huddy1985 closed this issue 7 years ago
Hi, I have a few questions:
!py mona up (to upgrade)
!py mona config -set workingfolder "C:\logs\%p" (adding a backslash between "logs" and "%p")
!py mona rop -m kernel32
and see if that works? Thanks
I have the same problem; this is my log file:
================================================================================
Output generated by mona.py v2.0, rev 570 - WinDBG
Corelan Team - https://www.corelan.be
================================================================================
OS : win7, release 6.1.7601
Process being debugged : ConsoleApp (pid 4936)
Current mona arguments: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py rop -m kernel32
================================================================================
2017-04-21 18:37:43
================================================================================
----------------------------------------------------------------------------------------------------------------------------------
Module info :
----------------------------------------------------------------------------------------------------------------------------------
Base | Top | Size | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Version, Modulename & Path
----------------------------------------------------------------------------------------------------------------------------------
0x6c9b0000 | 0x6c9b3000 | 0x00003000 | False | True | True | True | True | 10.0.10586.788 [api-ms-win-core-synch-l1-2-0.dll] (C:\Windows\SysWOW64\api-ms-win-core-synch-l1-2-0.dll)
0x6df80000 | 0x6df83000 | 0x00003000 | False | True | True | True | True | 10.0.10586.788 [api-ms-win-core-file-l1-2-0.dll] (C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.dll)
0x6f950000 | 0x6f953000 | 0x00003000 | False | True | True | True | True | 10.0.10586.788 [api-ms-win-core-timezone-l1-1-0.dll] (C:\Windows\SysWOW64\api-ms-win-core-timezone-l1-1-0.dll)
0x6c880000 | 0x6c883000 | 0x00003000 | False | True | True | True | True | 10.0.10586.788 [api-ms-win-crt-heap-l1-1-0.dll] (C:\Windows\SysWOW64\api-ms-win-crt-heap-l1-1-0.dll)
0x6de30000 | 0x6df11000 | 0x000e1000 | False | True | True | True | True | 10.0.10586.788 [ucrtbase.DLL] (C:\Windows\SysWOW64\ucrtbase.DLL)
0x01350000 | 0x01357000 | 0x00007000 | False | True | True | True | False | -1.0- [ConsoleApp.exe] (ConsoleApp.exe)
0x6e100000 | 0x6e103000 | 0x00003000 | False | True | True | True | True | 10.0.10586.788 [api-ms-win-core-localization-l1-2-0.dll] (C:\Windows\SysWOW64\api-ms-win-core-localization-l1-2-0.dll)
0x6c870000 | 0x6c874000 | 0x00004000 | False | True | True | True | True | 10.0.10586.788 [api-ms-win-crt-convert-l1-1-0.dll] (C:\Windows\SysWOW64\api-ms-win-crt-convert-l1-1-0.dll)
0x6fc10000 | 0x6fc14000 | 0x00004000 | False | True | True | True | True | 10.0.10586.788 [api-ms-win-crt-string-l1-1-0.dll] (C:\Windows\SysWOW64\api-ms-win-crt-string-l1-1-0.dll)
0x6df50000 | 0x6df54000 | 0x00004000 | False | True | True | True | True | 10.0.10586.788 [api-ms-win-crt-runtime-l1-1-0.dll] (C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.dll)
0x758c0000 | 0x759d0000 | 0x00110000 | False | True | True | True | True | 6.1.7601.23714 [kernel32.dll] (C:\Windows\syswow64\kernel32.dll)
0x6c4c0000 | 0x6c4c5000 | 0x00005000 | False | True | True | True | True | 10.0.10586.788 [api-ms-win-crt-math-l1-1-0.dll] (C:\Windows\SysWOW64\api-ms-win-crt-math-l1-1-0.dll)
0x6f4e0000 | 0x6f4e3000 | 0x00003000 | False | True | True | True | True | 10.0.10586.788 [api-ms-win-core-file-l2-1-0.dll] (C:\Windows\SysWOW64\api-ms-win-core-file-l2-1-0.dll)
0x6ab00000 | 0x6ab15000 | 0x00015000 | False | True | True | True | True | 14.0.24215.1 [VCRUNTIME140.dll] (C:\Windows\SysWOW64\VCRUNTIME140.dll)
0x77010000 | 0x77190000 | 0x00180000 | False | True | True | True | True | 6.1.7601.23714 [ntdll.dll] (ntdll.dll)
0x6df30000 | 0x6df34000 | 0x00004000 | False | True | True | True | True | 10.0.10586.788 [api-ms-win-crt-stdio-l1-1-0.dll] (C:\Windows\SysWOW64\api-ms-win-crt-stdio-l1-1-0.dll)
0x6aae0000 | 0x6aae3000 | 0x00003000 | False | True | True | True | True | 10.0.10586.788 [api-ms-win-crt-locale-l1-1-0.dll] (C:\Windows\SysWOW64\api-ms-win-crt-locale-l1-1-0.dll)
0x75b00000 | 0x75b47000 | 0x00047000 | False | True | True | True | True | 6.1.7601.23714 [KERNELBASE.dll] (C:\Windows\syswow64\KERNELBASE.dll)
0x6df70000 | 0x6df73000 | 0x00003000 | False | True | True | True | True | 10.0.10586.788 [api-ms-win-core-processthreads-l1-1-1.dll] (C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-1.dll)
----------------------------------------------------------------------------------------------------------------------------------
- Progress update : 500 / 4022 items processed (Fri 2017/04/21 06:38:11 PM) - (12%)
- Progress update : 1000 / 4022 items processed (Fri 2017/04/21 06:38:30 PM) - (24%)
- Progress update : 1500 / 4022 items processed (Fri 2017/04/21 06:38:48 PM) - (37%)
- Progress update : 2000 / 4022 items processed (Fri 2017/04/21 06:39:06 PM) - (49%)
- Progress update : 2500 / 4022 items processed (Fri 2017/04/21 06:39:29 PM) - (62%)
- Progress update : 3000 / 4022 items processed (Fri 2017/04/21 06:39:54 PM) - (74%)
- Progress update : 3500 / 4022 items processed (Fri 2017/04/21 06:40:17 PM) - (87%)
- Progress update : 4000 / 4022 items processed (Fri 2017/04/21 06:40:41 PM) - (99%)
- Progress update : 4022 / 4022 items processed (Fri 2017/04/21 06:40:43 PM) - (100%)
[+] Creating suggestions list
[+] Processing suggestions
Attempting to create rop chain proposals
- Attempting to produce rop chain for VirtualProtect
* Enumerating ROPFunc info
I use Python 2.7.13 and WinDBG 10.0.14321.1024 x86 with administrator permissions, and the pykd module PYKD_BOOTSTRAPPER_2.0.0.11.
Haven't tried with WinDBG 10 yet... just confirmed on Win7, windbg 8.0, that the process completes fine (using iexplore as the application).
I'll see if I can install WinDBG 10 and try it out...
I tried different versions of windbg for Windows 7, 8.0, 8.1 on my PC and my notebook,
mona works great, for example:
!py mona jmp -r esp -m kernel32
But if I use
!py mona rop -m kernel32
Windbg freezes. I cannot understand why. I do not have enough knowledge to debug it myself.
I got the same result in a virtual machine (Oracle VM VirtualBox).
I always used Windows 7 Professional x64, (Python 2.7.13 and Python 3.6.1) x86, installed pykd from pip and loaded the BOOTSTRAPPER module x86.
Please tell me what I'm doing wrong and how long this stage lasts:
[+] Attempting to produce rop chain for VirtualProtect
Step 1/7: esi
Now I'm going to install another version of windows (8 or 10) on a virtual machine and try using mona rop on another modules
Would it be possible to try the same thing using immunity ? (basically, attach to the same process, and run the same command)
also, not sure if it matters, but have you tried installing windbglib/pykd using the exact procedure as explained at https://github.com/corelan/windbglib (instead of using pip) ?
I tried Immunity Debugger (mona built the ROP chains in a few seconds).
I faced this problem:
Unable to create working folder "C:\logs_mona_immunity\iexplore", the debugger program folder will be used instead
Although I run the debugger as an administrator. Now trying to solve it.
https://github.com/corelan/windbglib/blob/master/pykd/pykd.zip
I started using this module to load pykd.pyd. I think the problem was the file being locked. I tried to unlock them directly in the Windbg directory, but I did not take into account that the folder attributes are set to read only. Now everything works, but Windbg is very slow. What Immunity Debugger does in 20 seconds, Windbg does in 6 minutes. Is that how it should be? Or have I again configured something incorrectly?
Error when using rop on the ntdll module in Immunity Debugger:
0BADF00D [+] Command used:
0BADF00D !mona rop -m ntdll
---------- Mona command started on 2017-05-04 22:23:51 (v2.0, rev 570) ----------
0BADF00D [+] Processing arguments and criteria
0BADF00D - Pointer access level : X
0BADF00D - Only querying modules ntdll
0BADF00D [+] Generating module info table, hang on...
0BADF00D - Processing modules
0BADF00D - Done. Let's rock 'n roll.
0BADF00D [+] Preparing output file '_rop_progress_iexplore.exe_5512.log'
0BADF00D - Creating working folder "C:\logs_mona_immunity\iexplore"
0BADF00D ** Unable to create working folder "C:\logs_mona_immunity\iexplore", the debugger program folder will be used instead
0BADF00D - (Re)setting logfile _rop_progress_iexplore.exe_5512.log
0BADF00D [+] Progress will be written to _rop_progress_iexplore.exe_5512.log
0BADF00D [+] Maximum offset : 40
0BADF00D [+] (Minimum/optional maximum) stackpivot distance : 8
0BADF00D [+] Max nr of instructions : 6
0BADF00D [+] Split output into module rop files ? False
0BADF00D [+] Enumerating 22 endings in 1 module(s)...
0BADF00D - Querying module ntdll.dll
0BADF00D - Search complete :
0BADF00D Ending : RETN 0x02, Nr found : 6
0BADF00D Ending : RETN 0x0C, Nr found : 554
0BADF00D Ending : RETN 0x1C, Nr found : 52
0BADF00D Ending : RETN 0x0A, Nr found : 1
0BADF00D Ending : RETN, Nr found : 2973
0BADF00D Ending : RETN 0x20, Nr found : 38
0BADF00D Ending : RETN 0x18, Nr found : 131
0BADF00D Ending : RETN 0x08, Nr found : 648
0BADF00D Ending : RETN 0x24, Nr found : 25
0BADF00D Ending : RETN 0x28, Nr found : 19
0BADF00D Ending : RETN 0x10, Nr found : 354
0BADF00D Ending : RETN 0x00, Nr found : 45
0BADF00D Ending : RETN 0x14, Nr found : 233
0BADF00D Ending : RETN 0x04, Nr found : 664
0BADF00D - Filtering and mutating 5743 gadgets
0BADF00D - Progress update : 1000 / 5743 items processed (Thu 2017/05/04 10:23:56 PM) - (17%)
0BADF00D - Progress update : 2000 / 5743 items processed (Thu 2017/05/04 10:24:01 PM) - (34%)
0BADF00D - Progress update : 3000 / 5743 items processed (Thu 2017/05/04 10:24:05 PM) - (52%)
0BADF00D - Progress update : 4000 / 5743 items processed (Thu 2017/05/04 10:24:09 PM) - (69%)
0BADF00D - Progress update : 5000 / 5743 items processed (Thu 2017/05/04 10:24:13 PM) - (87%)
0BADF00D ********************************************************************************
Traceback (most recent call last):
File "C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\mona.py", line 18207, in main
commands[command].parseProc(opts)
File "C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\mona.py", line 11365, in procROP
findROPGADGETS(modulecriteria,criteria,endings,maxoffset,depth,split,thedistance,fast,mode)
File "C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\mona.py", line 6171, in findROPGADGETS
thisopcode = dbg.disasmBackward(endingtypeptr,depth+1)
File "C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\immlib.py", line 669, in disasmBackward
op._getfromtuple( debugger.disasm( backward_address, mode ) )
File "C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\libanalyze.py", line 114, in _getfromtuple
self.ip=opcode[0] # Instruction pointer
TypeError: 'int' object has no attribute '__getitem__'
0BADF00D ********************************************************************************
In windbg, meanwhile, everything works.
Aaah, I was hit by the same issue and found this thread.
With Immunity, as mentioned above, it works fine and generates the ROP chain very quickly. But with windbg it is painfully slow, and if you let it run for long enough (half an hour or more) it can generate the ROP chain. I tried to trace it with procmon and found that in the case of windbg it tries to open the mona.ini file a huge number of times between fetching the .pdb files for the DLLs, one after the other. Most of the delay was because of the events due to reading the mona.ini file.
I could only try this on Windows 10 x86. I will have to set up and look at procmon logs on a lower platform to see the difference, if that helps in some way.
Here is a snapshot of the same.
Thanks for diving into the issue. It is true that mona.py is much slower on windbg, because windbg does not expose an API that allows me to asm/disasm in an "efficient" manner. I basically have to use some dirty code in windbglib to simulate what Immunity offers (any tips on improving this, without using external libraries, are more than welcome). Anyway, I've added some code in mona.py to avoid reading from mona.ini that often; for sure there is room for improvement there... although I'm not able to see so many interactions with mona.ini in the first place on my box. Did you run !py mona rop without specifying a module (basically, just let it run against all modules)?
I pushed a new version of mona. Can you run !py mona up and try again with the latest version?
Thanks for the quick patch corelanc0d3r, but it looks like the problem still persists here. I have taken the latest patch and started ROP chain generation, but it's still stuck at...
- Filtering and mutating 4712 gadgets
- Progress update : 500 / 4712 items processed (Sat 2017/05/27 01:49:35 PM) - (10%)
- Progress update : 1000 / 4712 items processed (Sat 2017/05/27 01:49:42 PM) - (21%)
- Progress update : 1500 / 4712 items processed (Sat 2017/05/27 01:49:49 PM) - (31%)
- Progress update : 2000 / 4712 items processed (Sat 2017/05/27 01:49:54 PM) - (42%)
- Progress update : 2500 / 4712 items processed (Sat 2017/05/27 01:49:59 PM) - (53%)
- Progress update : 3000 / 4712 items processed (Sat 2017/05/27 01:50:05 PM) - (63%)
- Progress update : 3500 / 4712 items processed (Sat 2017/05/27 01:50:09 PM) - (74%)
- Progress update : 4000 / 4712 items processed (Sat 2017/05/27 01:50:12 PM) - (84%)
- Progress update : 4500 / 4712 items processed (Sat 2017/05/27 01:50:15 PM) - (95%)
- Progress update : 4712 / 4712 items processed (Sat 2017/05/27 01:50:17 PM) - (100%)
[+] Creating suggestions list
[+] Processing suggestions
[+] Launching ROP generator
[+] Attempting to produce rop chain for VirtualProtect
Step 1/7: esi <--- stuck here for the last 10-15 min.
Though I noticed this time that the step below took slightly less time; I may be wrong here though.
Please let me know if you need something else.
And yes, I am running it against all the modules: !py mona rop
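The progress lines posted above are enough to quantify the WinDBG versus Immunity difference this thread is about. The following is an added example (not mona's code and not any poster's): a small Python parser for mona's "Progress update" lines that turns their timestamps into a gadgets-per-second rate. The sample lines are copied from the logs posted in this thread.

```python
import re
from datetime import datetime

# Matches mona's "Progress update" lines. The Immunity variant carries a leading
# "0BADF00D " prefix, so we search rather than anchor at the start of the line.
PROGRESS_RE = re.compile(
    r"Progress update : (?P<done>\d+) / (?P<total>\d+) items processed "
    r"\(\w{3} (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} [AP]M)\)"
)

# Sample input: progress lines copied from the WinDBG and Immunity logs in this thread.
WINDBG_LOG = """\
- Progress update : 500 / 4022 items processed (Fri 2017/04/21 06:38:11 PM) - (12%)
- Progress update : 2000 / 4022 items processed (Fri 2017/04/21 06:39:06 PM) - (49%)
- Progress update : 4022 / 4022 items processed (Fri 2017/04/21 06:40:43 PM) - (100%)
[+] Creating suggestions list
""".splitlines()
IMMUNITY_LOG = """\
0BADF00D - Filtering and mutating 5743 gadgets
0BADF00D - Progress update : 1000 / 5743 items processed (Thu 2017/05/04 10:23:56 PM) - (17%)
0BADF00D - Progress update : 3000 / 5743 items processed (Thu 2017/05/04 10:24:05 PM) - (52%)
0BADF00D - Progress update : 5000 / 5743 items processed (Thu 2017/05/04 10:24:13 PM) - (87%)
""".splitlines()

def parse_progress(lines):
    """Return (items_done, total, timestamp) for every progress line, in order."""
    points = []
    for line in lines:
        m = PROGRESS_RE.search(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %I:%M:%S %p")
            points.append((int(m.group("done")), int(m.group("total")), ts))
    return points

def gadget_rate(lines):
    """Gadgets filtered per second between the first and last progress line."""
    points = parse_progress(lines)
    if len(points) < 2:
        return None  # a rate cannot be measured from a single sample
    (d0, _, t0), (d1, _, t1) = points[0], points[-1]
    elapsed = (t1 - t0).total_seconds()
    return None if elapsed <= 0 else (d1 - d0) / elapsed

def speedup(fast_lines, slow_lines):
    """How many times faster the first run filtered gadgets than the second."""
    fast, slow = gadget_rate(fast_lines), gadget_rate(slow_lines)
    if not fast or not slow:
        return None
    return fast / slow
```

On the thread's own logs this gives roughly 23 gadgets/s for WinDBG against 235 gadgets/s for Immunity, about a tenfold gap in the filtering phase alone, before the ROP-generator step where the WinDBG run hangs.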
Does procmon still show a large amount of attempted reads from mona.ini?
with regards to Step 1/7:
what process did you attach to ?
what is the exact mona command that you ran ?
OS: Windows 10?
Windbg 8 or 10?
I'll set up a box to try to reproduce the issue
thanks
Yes, Procmon was still showing a large number of reads from mona.ini, as earlier.
I used the application from this exploit: https://www.exploit-db.com/exploits/40760/
My box is Windows 10, x86, build 1703.
Commands I ran after attaching to the process from windbg:
.load pykd.pyd
!py mona rop
I will also try to dig in sometime today and share anything else I can find from my side.
Thanks again.
I was able to reproduce the issue, this is what I have found:
Immunity doesn't use symbols, and frankly mona.py itself doesn't really need symbols (but pykd does). That's another reason why the process is faster on Immunity.
So, taking those things into consideration, you can speed up the process by
Additionally, I have made some changes to mona.py to help speed up the process as well. I'm testing the changes internally first and will push an updated version soon.
OK, made a couple of changes, can you please test? Thanks
Great, it looks like the latest change has made it a lot faster.
It took 5 minutes in total to generate the whole chain for all the functions.
[+] Searching from 0x77d4d001 to 0x7fffffff
Sun 2017/05/28 11:31:43 AM: Step 2/7: ebp
Sun 2017/05/28 11:31:43 AM: Step 3/7: ebx
Sun 2017/05/28 11:31:43 AM: Step 4/7: edx
Sun 2017/05/28 11:31:43 AM: Step 5/7: ecx
Sun 2017/05/28 11:31:43 AM: Step 6/7: edi
Sun 2017/05/28 11:31:43 AM: Step 7/7: eax
[+] Preparing output file 'easyproxy.exe_virtualprotect.xml'
Got this ROP chain for VirtualProtect quite fast this time... in about 2 min. after firing the command:
ROP generator finished
[+] Writing stackpivots to file C:\logs\easyproxy\stackpivot.txt
Wrote 4547 pivots to file
[+] Writing suggestions to file C:\logs\easyproxy\rop_suggestions.txt
Wrote 1096 suggestions to file
[+] Writing results to file C:\logs\easyproxy\rop.txt (9082 interesting gadgets)
Wrote 9082 interesting gadgets to file
[+] Writing other gadgets to file C:\logs\easyproxy\rop.txt (13789 gadgets)
Wrote 13789 other gadgets to file
Done
[+] This mona.py action took 0:04:12.298000
Just another thing to mention: I have most of the symbols cached in my C:\My\Sym directory. That might also have sped up the process, but overall this was pretty fast this time. Thanks a lot 👍
Cool, for something that used to take hours (manually), I think 4 minutes seems reasonable :)
I'll close the issue; feel free to reopen if the issue is not solved anyway.
Sure, and thanks again, really appreciate it 👍
When I use mona.py to create the ROP chains, it stops at this position:
[+] Creating suggestions list
[+] Processing suggestions
[+] Launching ROP generator
[+] Attempting to produce rop chain for VirtualProtect
Step 1/7: esi
I have been waiting for many hours, and it still pauses there.
The env: pykd 0.3
The OS: Windows 8
The Python: Python 2.7
The commands:
.load pykd
!py mona
!py mona config -set workingfolder "C:\logs\%p"
!py mona rop -m kernel32.dll,ntdll,msvcr120.dll