Yaksas Security

Mona.py for exploit devs: 6 must know commands

Uday Mittal, July 23, 2019

When it comes to exploit development for Microsoft Windows, Mona.py is the go-to library for most security researchers. In this post I list six commands that I use often. Watch the video for a demonstration.

What is Mona.py?

  • A pycommand for Immunity Debugger, designed and developed to aid the exploit development process
  • Automates various tasks such as address search, pattern generation and comparison, egg hunter generation etc.
  • Replaces pvefindaddr
  • Developed by Corelanc0d3r (Peter Van Eeckhoutte)
  • Official link: http://bit.ly/mona-py

Command 1: Set workingfolder

  • Sets the working directory for mona to store command output and related files:
    • !mona config -set workingfolder c:\logs\%p
  • This will tell mona to write the output to subfolders of c:\logs. The %p variable will be replaced with the process name currently being debugged.
  • If you want to further group output, you can even use the %i variable in the workingfolder parameter. This variable will get replaced with the process ID of the application being debugged.

Command 2: bytearray

  • Generates an array of hex bytes from \x00 to \xff (except for the excluded ones):
    • !mona bytearray
  • Produces two files: text and binary
  • Takes two flags:
    • -b – to exclude bytes from array
    • -r – to output array in the reverse order (\xff..\x00)
  • Use compare command to automate the comparison process:
    • !mona compare -f <filename> -a <address>
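The following is an added example, not mona's own code: it reproduces the bytearray/compare workflow in plain Python so the exclude-regenerate-compare loop can be checked outside the debugger. `simulate_copy` is a constructed stand-in for the target's input handling (it stops at the first NUL and turns line feeds into spaces); in practice the second argument to `compare` is the memory dump read at the address you pass to `-a`.

```python
"""Bad-character analysis helpers, added as an example (not mona's own code).

Mirrors what `!mona bytearray -b ... [-r]` and `!mona compare` do, but on
in-memory data: build the test array, write the same text/binary files mona
produces, and diff the array against what actually landed in memory.
"""
from pathlib import Path
from typing import Iterable, List, Optional, Tuple


def bytearray_gen(exclude: Iterable[int] = (), reverse: bool = False) -> bytes:
    """Every value 0x00..0xff minus `exclude` (the -b flag);
    `reverse` gives \\xff..\\x00 (the -r flag)."""
    excluded = set(exclude)
    values = [b for b in range(256) if b not in excluded]
    if reverse:
        values.reverse()
    return bytes(values)


def as_text(arr: bytes) -> str:
    """Escaped form for pasting into exploit source: "\\x01\\x02..."."""
    return "".join(f"\\x{b:02x}" for b in arr)


def write_files(arr: bytes, folder: Path, stem: str = "bytearray") -> Tuple[Path, Path]:
    """Write <stem>.txt (escaped) and <stem>.bin (raw), the two files mona drops in its workingfolder."""
    folder.mkdir(parents=True, exist_ok=True)
    txt, raw = folder / f"{stem}.txt", folder / f"{stem}.bin"
    txt.write_text(as_text(arr))
    raw.write_bytes(arr)
    return txt, raw


def compare(expected: bytes, dump: bytes) -> List[Tuple[int, int, Optional[int]]]:
    """(offset, expected, found) for every position where the dump differs.
    A dump cut short (e.g. by a string copy stopping at a NUL) differs from
    that point on, so only the FIRST entry is trustworthy: exclude that byte,
    regenerate the array, and run the comparison again."""
    diffs = []
    for i, exp in enumerate(expected):
        found = dump[i] if i < len(dump) else None
        if found != exp:
            diffs.append((i, exp, found))
    return diffs


def first_bad_char(expected: bytes, dump: bytes) -> Optional[int]:
    diffs = compare(expected, dump)
    return diffs[0][1] if diffs else None


def simulate_copy(data: bytes) -> bytes:
    """Constructed stand-in for a target's input handling: stops at the first
    NUL and turns line feeds into spaces. Replace with the real memory dump."""
    out = bytearray()
    for b in data:
        if b == 0x00:
            break
        out.append(0x20 if b == 0x0A else b)
    return bytes(out)


def find_all_bad_chars(copy=simulate_copy, limit: int = 256) -> List[int]:
    """The iterative loop an analyst otherwise runs by hand: exclude, regenerate, compare."""
    bad: List[int] = []
    for _ in range(limit):
        arr = bytearray_gen(exclude=bad)
        nxt = first_bad_char(arr, copy(arr))
        if nxt is None:
            return bad
        bad.append(nxt)
    return bad


if __name__ == "__main__":
    arr = bytearray_gen(exclude=[0x00])
    print(as_text(arr)[:40], "...")
    print("bad chars:", [hex(b) for b in find_all_bad_chars()])  # ['0x0', '0xa']
```

Against the constructed copy routine the loop reports `0x00` first (the dump is empty, so every position differs) and `0x0a` on the second pass; the third pass is clean. That is why only the first mismatch is acted on per iteration: everything after a truncation point is noise.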

Command 3: pc, po & findmsp

  • Generates a cyclic pattern (Metasploit pattern) of a given length:
    • !mona pc <length>
  • Locates given four bytes in a cyclic pattern and returns the offset:
    • !mona po <bytes>
  • Find instances of the cyclic pattern:
    • !mona findmsp
  • Optional argument:
    • -distance : sets the distance from ESP at which the search begins
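As an added example (not mona's code), the block below reimplements the pc/po/findmsp ideas so the offset arithmetic can be verified on constructed data: a Metasploit-style pattern generator, an offset lookup that accepts either the raw 4 bytes or a 32-bit register value, and a scan that finds the longest run of pattern inside a memory dump. `simulate_crash` and `RET_OFFSET` are constructed for the demonstration; they stand in for the debugger's view of EIP and ESP after a crash.

```python
"""Cyclic-pattern helpers, added as an example (not mona's own code).

Reimplements the idea behind `!mona pc`, `!mona po` and `!mona findmsp` on
constructed data, so the offset arithmetic can be checked outside a debugger.
"""
import itertools
import struct
from typing import Optional, Tuple, Union

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGIT = "0123456789"
MAX_LEN = len(UPPER) * len(LOWER) * len(DIGIT) * 3   # 20280 bytes before it repeats


def pattern_create(length: int) -> bytes:
    """Aa0Aa1Aa2...: the Metasploit-style pattern (`pc <length>`).
    Every 4-byte window is unique up to MAX_LEN, so a 4-byte value read
    from a register maps back to exactly one offset."""
    out = bytearray()
    for up, lo, dg in itertools.product(UPPER, LOWER, DIGIT):
        out += (up + lo + dg).encode()
        if len(out) >= length:
            break
    return bytes(out[:length])


def pattern_offset(needle: Union[bytes, int]) -> Optional[int]:
    """Offset of 4 bytes in the pattern (`po <bytes>`). An int is taken as a
    32-bit register value and unpacked little-endian, which is how bytes
    from the buffer show up in a register on x86."""
    if isinstance(needle, int):
        needle = struct.pack("<I", needle)
    idx = pattern_create(MAX_LEN).find(needle)
    return idx if idx >= 0 else None


def find_pattern_in(dump: bytes, min_run: int = 4) -> Optional[Tuple[int, int, int]]:
    """Longest stretch of pattern in a memory dump (the `findmsp` idea):
    returns (offset_in_dump, offset_in_pattern, run_length) or None."""
    full = pattern_create(MAX_LEN)
    best = None
    i = 0
    while i <= len(dump) - min_run:
        start = full.find(dump[i:i + min_run])
        if start < 0:
            i += 1
            continue
        n = min_run
        while i + n < len(dump) and start + n < len(full) and dump[i + n] == full[start + n]:
            n += 1
        if best is None or n > best[2]:
            best = (i, start, n)
        i += n
    return best


# Constructed crash: pretend a 300-byte pattern overran a stack buffer so that
# bytes 268..271 land in the saved return address and 272.. sit at ESP.
RET_OFFSET = 268


def simulate_crash(payload: bytes) -> Tuple[int, bytes]:
    """Returns (eip_value, bytes_at_esp) the way a debugger would show them."""
    eip = struct.unpack("<I", payload[RET_OFFSET:RET_OFFSET + 4])[0]
    stack = payload[RET_OFFSET + 4:] + b"\x00" * 8
    return eip, stack


def analyse(length: int = 300) -> dict:
    """Run the whole pc -> crash -> po / findmsp round trip on constructed data."""
    pat = pattern_create(length)
    eip, stack = simulate_crash(pat)
    return {
        "eip": eip,
        "eip_offset": pattern_offset(eip),
        "esp": find_pattern_in(stack),
    }


if __name__ == "__main__":
    print({k: (hex(v) if k == "eip" else v) for k, v in analyse().items()})
```

On the constructed crash, EIP reads `0x6a413969` (the bytes `i9Aj` little-endian), `pattern_offset` maps it back to 268, and the ESP scan reports 28 pattern bytes starting at pattern offset 272, i.e. directly after the overwritten return address. Passing the integer form of EIP rather than the ASCII you see in the registers window avoids the most common mistake here, reversing the byte order by hand.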

Command 4: egg

  • Creates an egghunter routine with a default tag (w00t):
    • !mona egg
  • Optional arguments:
    • -t : tag (ex: w00t). Default value is w00t
    • -c : enable checksum routine. Only works in conjunction with parameter -f
    • -f : file containing the shellcode
    • -depmethod : method can be “virtualprotect”, “copy” or “copy_size”
    • -depreg : sets the register that contains a pointer to the API function to bypass DEP. By default this register is set to ESI
    • -depsize : sets the size for the dep bypass routine
    • -depdest : this register points to the location of the egghunter itself.

Command 5: jmp

  • Searches for pointers that will lead to execution of the code located at the address pointed by a given register:
    • !mona jmp -r <register>
  • Default module criteria: ASLR-enabled and rebased modules are skipped. The search includes OS modules by default, but this can be overruled with the -cm os=false global option.

Command 6: seh

  • Searches for pointers to routines that will lead to code execution in a SEH overwrite exploit:
    • !mona seh
  • By default, it will attempt to bypass SafeSEH by excluding pointers from rebase, aslr and safeseh protected modules.
  • The optional -all parameter, if specified, will also search for pointers in memory locations outside of loaded modules.

Watch the video

Learn the art of exploit development

If you want to learn the art of exploit development check out our Hands-on courses:

  • Hands-on Exploit Development
  • Hands-on Exploit Development (Advanced)

You can enroll in both courses at USD $10 each using the above links. You can also use the coupon code YCSCSALE3570 for the same.

Also check out our free course:

  • Immunity Debugger for Exploit Devs – YCSC Lab Essentials

Uday Mittal

Uday Mittal is a cybersecurity professional with rich experience working across industries including telecom, publishing, consulting and finance. He holds internationally recognized certifications such as CRTP, OSCE, OSCP, CISSP, CISA, CISM and CRISC, among others. He speaks on cybersecurity awareness and offensive security research, and has authored various articles on cyber security and software development for a leading magazine on open source software.


© Copyright 2020 ElliteDevs · All Rights Reserved · Powered by WordPress