
Wrote 13789 other gadgets to file
Done

[+] This mona.py action took 0:04:12.298000

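The "Step 1/7: esi ... Step 7/7: eax" lines above are the generator searching, one register at a time, for gadgets that load the register values a pushad-based VirtualProtect chain needs on x86. The following is an added example and not code from mona.py or from anyone in this thread: it builds such a chain from invented placeholder gadget addresses (a real chain takes these from the rop.txt and rop_suggestions.txt files mona writes) and runs it through a minimal stack-machine model of the gadgets involved, so you can see why each of the seven registers matters and what VirtualProtect ends up seeing on the stack. The stack base, the resolved VirtualProtect address, the IAT slot and the writable dword are all hypothetical values chosen for the simulation.

```python
# Hypothetical addresses only: none of these come from a real module.
STACK_BASE = 0x0019F000          # where the chain lands on the stack after the overflow
VIRTUALPROTECT = 0x75B0B000      # resolved address of kernel32!VirtualProtect
IAT_VIRTUALPROTECT = 0x1000F000  # IAT slot in the module that holds &VirtualProtect
WRITABLE_DWORD = 0x10100000      # any writable dword, receives lpflOldProtect
PAGE_EXECUTE_READWRITE = 0x40
SHELLCODE_NOPS = 0x90909090

# Placeholder gadget addresses; mona's rop.txt lists real candidates per module.
G = {
    "pop eax ; ret": 0x10011111,
    "mov eax,[eax] ; ret": 0x10022222,
    "xchg eax,esi ; ret": 0x10033333,
    "pop ebp ; ret": 0x10044444,
    "pop ebx ; ret": 0x10055555,
    "pop edx ; ret": 0x10066666,
    "pop ecx ; ret": 0x10077777,
    "pop edi ; ret": 0x10088888,
    "ret": 0x10099999,           # ROP NOP
    "jmp esp": 0x100AAAAA,
    "pushad ; ret": 0x100BBBBB,
}
GADGET_BY_ADDR = {addr: name for name, addr in G.items()}


def build_chain():
    """Register setup in the order mona reports it (steps 1/7 .. 7/7), then pushad."""
    return [
        G["pop eax ; ret"], IAT_VIRTUALPROTECT,
        G["mov eax,[eax] ; ret"],                    # eax = *IAT slot = &VirtualProtect
        G["xchg eax,esi ; ret"],                     # 1/7 esi : pointer to VirtualProtect
        G["pop ebp ; ret"], G["jmp esp"],            # 2/7 ebp : return address -> jmp esp
        G["pop ebx ; ret"], 0x201,                   # 3/7 ebx : dwSize
        G["pop edx ; ret"], PAGE_EXECUTE_READWRITE,  # 4/7 edx : flNewProtect
        G["pop ecx ; ret"], WRITABLE_DWORD,          # 5/7 ecx : lpflOldProtect
        G["pop edi ; ret"], G["ret"],                # 6/7 edi : ROP NOP, popped first after pushad
        G["pop eax ; ret"], SHELLCODE_NOPS,          # 7/7 eax : nops that sit right before the shellcode
        G["pushad ; ret"],                           # lays out the call frame; shellcode follows the chain
    ]


def chain_bytes(chain):
    """Little-endian dwords as they would be written into the overflow buffer."""
    return b"".join(d.to_bytes(4, "little") for d in chain)


def run_chain(chain):
    """Tiny model of the gadgets above; returns the frame VirtualProtect would see."""
    mem = {IAT_VIRTUALPROTECT: VIRTUALPROTECT}
    for i, dword in enumerate(chain):
        mem[STACK_BASE + 4 * i] = dword
    regs = {r: 0 for r in ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")}
    regs["esp"] = STACK_BASE

    def pop():
        value = mem.get(regs["esp"], 0)
        regs["esp"] += 4
        return value

    def push(value):
        regs["esp"] -= 4
        mem[regs["esp"]] = value

    eip = pop()  # the overwritten return address transfers control into the chain
    for _ in range(64):
        if eip == VIRTUALPROTECT:
            esp = regs["esp"]  # stdcall frame: [esp] return address, then four arguments
            return {
                "return_to": mem[esp],
                "lpAddress": mem[esp + 4],
                "dwSize": mem[esp + 8],
                "flNewProtect": mem[esp + 12],
                "lpflOldProtect": mem[esp + 16],
                # after 'retn 0x10' esp points here, and ebp's 'jmp esp' executes it
                "jmp_esp_lands_at": esp + 20,
                "landing_dword": mem[esp + 20],
            }
        name = GADGET_BY_ADDR[eip]
        if name.startswith("pop "):
            regs[name[4:7]] = pop()
        elif name == "mov eax,[eax] ; ret":
            regs["eax"] = mem[regs["eax"]]
        elif name == "xchg eax,esi ; ret":
            regs["eax"], regs["esi"] = regs["esi"], regs["eax"]
        elif name == "pushad ; ret":
            original_esp = regs["esp"]  # pushad order: eax, ecx, edx, ebx, esp, ebp, esi, edi
            for r in ("eax", "ecx", "edx", "ebx"):
                push(regs[r])
            push(original_esp)
            for r in ("ebp", "esi", "edi"):
                push(regs[r])
        elif name == "jmp esp":
            raise RuntimeError("jmp esp reached before VirtualProtect was called")
        eip = pop()  # every gadget except 'jmp esp' ends in ret
    raise RuntimeError("chain did not reach VirtualProtect")


if __name__ == "__main__":
    frame = run_chain(build_chain())
    for k, v in frame.items():
        print(f"{k:>18}: 0x{v:08x}")
```

The order of the seven steps follows from pushad: edi is pushed last, so it is the first dword popped by the trailing ret and must be a ROP NOP; esi is popped next and must already hold the real VirtualProtect address (hence the IAT dereference in step 1); ebp becomes VirtualProtect's return address, and the saved esp becomes lpAddress, which is exactly the shellcode start because the chain ends right before it.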

sessionpool commented on August 17, 2024

Just another thing to mention: I have most of the symbols cached to my C:\My\Sym directory.
That might have also sped up the process, but overall this was pretty fast this time, thanks a lot 👍

[screenshot]

corelanc0d3r commented on August 17, 2024

cool, for something that used to take hours (manually), I think 4 minutes seems reasonable :)

I'll close the issue, feel free to reopen if the issue is not solved after all.

sessionpool commented on August 17, 2024

Sure, and thanks again, really appreciate it 👍
