[Help] Help: 64-bit Win7, 64-bit WinDbg, some mona plugin functions malfunction
Posted at: 2016-10-5 23:59

!py mona jmp -r esp -m kernel32.dll
This command does not execute correctly,
!py mona modules
This command can execute.

Does mona support 64-bit WinDbg? Looking for an answer.

Latest replies (5)
#2
The error output is as follows

0:000:x86> !py mona jmp -r  esp  -m kernel32.dll
Hold on...
[+] Command used:
!py mona.py jmp -r esp -m kernel32.dll

---------- Mona command started on 2016-10-06 11:53:55 (v2.0, rev 566) ----------
[+] Processing arguments and criteria
    - Pointer access level : X
    - Only querying modules kernel32.dll
[+] Generating module info table, hang on...
    - Processing modules
********************************************************************************
Traceback (most recent call last):
  File "mona.py", line 18182, in main
    commands[command].parseProc(opts)
  File "mona.py", line 11187, in procFindJMP
    all_opcodes=findJMP(modulecriteria,criteria,args["r"].lower().strip())
  File "mona.py", line 5821, in findJMP
    modulestosearch = getModulesToQuery(modulecriteria)
  File "mona.py", line 5441, in getModulesToQuery
    populateModuleInfo()
  File "mona.py", line 5552, in populateModuleInfo
    allmodules=dbg.getAllModules()
  File "C:\Program Files\Debugging Tools for Windows (x64)\windbglib.py", line 1115, in getAllModules
    getModulesFromPEB()
  File "C:\Program Files\Debugging Tools for Windows (x64)\windbglib.py", line 348, in getModulesFromPEB
    thismod = loadUnicodeString(mod.BaseDllName).encode("utf8")
MemoryException: Memory exception at 0x0 target virtual address

********************************************************************************
2016-10-6 11:56
#3
But !py mona
works normally again

0:000:x86> !py mona
Hold on...
[+] Command used:
!py mona.py
     'mona' - Exploit Development Swiss Army Knife - WinDBG (64bit)
     Plugin version : 2.0 r566
     PyKD version 0.2.0.29
     Written by Corelan - https://www.corelan.be
     Project page : https://github.com/corelan/mona
    |------------------------------------------------------------------|
    |        _ __ ___    ___   _ __    __ _     _ __   _   _           |
    |       | '_ ` _ \  / _ \ | '_ \  / _` |   | '_ \ | | | |          |
    |       | | | | | || (_) || | | || (_| | _ | |_) || |_| |          |
    |       |_| |_| |_| \___/ |_| |_| \__,_|(_)| .__/  \__, |          |
    |                                          |_|     |___/           |
    |                                                                  |
    |------------------------------------------------------------------|

Global options :
----------------
You can use one or more of the following global options on any command that will perform
a search in one or more modules, returning a list of pointers :
-n                     : Skip modules that start with a null byte. If this is too broad, use
                          option -cp nonull instead
-o                     : Ignore OS modules
-p <nr>                : Stop search after <nr> pointers.
-m <module,module,...> : only query the given modules. Be sure what you are doing !
                          You can specify multiple modules (comma separated)
                          Tip : you can use -m *  to include all modules. All other module criteria will be ignored
                          Other wildcards : *blah.dll = ends with blah.dll, blah* = starts with blah,
                          blah or *blah* = contains blah
-cm <crit,crit,...>    : Apply some additional criteria to the modules to query.
                          You can use one or more of the following criteria :
                          aslr,safeseh,rebase,nx,os
                          You can enable or disable a certain criterium by setting it to true or false
                          Example :  -cm aslr=true,safeseh=false
                          Suppose you want to search for p/p/r in aslr enabled modules, you could call
                          !mona seh -cm aslr
-cp <crit,crit,...>    : Apply some criteria to the pointers to return
                          Available options are :
                          unicode,ascii,asciiprint,upper,lower,uppernum,lowernum,numeric,alphanum,nonull,startswithnull,unicoderev
                          Note : Multiple criteria will be evaluated using 'AND', except if you are looking for unicode + one crit
-cpb '\x00\x01'        : Provide list with bad chars, applies to pointers
                          You can use .. to indicate a range of bytes (in between 2 bad chars)
-x <access>            : Specify desired access level of the returning pointers. If not specified,
                          only executable pointers will be returned.
                          Access levels can be one of the following values : R,W,X,RW,RX,WX,RWX or *

Usage :
-------

!mona <command> <parameter>

Available commands and parameters :

? / eval             | Evaluate an expression
allocmem / alloc     | Allocate some memory in the process
assemble / asm       | Convert instructions to opcode. Separate multiple instructions with #
bpseh / sehbp        | Set a breakpoint on all current SEH Handler function pointers
breakfunc / bf       | Set a breakpoint on an exported function in on or more dll's
breakpoint / bp      | Set a memory breakpoint on read/write or execute of a given address
bytearray / ba       | Creates a byte array, can be used to find bad characters
changeacl / ca       | Change the ACL of a given page
compare / cmp        | Compare contents of a binary file with a copy in memory
config / conf        | Manage configuration file (mona.ini)
copy / cp            | Copy bytes from one location to another
dump                 | Dump the specified range of memory to a file
dumplog / dl         | Dump objects present in alloc/free log file
dumpobj / do         | Dump the contents of an object
egghunter / egg      | Create egghunter code
encode / enc         | Encode a series of bytes
filecompare / fc     | Compares 2 or more files created by mona using the same output commands
fillchunk / fchunk   | Fill a heap chunk referenced by a register
find / f             | Find bytes in memory
findmsp / findmsf    | Find cyclic pattern in memory
findwild / fw        | Find instructions in memory, accepts wildcards
flow / flw           | Simulate execution flows, including all branch combinations
fwptr / fwp          | Find Writeable Pointers that get called
geteat / eat         | Show EAT of selected module(s)
getiat / iat         | Show IAT of selected module(s)
getpc                | Show getpc routines for specific registers
gflags / gf          | Show current GFlags settings from PEB.NtGlobalFlag
header               | Read a binary file and convert content to a nice 'header' string
heap                 | Show heap related information
help                 | show help
hidedebug / hd       | Attempt to hide the debugger
info                 | Show information about a given address in the context of the loaded application
infodump / if        | Dumps specific parts of memory to file
jmp / j              | Find pointers that will allow you to jump to a register
jop                  | Finds gadgets that can be used in a JOP exploit
kb / kb              | Manage Knowledgebase data
modules / mod        | Show all loaded modules and their properties
noaslr               | Show modules that are not aslr or rebased
nosafeseh            | Show modules that are not safeseh protected
nosafesehaslr        | Show modules that are not safeseh protected, not aslr and not rebased
offset               | Calculate the number of bytes between two addresses
pageacl / pacl       | Show ACL associated with mapped pages
pattern_create / pc  | Create a cyclic pattern of a given size
pattern_offset / po  | Find location of 4 bytes in a cyclic pattern
peb / peb            | Show location of the PEB
rop                  | Finds gadgets that can be used in a ROP exploit and do ROP magic with them
ropfunc              | Find pointers to pointers (IAT) to interesting functions that can be used in your ROP chain
seh                  | Find pointers to assist with SEH overwrite exploits
sehchain / exchain   | Show the current SEH chain
skeleton             | Create a Metasploit module skeleton with a cyclic pattern for a given type of exploit
stackpivot           | Finds stackpivots (move stackpointer to controlled area)
stacks               | Show all stacks for all threads in the running application
string / str         | Read or write a string from/to memory
suggest              | Suggest an exploit buffer structure
teb / teb            | Show TEB related information
tobp / 2bp           | Generate WinDBG syntax to create a logging breakpoint at given location
unicodealign / ua    | Generate venetian alignment code for unicode stack buffer overflow
update / up          | Update mona to the latest version
2016-10-6 11:59
#4
mona's calls to get DLL base addresses should all be 32-bit calls; on 64-bit the 32-bit address call failed, so the address is 0x0 and it reports the error. It might be like this.
2016-10-8 08:12
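An added illustration of the mechanism reply #4 proposes (this is not code from mona or windbglib, and it is not a confirmed diagnosis of this thread's bug). The `0:000:x86>` prompt in the pasted session shows a 32-bit (WoW64) target under the 64-bit debugger, and the traceback dies inside `loadUnicodeString(mod.BaseDllName)` on a read at address 0x0. One way a pointer can come back as 0x0 is parsing a 64-bit `UNICODE_STRING` (16 bytes, `Buffer` at offset 8) through the 32-bit layout (8 bytes, `Buffer` at offset 4): offset 4 in the 64-bit structure is alignment padding, which is zero. The example builds both layouts in a fake address space, parses each both ways, and contrasts an unchecked dereference (which fails the way the traceback does) with a parser that refuses a NULL `Buffer`. All addresses, names and the `FakeMemory` class are constructed for the demo.

```python
"""Misreading a 64-bit UNICODE_STRING with a 32-bit layout yields Buffer == 0.

Added example, not mona's or windbglib's code. Addresses and contents below
are constructed for the demonstration.
"""
import struct

# UNICODE_STRING layouts (winternl.h):
#   32-bit: USHORT Length; USHORT MaximumLength; ULONG Buffer;            -> 8 bytes
#   64-bit: USHORT Length; USHORT MaximumLength; <4 pad>; ULONG64 Buffer; -> 16 bytes
UNICODE_STRING_32 = struct.Struct("<HHI")
UNICODE_STRING_64 = struct.Struct("<HH4xQ")


class FakeMemory:
    """Minimal flat address space: address -> bytes regions.

    A read that is not fully inside a region raises MemoryError with the
    same wording the debugger used in the thread's traceback.
    """

    def __init__(self):
        self.regions = {}

    def write(self, addr, data):
        self.regions[addr] = bytes(data)

    def read(self, addr, size):
        for base, data in self.regions.items():
            if base <= addr and addr + size <= base + len(data):
                off = addr - base
                return data[off:off + size]
        raise MemoryError("Memory exception at 0x%x target virtual address" % addr)


def _layout(bits):
    return UNICODE_STRING_32 if bits == 32 else UNICODE_STRING_64


def build_unicode_string(mem, struct_addr, buf_addr, text, bits):
    """Write `text` as UTF-16LE at buf_addr and a UNICODE_STRING header at struct_addr."""
    raw = text.encode("utf-16-le")
    mem.write(buf_addr, raw + b"\x00\x00")
    mem.write(struct_addr, _layout(bits).pack(len(raw), len(raw) + 2, buf_addr))


def load_unicode_string(mem, struct_addr, bits):
    """Parse a UNICODE_STRING using the layout for `bits` and return its text.

    Defensive variant: a NULL Buffer is reported as None instead of being
    dereferenced, so a layout mismatch surfaces as a missing name rather
    than as a memory exception deep inside module enumeration.
    """
    layout = _layout(bits)
    length, _maxlen, buffer = layout.unpack(mem.read(struct_addr, layout.size))
    if buffer == 0:
        return None
    return mem.read(buffer, length).decode("utf-16-le")


def unchecked_read_error(mem, struct_addr, bits):
    """Dereference Buffer without a NULL check, as the failing code path did.

    Returns the error message on failure, or None if the read succeeded.
    """
    layout = _layout(bits)
    length, _maxlen, buffer = layout.unpack(mem.read(struct_addr, layout.size))
    try:
        mem.read(buffer, length)
        return None
    except MemoryError as exc:
        return str(exc)


def demo():
    """Parse a 32-bit and a 64-bit structure with matching and mismatched layouts."""
    mem = FakeMemory()
    build_unicode_string(mem, 0x1000, 0x2000, "kernel32.dll", 32)  # constructed
    build_unicode_string(mem, 0x3000, 0x4000, "kernel32.dll", 64)  # constructed
    return {
        "32-bit struct, 32-bit layout": load_unicode_string(mem, 0x1000, 32),
        "64-bit struct, 64-bit layout": load_unicode_string(mem, 0x3000, 64),
        # Mismatch: offset 4 of the 64-bit struct is padding, so Buffer reads as 0.
        "64-bit struct, 32-bit layout": load_unicode_string(mem, 0x3000, 32),
    }


if __name__ == "__main__":
    for case, name in demo().items():
        print("%-30s -> %r" % (case, name))
    mem = FakeMemory()
    build_unicode_string(mem, 0x3000, 0x4000, "kernel32.dll", 64)
    print("unchecked, wrong layout      ->", unchecked_read_error(mem, 0x3000, 32))
```

The unchecked variant with the wrong layout reproduces a read at 0x0, which is the shape of the failure in the pasted traceback; whether windbglib of that revision actually picked the wrong layout for a WoW64 target is not established by the thread, so treat this as an illustration of the hypothesis rather than the root cause.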
#5
Did you solve it? I ran into the same problem.
2017-6-11 12:54
#6
fanslinux: Did you solve it? I ran into the same problem.
It supports 64-bit now.
2018-2-28 16:23