Press Win+R, type cmd, and in the console type python to check whether Python 2.x.x is installed; if it is not, install a Python 2.x environment first. The Python build must match the bitness of WinDbg and pykd (the banner below shows a 32-bit Python 2.7 loaded into the 32-bit WinDbg plugin).

Put Mona.py and windbglib.py into the same folder as Windbg.exe, and put pykd.pyd into the winext folder under the WinDbg install directory.

In C:/Program Files/Common Files/Microsoft Shared/VC, run the registration command regsvr32 msdia90.dll; the system pops up a dialog reporting success.

0:003> .load pykd.pyd
0:003> !py mona
** Warning, no symbol path set ! **
I'll set the symbol path to srv*c:/symbols*http://msdl.microsoft.com/download/symbols

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*c:/symbols*http://msdl.microsoft.com/download/symbols
Symbol path set, now reloading symbols...
All set. Please restart WinDBG.
Hold on...
[+] Command used:
!py mona.py

    'mona' - Exploit Development Swiss Army Knife - WinDBG (32bit)
    Plugin version : 2.0 r616
    Python version : 2.7.9 (default, Dec 10 2014, 12:24:55) [MSC v.1500 32 bit (Intel)]
    PyKD version 0.2.0.29
    Written by Corelan - https://www.corelan.be
    Project page : https://github.com/corelan/mona

    |------------------------------------------------------------------|
    |                                                                  |
    |                     _____ ___  ____  ____  ____ _                |
    |                    / __ `__ \/ __ \/ __ \/ __ `/ https://www.corelan.be |
    |                   / / / / / / /_/ / / / / /_/ / https://www.corelan-training.com|
    |                  /_/ /_/ /_/\____/_/ /_/\__,_/ #corelan (Freenode IRC) |
    |                                                                  |
    |------------------------------------------------------------------|

Global options :
----------------
You can use one or more of the following global options on any command that will perform
a search in one or more modules, returning a list of pointers :
    -n                     : Skip modules that start with a null byte. If this is too broad, use
                             option -cp nonull instead
    -o                     : Ignore OS modules
    -p <nr>                : Stop search after <nr> pointers.
    -m <module,module,...> : only query the given modules. Be sure what you are doing !
                             You can specify multiple modules (comma separated)
                             Tip : you can use -m * to include all modules. All other module criteria will be ignored
                             Other wildcards : *blah.dll = ends with blah.dll, blah* = starts with blah,
                             blah or *blah* = contains blah
    -cm <crit,crit,...>    : Apply some additional criteria to the modules to query.
                             You can use one or more of the following criteria :
                             aslr,safeseh,rebase,nx,os
                             You can enable or disable a certain criterium by setting it to true or false
                             Example : -cm aslr=true,safeseh=false
                             Suppose you want to search for p/p/r in aslr enabled modules, you could call
                             !mona seh -cm aslr
    -cp <crit,crit,...>    : Apply some criteria to the pointers to return
                             Available options are :
                             unicode,ascii,asciiprint,upper,lower,uppernum,lowernum,numeric,alphanum,nonull,startswithnull,unicoderev
                             Note : Multiple criteria will be evaluated using "AND", except if you are looking for unicode + one crit
    -cpb "\x00\x01"        : Provide list with bad chars, applies to pointers
                             You can use .. to indicate a range of bytes (in between 2 bad chars)
    -x <access>            : Specify desired access level of the returning pointers. If not specified,
                             only executable pointers will be returned.
                             Access levels can be one of the following values : R,W,X,RW,RX,WX,RWX or *

Usage :
-------
    !mona <command> <parameter>

Available commands and parameters :

    ? / eval               | Evaluate an expression
    allocmem / alloc       | Allocate some memory in the process
    assemble / asm         | Convert instructions to opcode. Separate multiple instructions with #
    bpseh / sehbp          | Set a breakpoint on all current SEH Handler function pointers
    breakfunc / bf         | Set a breakpoint on an exported function in on or more dll's
    breakpoint / bp        | Set a memory breakpoint on read/write or execute of a given address
    bytearray / ba         | Creates a byte array, can be used to find bad characters
    changeacl / ca         | Change the ACL of a given page
    compare / cmp          | Compare a file created by msfvenom/gdb/hex/xxd/hexdump/ollydbg with a copy in memory
    config / conf          | Manage configuration file (mona.ini)
    copy / cp              | Copy bytes from one location to another
    dump                   | Dump the specified range of memory to a file
    dumplog / dl           | Dump objects present in alloc/free log file
    dumpobj / do           | Dump the contents of an object
    egghunter / egg        | Create egghunter code
    encode / enc           | Encode a series of bytes
    filecompare / fc       | Compares 2 or more files created by mona using the same output commands
    fillchunk / fchunk     | Fill a heap chunk referenced by a register
    find / f               | Find bytes in memory
    findmsp / findmsf      | Find cyclic pattern in memory
    findwild / fw          | Find instructions in memory, accepts wildcards
    flow / flw             | Simulate execution flows, including all branch combinations
    fwptr / fwp            | Find Writeable Pointers that get called
    geteat / eat           | Show EAT of selected module(s)
    getiat / iat           | Show IAT of selected module(s)
    getpc                  | Show getpc routines for specific registers
    gflags / gf            | Show current GFlags settings from PEB.NtGlobalFlag
    header                 | Read a binary file and convert content to a nice "header" string
    heap                   | Show heap related information
    help                   | show help
    hidedebug / hd         | Attempt to hide the debugger
    info                   | Show information about a given address in the context of the loaded application
    infodump / if          | Dumps specific parts of memory to file
    jmp / j                | Find pointers that will allow you to jump to a register
    jop                    | Finds gadgets that can be used in a JOP exploit
    jseh                   | Finds gadgets that can be used to bypass SafeSEH
    kb / kb                | Manage Knowledgebase data
    modules / mod          | Show all loaded modules and their properties
    noaslr                 | Show modules that are not aslr or rebased
    nosafeseh              | Show modules that are not safeseh protected
    nosafesehaslr          | Show modules that are not safeseh protected, not aslr and not rebased
    offset                 | Calculate the number of bytes between two addresses
    pageacl / pacl         | Show ACL associated with mapped pages
    pattern_create / pc    | Create a cyclic pattern of a given size
    pattern_offset / po    | Find location of 4 bytes in a cyclic pattern
    peb / peb              | Show location of the PEB
    rop                    | Finds gadgets that can be used in a ROP exploit and do ROP magic with them
    ropfunc                | Find pointers to pointers (IAT) to interesting functions that can be used in your ROP chain
    seh                    | Find pointers to assist with SEH overwrite exploits
    sehchain / exchain     | Show the current SEH chain
    skeleton               | Create a Metasploit module skeleton with a cyclic pattern for a given type of exploit
    stackpivot             | Finds stackpivots (move stackpointer to controlled area)
    stacks                 | Show all stacks for all threads in the running application
    string / str           | Read or write a string from/to memory
    suggest                | Suggest an exploit buffer structure
    teb / teb              | Show TEB related information
    tobp / 2bp             | Generate WinDBG syntax to create a logging breakpoint at given location
    unicodealign / ua      | Generate venetian alignment code for unicode stack buffer overflow
    update / up            | Update mona to the latest version

Want more info about a given command ? Run !mona help
1. Common mona commands

.load pykd.pyd
!py mona

// set the working folder
!py mona config -set workingfolder "D:/mona/"
// generate a 3000-byte cyclic pattern to locate the overflow point
!py mona pc 3000
// get the offset of the overflow point from the 4 bytes that landed in the register
!py mona po 0x12345678
// find jmp esp instructions
!py mona jmp -r esp
// find jmp esp instructions in the kernel32.dll module only
!py mona jmp -r esp -m "kernel32.dll"
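The pc/po pair above is the part of the workflow that is easiest to get wrong (byte order in particular), so here is an added Python example that reproduces what those two commands do. It is not mona's own code: it builds the same Metasploit-style cyclic pattern that mona's pattern_create uses, in which every 3-byte triple "<Upper><lower><digit>" is unique, and then looks up a register value the way pattern_offset does. The 3000-byte size comes from the page; the crash values 0x64413364 and 0x64334164 are constructed for the demonstration.

```python
# Added example, not mona's own code. Reproduces the logic behind
# "!py mona pc <length>" and "!py mona po <value>".
import struct
from itertools import product
from string import ascii_lowercase, ascii_uppercase, digits

# 26 * 26 * 10 unique triples of 3 bytes each before the sequence would repeat.
MAX_UNIQUE = 26 * 26 * 10 * 3  # 20280


def pattern_create(length):
    """Return a cyclic pattern of exactly `length` characters (cf. `!py mona pc <length>`)."""
    if not 0 < length <= MAX_UNIQUE:
        raise ValueError("length must be between 1 and %d" % MAX_UNIQUE)
    chunks = []
    produced = 0
    # product() varies the digit fastest, then the lowercase letter, then the uppercase one:
    # Aa0 Aa1 ... Aa9 Ab0 Ab1 ... Az9 Ba0 ...
    for upper, lower, digit in product(ascii_uppercase, ascii_lowercase, digits):
        chunks.append(upper + lower + digit)
        produced += 3
        if produced >= length:
            break
    return "".join(chunks)[:length]


def pattern_offset(pattern, value):
    """Locate the 4 bytes that ended up in a register (cf. `!py mona po <value>`).

    `value` is the register contents as the debugger prints them (e.g. 0x64413364).
    x86 is little-endian, so the bytes that overwrote the register sit in memory in
    the reverse order of the printed value; the little-endian decoding is therefore
    tried first and the big-endian one only as a fallback.
    Returns (offset, byte_order), or None when the value is not part of the pattern.
    """
    for fmt, order in (("<I", "little-endian"), (">I", "big-endian")):
        needle = struct.pack(fmt, value & 0xFFFFFFFF).decode("latin-1")
        idx = pattern.find(needle)
        if idx != -1:
            return idx, order
    return None


def overwrite_offset(pattern, value):
    """Just the offset of the register overwrite, or -1 when the value is not in the pattern."""
    hit = pattern_offset(pattern, value)
    return -1 if hit is None else hit[0]


if __name__ == "__main__":
    pattern = pattern_create(3000)  # same size as "!py mona pc 3000" on the page
    print(pattern[:24])
    # Constructed crash value: pretend the debugger reported EIP = 0x64413364 ("d3Ad").
    print(pattern_offset(pattern, 0x64413364))  # (100, 'little-endian')
    # The page's placeholder 0x12345678 contains 0x12, which is not a pattern byte.
    print(pattern_offset(pattern, 0x12345678))  # None
```

The offset reported this way is the number of bytes before the 4 that overwrite the register, which is what the rest of the buffer layout (padding, then the replacement return address) is built around. If po reports a hit only in big-endian order, the bytes reached the register through some intermediate copy that reversed them, and the buffer layout has to account for that.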