
How to install mona in WinDbg

caoym / 1519 reads

Abstract: Contents: problem description; solution steps: install and check the Python 2.x environment and make sure WinDbg is installed; put mona.py and windbglib.py in the same folder as WinDbg.exe and pykd.pyd in the winext folder under the WinDbg install directory; open cmd, change to the VC folder and run the registration command, after which the system pops up a dialog reporting success.

01 Problem description

  • Installing Mona in WinDbg on Windows
  • Environment requirements
    • Check that WinDbg is installed
    • Check that Python 2.x is installed
    • 1. Mona.py: goes in the WinDbg.exe folder
    • 2. pykd.pyd: the Python plugin for WinDbg
    • 3. windbglib.py: goes in the WinDbg.exe folder
  • Resource links
    [1] WinDbglib+pykd
    [2] Mona
    [3] pykd

02 Solution steps

2.1 Install and check the Python 2.x environment and make sure WinDbg is installed

  • If it is not installed yet, install the matching version of Python
    • Win+R, type cmd, then type python to see whether Python 2.x.x is already installed; if not, install the Python 2.x environment first
  • The download folder of the 15pb virtual machine contains python-2.7.9

2.2 Put mona.py and windbglib.py in the same folder as WinDbg.exe, and put pykd.pyd in the winext folder under the WinDbg install directory

2.3 Open cmd, change to C:\Program Files\Common Files\Microsoft Shared\VC and run the registration command regsvr32 msdia90.dll; the system pops up a dialog reporting success.

  • Besides the registration above, also register vcredist; why this registration is needed is not yet clear

2.4 Open WinDbg and load symbols to test whether the installation succeeded

  • Keep the virtual machine connected to the network; it did not work for me when the network was disconnected
  • Load symbols: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
    • Alternatively, the error mona reports when no symbol path is set also contains this link; just copy that link and use it. The output below shows the case where symbols were not loaded:
0:003> .load pykd.pyd
0:003> !py mona
** Warning, no symbol path set ! **
    I'll set the symbol path to srv*c:\symbols*http://msdl.microsoft.com/download/symbols

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*c:\symbols*http://msdl.microsoft.com/download/symbols
   Symbol path set, now reloading symbols...
   All set. Please restart WinDBG.
Hold on...
[+] Command used:
!py mona.py
     'mona' - Exploit Development Swiss Army Knife - WinDBG (32bit)
     Plugin version : 2.0 r616
     Python version : 2.7.9 (default, Dec 10 2014, 12:24:55) [MSC v.1500 32 bit (Intel)]
     PyKD version 0.2.0.29
     Written by Corelan - https://www.corelan.be
     Project page : https://github.com/corelan/mona

    |------------------------------------------------------------------|
    |                                                                  |
    |    _____ ___  ____  ____  ____ _                                 |
    |    / __ `__ \/ __ \/ __ \/ __ `/  https://www.corelan.be         |
    |   / / / / / / /_/ / / / / /_/ /  https://www.corelan-training.com|
    |  /_/ /_/ /_/\____/_/ /_/\__,_/  #corelan (Freenode IRC)          |
    |                                                                  |
    |------------------------------------------------------------------|

Global options :
----------------
You can use one or more of the following global options on any command that will perform
a search in one or more modules, returning a list of pointers :
 -n                     : Skip modules that start with a null byte. If this is too broad, use
                          option -cp nonull instead
 -o                     : Ignore OS modules
 -p <nr>                : Stop search after <nr> pointers.
 -m <module,module,...> : only query the given modules. Be sure what you are doing !
                          You can specify multiple modules (comma separated)
                          Tip : you can use -m *  to include all modules. All other module criteria will be ignored
                          Other wildcards : *blah.dll = ends with blah.dll, blah* = starts with blah,
                          blah or *blah* = contains blah
 -cm <crit,crit,...>    : Apply some additional criteria to the modules to query.
                          You can use one or more of the following criteria :
                          aslr,safeseh,rebase,nx,os
                          You can enable or disable a certain criterium by setting it to true or false
                          Example :  -cm aslr=true,safeseh=false
                          Suppose you want to search for p/p/r in aslr enabled modules, you could call
                          !mona seh -cm aslr
 -cp <crit,crit,...>    : Apply some criteria to the pointers to return
                          Available options are :
                          unicode,ascii,asciiprint,upper,lower,uppernum,lowernum,numeric,alphanum,nonull,startswithnull,unicoderev
                          Note : Multiple criteria will be evaluated using "AND", except if you are looking for unicode + one crit
 -cpb "\x00\x01"        : Provide list with bad chars, applies to pointers
                          You can use .. to indicate a range of bytes (in between 2 bad chars)
 -x <access>            : Specify desired access level of the returning pointers. If not specified,
                          only executable pointers will be returned.
                          Access levels can be one of the following values : R,W,X,RW,RX,WX,RWX or *

Usage :
-------
 !mona <command> <parameter>

Available commands and parameters :

? / eval             | Evaluate an expression
allocmem / alloc     | Allocate some memory in the process
assemble / asm       | Convert instructions to opcode. Separate multiple instructions with #
bpseh / sehbp        | Set a breakpoint on all current SEH Handler function pointers
breakfunc / bf       | Set a breakpoint on an exported function in on or more dll's
breakpoint / bp      | Set a memory breakpoint on read/write or execute of a given address
bytearray / ba       | Creates a byte array, can be used to find bad characters
changeacl / ca       | Change the ACL of a given page
compare / cmp        | Compare a file created by msfvenom/gdb/hex/xxd/hexdump/ollydbg with a copy in memory
config / conf        | Manage configuration file (mona.ini)
copy / cp            | Copy bytes from one location to another
dump                 | Dump the specified range of memory to a file
dumplog / dl         | Dump objects present in alloc/free log file
dumpobj / do         | Dump the contents of an object
egghunter / egg      | Create egghunter code
encode / enc         | Encode a series of bytes
filecompare / fc     | Compares 2 or more files created by mona using the same output commands
fillchunk / fchunk   | Fill a heap chunk referenced by a register
find / f             | Find bytes in memory
findmsp / findmsf    | Find cyclic pattern in memory
findwild / fw        | Find instructions in memory, accepts wildcards
flow / flw           | Simulate execution flows, including all branch combinations
fwptr / fwp          | Find Writeable Pointers that get called
geteat / eat         | Show EAT of selected module(s)
getiat / iat         | Show IAT of selected module(s)
getpc                | Show getpc routines for specific registers
gflags / gf          | Show current GFlags settings from PEB.NtGlobalFlag
header               | Read a binary file and convert content to a nice "header" string
heap                 | Show heap related information
help                 | show help
hidedebug / hd       | Attempt to hide the debugger
info                 | Show information about a given address in the context of the loaded application
infodump / if        | Dumps specific parts of memory to file
jmp / j              | Find pointers that will allow you to jump to a register
jop                  | Finds gadgets that can be used in a JOP exploit
jseh                 | Finds gadgets that can be used to bypass SafeSEH
kb / kb              | Manage Knowledgebase data
modules / mod        | Show all loaded modules and their properties
noaslr               | Show modules that are not aslr or rebased
nosafeseh            | Show modules that are not safeseh protected
nosafesehaslr        | Show modules that are not safeseh protected, not aslr and not rebased
offset               | Calculate the number of bytes between two addresses
pageacl / pacl       | Show ACL associated with mapped pages
pattern_create / pc  | Create a cyclic pattern of a given size
pattern_offset / po  | Find location of 4 bytes in a cyclic pattern
peb / peb            | Show location of the PEB
rop                  | Finds gadgets that can be used in a ROP exploit and do ROP magic with them
ropfunc              | Find pointers to pointers (IAT) to interesting functions that can be used in your ROP chain
seh                  | Find pointers to assist with SEH overwrite exploits
sehchain / exchain   | Show the current SEH chain
skeleton             | Create a Metasploit module skeleton with a cyclic pattern for a given type of exploit
stackpivot           | Finds stackpivots (move stackpointer to controlled area)
stacks               | Show all stacks for all threads in the running application
string / str         | Read or write a string from/to memory
suggest              | Suggest an exploit buffer structure
teb / teb            | Show TEB related information
tobp / 2bp           | Generate WinDBG syntax to create a logging breakpoint at given location
unicodealign / ua    | Generate venetian alignment code for unicode stack buffer overflow
update / up          | Update mona to the latest version

Want more info about a given command ?  Run !mona help

2.5 Enter a mona command to check whether mona was installed successfully

1. Common mona commands are as follows

  • Enter the following commands to run mona
    .load pykd.pyd
    !py mona

  • Other mona commands
    // Set the working folder
    !py mona config -set workingfolder "D:\mona\"
    // Generate a 3000-byte cyclic pattern to locate the overflow point
    !py mona pc 3000
    // Get the offset of the overflow point
    !py mona po 0x12345678
    // Find jmp esp instructions
    !py mona jmp -r esp
    // Find jmp esp instructions in the kernel32.dll module
    !py mona jmp -r esp -m "kernel32.dll"

  • For the usage of other mona commands, consult the documentation yourself
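As an added worked example (not from the original post and not mona's own code), the following Python 3 script re-implements what the pc and po commands listed above do, so an offset reported by mona during crash triage can be reproduced and checked offline. It assumes the classic Metasploit-style pattern scheme that mona uses (upper, lower, digit triplets: Aa0Aa1Aa2 ... Ab0Ab1 ...), and it also handles the case where the crash value is not part of the pattern at all.

```python
"""Offline re-implementation of mona's `pc` (pattern_create) and `po`
(pattern_offset). Added example, not mona's code; assumes the classic
Metasploit/mona triplet scheme Aa0Aa1...Az9Ba0... (26*26*10*3 = 20280
bytes per full cycle, within which every 3-byte triplet is unique)."""
import string
import struct

FULL_CYCLE = 26 * 26 * 10 * 3  # 20280 bytes before the pattern repeats


def pattern_create(size: int) -> bytes:
    """Return `size` bytes of the cyclic pattern, like `!py mona pc <size>`."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= size:
                    return bytes(out[:size])
    return bytes(out[:size])  # size > FULL_CYCLE: pattern is truncated


def pattern_offset(value, size: int = FULL_CYCLE):
    """Locate a 4-byte value inside the pattern, like `!py mona po <value>`.

    `value` may be the register value as WinDbg prints it (int or hex string
    such as "0x41326241"), in which case the x86 little-endian byte order is
    undone first, or 4 raw bytes as they sit in memory. Returns the offset,
    or None when the value does not come from the pattern (for example the
    crash overwrote the register with something other than our input)."""
    if isinstance(value, str):
        value = int(value, 16)  # "41326241" or "0x41326241", as typed after `po`
    if isinstance(value, int):
        needle = struct.pack("<I", value & 0xFFFFFFFF)  # undo little-endian
    else:
        needle = bytes(value)  # raw bytes in memory order
    idx = pattern_create(size).find(needle)
    return None if idx < 0 else idx


if __name__ == "__main__":
    # Constructed sample: EIP = 0x41326241 after sending a 3000-byte pattern.
    buf = pattern_create(3000)
    print(buf[:24])                          # b'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7'
    print(pattern_offset(0x41326241, 3000))  # 36
    print(pattern_offset(0x12345678, 3000))  # None: not from our pattern
```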

03 Summary

04 References and resource links

4.1 References

[1] BugMeOut. Installing mona.py for WinDbg

[2] Installing the mona.py plugin in WinDbg

[3] Official installation instructions

4.2 Resource links

[1] WinDbglib+pykd

[2] Mona

[3] pykd


Please cite this article's address when reprinting: https://www.ucloud.cn/yun/123875.html
