corelan / mona

Corelan Repository for mona.py
BSD 3-Clause "New" or "Revised" License

Mona failed to produce ropchain, got exception errors regarding IAT #50

Closed modpr0be closed 4 years ago

modpr0be commented 4 years ago

When opening a new issue, please fill out the following sections:

Expected behavior

mona.py completes the ropchain/rop chain creation function.

Actual behavior

Mona throws errors when trying to produce a VirtualProtect ropchain. The issue is the same case as someone's here https://github.com/corelan/mona/issues/44 but I got more errors.

Steps to reproduce the problem

You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2951, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
TypeException: _IMAGE_NT_HEADERS : symbol name is not found

Error trying to process module TeeUI710.bpl
Error trying to process module TeeUI710.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Error trying to process module JvDlgs100.bpl
Error trying to process module JvDlgs100.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Error trying to process module vclactnband100.bpl
Error trying to process module vclactnband100.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Error trying to process module JvStdCtrls100.bpl
Error trying to process module JvStdCtrls100.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Error trying to process module rtl100.bpl
Error trying to process module rtl100.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Error trying to process module VclSmp100.bpl
Error trying to process module VclSmp100.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Error trying to process module TeeDB710.bpl
Error trying to process module TeeDB710.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Error trying to process module xmlrtl100.bpl
Error trying to process module xmlrtl100.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Error trying to process module JclVcl100.bpl
Error trying to process module JclVcl100.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

** Error trying to process module Windows.StateRepositoryPS.dll


Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 19097, in main
    commands[command].parseProc(opts)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 12050, in procROP
    findROPGADGETS(modulecriteria,criteria,endings,maxoffset,depth,split,thedistance,fast,mode,sortedprint)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 6558, in findROPGADGETS
    vplogtxt = createRopChains(suggestions,interestinggadgets,ropgadgets,modulecriteria,criteria,objprogressfile,progressfile)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 8812, in createRopChains
    thischain[thisreg],skiplist = getPickupGadget(thisreg,funcptr,functext,suggestions,interestinggadgets,criteria,modulecriteria,routine)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 9572, in getPickupGadget
    allpointers = findPattern(modulecriteria,criteria,pattern,type,base,top)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 7601, in findPattern
    outside = getRangesOutsideModules()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 5344, in getRangesOutsideModules
    populateModuleInfo()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 5818, in populateModuleInfo
    thismod = MnModule(key)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2720, in __init__
    mzbase = mod.getBaseAddress()
AttributeError: 'NoneType' object has no attribute 'getBaseAddress'

Thank you for your help Peter.

modpr0be commented 4 years ago

Forgot to mention, I was running mona rop during crash dump analysis (not attached to the process). The program generates a child process, which can't reproduce the same crash as in the crash dump. I'm using procdump to dump the crash dump.

corelanc0d3r commented 4 years ago

Hey Thomas, hope you're well!

At first sight, this looks like a symbols issue to me - would it be possible to check/confirm that symbols are working correctly? (I know there are issues with the MS symbols starting Win10 build 1903/1909 if I recall correctly. There is a (dirty, but working) workaround here: https://github.com/corelan/CorelanTraining#peb-produces-error-3-inittyperead-on-windows-10-19031909)

Hope this helps

modpr0be commented 4 years ago

Hey Peter, thanks for asking, hope you're well too!

I already addressed the issue of !peb in the first place (during setup and installation of mona, pykd, and windbglib). There were no errors related to PEB at xxxxxxxx error 3 InitTypeRead. !peb and mona run very well.

I notice that all DLL files are renamed by the developer and have a .bpl extension; is that maybe why the MS symbols are complaining?

corelanc0d3r commented 4 years ago

I don't know if renaming the dll to bpl makes a difference... just for the sake of ruling out things: can you run mona rop against another 32bit app, and see if that works? If that works, can you write a simple C++ application that does a loadlibrary on one of the .bpl files... and then see if mona rop still works

modpr0be commented 4 years ago

> I don't know if renaming the dll to bpl makes a difference... just for the sake of ruling out things: can you run mona rop against another 32bit app, and see if that works? If that works, can you write a simple C++ application that does a loadlibrary on one of the .bpl files... and then see if mona rop still works

Mona ran well against another application, but those apps load DLLs that have symbols (and they resolved too). Another thing: if I pass the -fast option it works, but there is no rop chain.

modpr0be commented 4 years ago

I don't understand what you mean by this: "If that works, can you write a simple C++ application that does a loadlibrary on one of the .bpl files... and then see if mona rop still works".

I mean, what results should be expected by doing a loadlibrary to .bpl files and the relation with mona?

Same errors generated when using Win7 and Windbg 6.12.0002.633

*** ERROR: Module load completed but symbols could not be loaded for vcl100.bpl
*** ERROR: Module load completed but symbols could not be loaded for rtl100.bpl
*** ERROR: Module load completed but symbols could not be loaded for vcl100.bpl
*** ERROR: Module load completed but symbols could not be loaded for rtl100.bpl
*** ERROR: Module load completed but symbols could not be loaded for vcl100.bpl
Traceback (most recent call last):
  File "mona.py", line 2951, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files\Debugging Tools for Windows (x86)\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files\Debugging Tools for Windows (x86)\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files\Debugging Tools for Windows (x86)\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
TypeException: _IMAGE_NT_HEADERS : symbol name is not found

** Error trying to process module vclie100.bpl
** Error trying to process module vclie100.bpl
Traceback (most recent call last):
  File "mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

** Error trying to process module vcldb100.bpl
** Error trying to process module vcldb100.bpl
Traceback (most recent call last):
  File "mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

** Error trying to process module JvCore100.bpl
** Error trying to process module JvCore100.bpl
Traceback (most recent call last):
  File "mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

** Error trying to process module ibxpress100.bpl
** Error trying to process module ibxpress100.bpl
Traceback (most recent call last):
  File "mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

** Error trying to process module TeeImage710.bpl
** Error trying to process module TeeImage710.bpl
Traceback (most recent call last):
  File "mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

** Error trying to process module dbrtl100.bpl
** Error trying to process module dbrtl100.bpl
Traceback (most recent call last):
  File "mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

** Error trying to process module JclVcl100.bpl
** Error trying to process module JclVcl100.bpl
Traceback (most recent call last):
  File "mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

 Oops - It seems that PyKD was unable problem to get the PEB object.
 This usually means that
  1. msdiaxxx.dll has not been registered correctly    and/or
  2. symbols are missing for ntdll.dll

 Possible solutions:
 -------------------
 1. Re-register the VC runtime library:
    * For PyKd v0.2.0.29:
      (Re)Install the x86 VC++ Redistributable Package for Visual Studio 2008
       (https://www.microsoft.com/en-us/download/details.aspx?id=29)
      Next, run the following command from an administrator prompt:
        (x86) regsvr32.exe "%ProgramFiles%\Common Files\microsoft shared\VC\msdia90.dll"

        (x64) regsvr32.exe "%ProgramFiles(x86)%\Common Files\microsoft shared\VC\msdia90.dll"

 2. Force download of the Symbols for ntdll.dll
    * Connect to the internet, and verify that the symbol path is configured correctly
      Assuming that the local symbol path is set to c:\symbols,
      run the following command from within the windbg application folder
        symchk /r c:\windows\system32\ntdll.dll /s SRV*c:\symbols*http://msdl.microsoft.com/download/symbols

 Restart windbg and try again
Traceback (most recent call last):
  File "C:\Program Files\Debugging Tools for Windows (x86)\windbglib.py", line 1210, in getImageNameForModule
    moduleLst = getModulesFromPEB()
  File "C:\Program Files\Debugging Tools for Windows (x86)\windbglib.py", line 357, in getModulesFromPEB
    peb = getPEBInfo()
  File "C:\Program Files\Debugging Tools for Windows (x86)\windbglib.py", line 164, in getPEBInfo
    exit(1)
  File "C:\Python27\Lib\site.py", line 351, in __call__
    raise SystemExit(code)
SystemExit: 1

** Error trying to process module kernelbase.dll
** Error trying to process module ZahirSaldoAwal.bpl
** Error trying to process module ZahirSaldoAwal.bpl
Traceback (most recent call last):
  File "mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

** Error trying to process module ZDongle.dll
** Error trying to process module ZDongle.dll
Traceback (most recent call last):
  File "mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

** Error trying to process module IndyCore100.bpl
** Error trying to process module IndyCore100.bpl
Traceback (most recent call last):
  File "mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

** Error trying to process module tmsexd2006.bpl
** Error trying to process module tmsexd2006.bpl
Traceback (most recent call last):
  File "mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

** Error trying to process module IboAdminD10.bpl
** Error trying to process module IboAdminD10.bpl
Traceback (most recent call last):
  File "mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

** Error trying to process module ZahirSaldoAwal.bpl
********************************************************************************
Traceback (most recent call last):
  File "mona.py", line 19097, in main
    commands[command].parseProc(opts)
  File "mona.py", line 12050, in procROP
    findROPGADGETS(modulecriteria,criteria,endings,maxoffset,depth,split,thedistance,fast,mode,sortedprint)
  File "mona.py", line 6558, in findROPGADGETS
    vplogtxt = createRopChains(suggestions,interestinggadgets,ropgadgets,modulecriteria,criteria,objprogressfile,progressfile)
  File "mona.py", line 8812, in createRopChains
    thischain[thisreg],skiplist = getPickupGadget(thisreg,funcptr,functext,suggestions,interestinggadgets,criteria,modulecriteria,routine)
  File "mona.py", line 9572, in getPickupGadget
    allpointers = findPattern(modulecriteria,criteria,pattern,type,base,top)
  File "mona.py", line 7601, in findPattern
    outside = getRangesOutsideModules()
  File "mona.py", line 5344, in getRangesOutsideModules
    populateModuleInfo()
  File "mona.py", line 5818, in populateModuleInfo
    thismod = MnModule(key)
  File "mona.py", line 2720, in __init__
    mzbase    = mod.getBaseAddress()
AttributeError: 'NoneType' object has no attribute 'getBaseAddress'

********************************************************************************

This activity generated in 12 hours LOL. I can still craft manually but yeah mona ropchain is the one I really expect for this lol
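
The `getNtHeaders` frame in the traceback above asks pykd for the `_IMAGE_NT_HEADERS` type from ntdll, which fails when that type cannot be resolved from symbols. As an added illustration (not code from mona.py or windbglib.py), the same header can be read from raw module bytes at fixed offsets, including the `DllCharacteristics` bits for ASLR and DEP opt-in; a module that cannot be parsed is recorded as an error instead of becoming a `None` object. The module names and header bytes are constructed samples.

```python
import struct

MZ_MAGIC = 0x5A4D            # "MZ", IMAGE_DOS_HEADER.e_magic
PE_SIGNATURE = 0x00004550    # "PE\0\0", IMAGE_NT_HEADERS.Signature
PE32, PE32_PLUS = 0x10B, 0x20B
DYNAMIC_BASE = 0x0040        # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR opt-in)
NX_COMPAT = 0x0100           # IMAGE_DLLCHARACTERISTICS_NX_COMPAT (DEP opt-in)


class PEFormatError(ValueError):
    """Raised when the supplied bytes do not hold a usable PE header."""


def parse_nt_headers(image):
    """Parse PE headers from file bytes or from memory read at a module base."""
    if len(image) < 0x40:
        raise PEFormatError("shorter than IMAGE_DOS_HEADER")
    if struct.unpack_from("<H", image, 0)[0] != MZ_MAGIC:
        raise PEFormatError("missing MZ signature")
    # e_lfanew lives at 0x3c: the same field the failing frame reads with
    # pykd.ptrDWord(modulebase + 0x3c) before asking for the typed structure.
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    opt = e_lfanew + 24          # Signature (4) + IMAGE_FILE_HEADER (20)
    if opt + 72 > len(image):    # need the optional header up to DllCharacteristics
        raise PEFormatError("e_lfanew points outside the supplied bytes")
    signature, machine, _, _, _, _, opt_size, _ = struct.unpack_from(
        "<IHHIIIHH", image, e_lfanew)
    if signature != PE_SIGNATURE:
        raise PEFormatError("missing PE signature")
    if opt_size < 72:
        raise PEFormatError("optional header too small")
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == PE32:
        image_base = struct.unpack_from("<I", image, opt + 28)[0]
    elif magic == PE32_PLUS:
        image_base = struct.unpack_from("<Q", image, opt + 24)[0]
    else:
        raise PEFormatError("unknown optional header magic 0x%x" % magic)
    # SizeOfImage and DllCharacteristics sit at the same offsets in PE32 and PE32+.
    size_of_image = struct.unpack_from("<I", image, opt + 56)[0]
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]
    return {
        "machine": machine,
        "image_base": image_base,
        "size_of_image": size_of_image,
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "nx": bool(dll_chars & NX_COMPAT),
    }


def audit_modules(modules):
    """Map module name -> parsed header info, or {'error': ...} if unparsable."""
    report = {}
    for name in sorted(modules):
        try:
            report[name] = parse_nt_headers(modules[name])
        except PEFormatError as exc:
            # Keep going: one bad module must not abort the whole pass.
            report[name] = {"error": str(exc)}
    return report


def build_sample_header(dll_characteristics, image_base=0x10000000):
    """Construct a minimal 32-bit PE header (sample data, not a loadable file)."""
    dos = bytearray(0x80)
    struct.pack_into("<H", dos, 0, MZ_MAGIC)
    struct.pack_into("<I", dos, 0x3C, 0x80)           # e_lfanew
    file_header = struct.pack("<IHHIIIHH", PE_SIGNATURE, 0x014C, 0, 0, 0, 0, 96, 0x2102)
    optional = bytearray(96)
    struct.pack_into("<H", optional, 0, PE32)
    struct.pack_into("<I", optional, 28, image_base)  # ImageBase
    struct.pack_into("<I", optional, 56, 0x1000)      # SizeOfImage
    struct.pack_into("<H", optional, 70, dll_characteristics)
    return bytes(dos) + file_header + bytes(optional)


# Constructed samples: hypothetical names, synthetic header bytes.
SAMPLES = {
    "sample_legacy.bpl": build_sample_header(0x0000),
    "sample_hardened.dll": build_sample_header(DYNAMIC_BASE | NX_COMPAT),
    "sample_truncated.bin": build_sample_header(0x0000)[:0x60],
}

if __name__ == "__main__":
    for name, info in audit_modules(SAMPLES).items():
        print(name, info)
```
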

corelanc0d3r commented 4 years ago

I'll install the app and check it out - I'll keep you posted

corelanc0d3r commented 4 years ago

I have installed the app (and the update) and attached windbg to the application. Didn't trigger overflow or anything, just curious to see what would happen. Ran !py mona modules and !py mona rop. Both worked fine. (I didn't care about badchars at this point). Of course, the .bpl files were not loaded at this time.

0:004> .load pykd.pyd
0:004> !py mona modules
Hold on...
[+] Command used:
!py mona.py modules

---------- Mona command started on 2020-07-11 08:45:38 (v2.0, rev 600) ----------
[+] Processing arguments and criteria
    - Pointer access level : X
[+] Generating module info table, hang on...
    - Processing modules
    - Done. Let's rock 'n roll.
-----------------------------------------------------------------------------------------------------------------------------------------
 Module info :
-----------------------------------------------------------------------------------------------------------------------------------------
 Base       | Top        | Size       | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll | Version, Modulename & Path
-----------------------------------------------------------------------------------------------------------------------------------------
 0x77830000 | 0x7792a000 | 0x000fa000 | True   | False   | True  |  True    | True   | 10.0.17763.771 [COMDLG32.dll] (C:\Windows\System32\COMDLG32.dll)
 0x757a0000 | 0x757b7000 | 0x00017000 | True   | True    | True  |  True    | True   | 10.0.17763.1 [win32u.dll] (C:\Windows\System32\win32u.dll)
 0x74fc0000 | 0x75040000 | 0x00080000 | True   | False   | True  |  True    | True   | 10.0.17763.1 [msvcp_win.dll] (C:\Windows\System32\msvcp_win.dll)
 0x776c0000 | 0x77826000 | 0x00166000 | True   | False   | True  |  True    | True   | 10.0.17763.914 [gdi32full.dll] (C:\Windows\System32\gdi32full.dll)
 0x75580000 | 0x75718000 | 0x00198000 | True   | False   | True  |  True    | True   | 10.0.17763.973 [CRYPT32.dll] (C:\Windows\System32\CRYPT32.dll)
 0x754e0000 | 0x754ee000 | 0x0000e000 | True   | True    | True  |  True    | True   | 10.0.17763.1 [MSASN1.dll] (C:\Windows\System32\MSASN1.dll)
 0x75900000 | 0x759c0000 | 0x000c0000 | True   | False   | True  |  True    | True   | 7.0.17763.475 [msvcrt.dll] (C:\Windows\System32\msvcrt.dll)
 0x74f90000 | 0x74f9a000 | 0x0000a000 | True   | True    | True  |  True    | True   | 10.0.17763.1 [CRYPTBASE.dll] (C:\Windows\System32\CRYPTBASE.dll)
 0x749e0000 | 0x74a06000 | 0x00026000 | True   | False   | True  |  True    | True   | 10.0.17763.719 [dwmapi.dll] (C:\Windows\system32\dwmapi.dll)
 0x77940000 | 0x77adc000 | 0x0019c000 | True   | False   | True  |  True    | True   | 10.0.17763.1039 [ntdll.dll] (C:\Windows\SYSTEM32\ntdll.dll)
 0x76f70000 | 0x76fb4000 | 0x00044000 | True   | False   | True  |  True    | True   | 10.0.17763.1 [shlwapi.dll] (C:\Windows\System32\shlwapi.dll)
 0x766b0000 | 0x766c2000 | 0x00012000 | True   | False   | True  |  True    | True   | 10.0.17763.1 [cryptsp.dll] (C:\Windows\System32\cryptsp.dll)
 0x77480000 | 0x774a5000 | 0x00025000 | True   | False   | True  |  True    | True   | 10.0.17763.719 [IMM32.DLL] (C:\Windows\System32\IMM32.DLL)
 0x75440000 | 0x7544f000 | 0x0000f000 | True   | False   | True  |  True    | True   | 10.0.17763.1 [kernel.appcore.dll] (C:\Windows\System32\kernel.appcore.dll)
 0x73620000 | 0x7362f000 | 0x0000f000 | True   | False   | True  |  True    | True   | 10.0.17763.1 [sfc_os.DLL] (C:\Windows\SYSTEM32\sfc_os.DLL)
 0x766d0000 | 0x766e9000 | 0x00019000 | True   | False   | True  |  True    | True   | 10.0.17763.1 [bcrypt.dll] (C:\Windows\System32\bcrypt.dll)
 0x75720000 | 0x75799000 | 0x00079000 | True   | False   | True  |  True    | True   | 10.0.17763.1 [sechost.dll] (C:\Windows\System32\sechost.dll)
 0x74b00000 | 0x74c7f000 | 0x0017f000 | True   | False   | True  |  True    | True   | 7.0.17763.719 [PROPSYS.dll] (C:\Windows\SYSTEM32\PROPSYS.dll)
 0x77160000 | 0x7719b000 | 0x0003b000 | True   | False   | True  |  True    | True   | 10.0.17763.1 [cfgmgr32.dll] (C:\Windows\System32\cfgmgr32.dll)
 0x751e0000 | 0x752c0000 | 0x000e0000 | True   | False   | True  |  True    | True   | 10.0.17763.475 [KERNEL32.DLL] (C:\Windows\System32\KERNEL32.DLL)
 0x74fa0000 | 0x74fc0000 | 0x00020000 | True   | False   | True  |  True    | True   | 10.0.17763.1 [SspiCli.dll] (C:\Windows\System32\SspiCli.dll)
 0x760d0000 | 0x7614e000 | 0x0007e000 | True   | False   | True  |  True    | True   | 10.0.17763.1 [advapi32.dll] (C:\Windows\System32\advapi32.dll)
 0x766f0000 | 0x76cee000 | 0x005fe000 | True   | False   | True  |  True    | True   | 10.0.17763.1007 [windows.storage.dll] (C:\Windows\System32\windows.storage.dll)
 0x75040000 | 0x751da000 | 0x0019a000 | True   | False   | True  |  True    | True   | 10.0.17763.1039 [USER32.dll] (C:\Windows\System32\USER32.dll)
 0x706b0000 | 0x706c8000 | 0x00018000 | True   | False   | True  |  True    | True   | 10.0.17763.404 [MPR.dll] (C:\Windows\SYSTEM32\MPR.dll)
 0x76cf0000 | 0x76f67000 | 0x00277000 | True   | False   | True  |  True    | True   | 10.0.17763.1007 [combase.dll] (C:\Windows\System32\combase.dll)
 0x74ac0000 | 0x74af3000 | 0x00033000 | True   | False   | True  |  True    | True   | 10.0.17763.615 [IPHLPAPI.DLL] (C:\Windows\SYSTEM32\IPHLPAPI.DLL)
 0x00400000 | 0x01731000 | 0x01331000 | False  | False   | False |  False   | False  | 6.0.0.1 [ZahirApp6.exe] (C:\Program Files (x86)\Zahir Personal 6 - Demo Version\ZahirApp6.exe)
 0x6aac0000 | 0x6ab5c000 | 0x0009c000 | True   | False   | True  |  True    | True   | 10.0.17763.292 [apphelp.dll] (C:\Windows\SYSTEM32\apphelp.dll)
 0x74a10000 | 0x74a8b000 | 0x0007b000 | True   | False   | True  |  True    | True   | 10.0.17763.1007 [uxtheme.dll] (C:\Windows\system32\uxtheme.dll)
 0x77530000 | 0x775c6000 | 0x00096000 | True   | False   | True  |  True    | True   | 10.0.17763.914 [OLEAUT32.dll] (C:\Windows\System32\OLEAUT32.dll)
 0x774b0000 | 0x774cc000 | 0x0001c000 | True   | False   | True  |  True    | True   | 10.0.17763.1 [profapi.dll] (C:\Windows\System32\profapi.dll)
 0x76150000 | 0x766a3000 | 0x00553000 | True   | False   | True  |  True    | True   | 10.0.17763.1007 [SHELL32.dll] (C:\Windows\System32\SHELL32.dll)
 0x759c0000 | 0x75a7f000 | 0x000bf000 | True   | False   | True  |  True    | True   | 10.0.17763.864 [RPCRT4.dll] (C:\Windows\System32\RPCRT4.dll)
 0x754f0000 | 0x75579000 | 0x00089000 | True   | False   | True  |  True    | True   | 10.0.17763.1 [shcore.dll] (C:\Windows\System32\shcore.dll)
 0x71da0000 | 0x71faf000 | 0x0020f000 | True   | False   | True  |  True    | True   | 6.10.17763.1039 [COMCTL32.dll] (C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.1039_none_261d4d2767c89927\COMCTL32.dll)
 0x757c0000 | 0x758fc000 | 0x0013c000 | True   | False   | True  |  True    | True   | 10.0.17763.1007 [MSCTF.dll] (C:\Windows\System32\MSCTF.dll)
 0x66680000 | 0x66683000 | 0x00003000 | False  | True    | True  |  True    | True   | 10.0.17763.1 [sfc.dll] (C:\Windows\SYSTEM32\sfc.dll)
 0x75ed0000 | 0x760c9000 | 0x001f9000 | True   | False   | True  |  True    | True   | 10.0.17763.914 [KERNELBASE.dll] (C:\Windows\System32\KERNELBASE.dll)
 0x77200000 | 0x77262000 | 0x00062000 | True   | False   | True  |  True    | True   | 10.0.17763.678 [bcryptPrimitives.dll] (C:\Windows\System32\bcryptPrimitives.dll)
 0x76fd0000 | 0x770f2000 | 0x00122000 | True   | True    | True  |  True    | True   | 10.0.17763.719 [ucrtbase.dll] (C:\Windows\System32\ucrtbase.dll)
 0x77450000 | 0x77473000 | 0x00023000 | True   | True    | True  |  True    | True   | 10.0.17763.592 [GDI32.dll] (C:\Windows\System32\GDI32.dll)
 0x6b190000 | 0x6b417000 | 0x00287000 | True   | False   | True  |  True    | True   | 10.0.17763.292 [AcLayers.DLL] (C:\Windows\SYSTEM32\AcLayers.DLL)
 0x74e80000 | 0x74eeb000 | 0x0006b000 | True   | False   | True  |  True    | True   | 10.0.17763.592 [WINSPOOL.DRV] (C:\Windows\SYSTEM32\WINSPOOL.DRV)
 0x774d0000 | 0x77524000 | 0x00054000 | True   | False   | True  |  True    | True   | 10.0.17763.1 [powrprof.dll] (C:\Windows\System32\powrprof.dll)
 0x75a80000 | 0x75ecb000 | 0x0044b000 | True   | False   | True  |  True    | True   | 10.0.17763.404 [SETUPAPI.dll] (C:\Windows\System32\SETUPAPI.dll)
-----------------------------------------------------------------------------------------------------------------------------------------

[+] This mona.py action took 0:00:00.406000
0:004> !py mona rop
Hold on...
[+] Command used:
!py mona.py rop

---------- Mona command started on 2020-07-11 08:45:44 (v2.0, rev 600) ----------
[+] Processing arguments and criteria
    - Pointer access level : X
[+] Generating module info table, hang on...
    - Processing modules
    - Done. Let's rock 'n roll.
[+] Preparing output file '_rop_progress_ZahirApp6.exe_4276.log'
    - Creating working folder c:\logs\ZahirApp6
    - Folder created
    - (Re)setting logfile c:\logs\ZahirApp6\_rop_progress_ZahirApp6.exe_4276.log
[+] Progress will be written to _rop_progress_ZahirApp6.exe_4276.log
[+] Maximum offset : 40
[+] (Minimum/optional maximum) stackpivot distance : 8
[+] Max nr of instructions : 6
[+] Split output into module rop files ? False
[+] Enumerating 22 endings in 1 module(s)...
    - Querying module ZahirApp6.exe
    - Search complete :
       Ending : RETN 0x1A, Nr found : 1
       Ending : RETN 0x0C, Nr found : 133
       Ending : RETN 0x1C, Nr found : 29
       Ending : RETN 0x0A, Nr found : 1
       Ending : RETN, Nr found : 5266
       Ending : RETN 0x0E, Nr found : 1
       Ending : RETN 0x20, Nr found : 66
       Ending : RETN 0x18, Nr found : 15
       Ending : RETN 0x08, Nr found : 380
       Ending : RETN 0x24, Nr found : 9
       Ending : RETN 0x26, Nr found : 1
       Ending : RETN 0x02, Nr found : 3
       Ending : RETN 0x10, Nr found : 63
       Ending : RETN 0x00, Nr found : 21
       Ending : RETN 0x28, Nr found : 4
       Ending : RETN 0x14, Nr found : 22
       Ending : RETN 0x04, Nr found : 842
    - Filtering and mutating 6857 gadgets
      - Progress update : 1000 / 6857 items processed (Sat 2020/07/11 08:50:00 AM) - (14%)
      - Progress update : 2000 / 6857 items processed (Sat 2020/07/11 08:50:12 AM) - (29%)
      - Progress update : 3000 / 6857 items processed (Sat 2020/07/11 08:51:01 AM) - (43%)
      - Progress update : 4000 / 6857 items processed (Sat 2020/07/11 08:51:21 AM) - (58%)
      - Progress update : 5000 / 6857 items processed (Sat 2020/07/11 08:52:57 AM) - (72%)
      - Progress update : 6000 / 6857 items processed (Sat 2020/07/11 08:53:41 AM) - (87%)
      - Progress update : 6857 / 6857 items processed (Sat 2020/07/11 08:53:47 AM) - (100%)
[+] Creating suggestions list
[+] Processing suggestions
[+] Launching ROP generator
[+] Attempting to produce rop chain for VirtualProtect
    Sat 2020/07/11 08:53:53 AM: Step 1/7: esi
** Error trying to process module kernelbase.dll
** Error trying to process module kernel32.dll
[+] Searching from 0x00400000 to 0x01731000
[+] Searching from 0x00000000 to 0x003fffff
[+] Searching from 0x01731001 to 0x6667ffff
[+] Searching from 0x66683001 to 0x6aabffff
[+] Searching from 0x6ab5c001 to 0x6b18ffff
[+] Searching from 0x6b417001 to 0x706affff
[+] Searching from 0x706c8001 to 0x71d9ffff
[+] Searching from 0x71faf001 to 0x7361ffff
[+] Searching from 0x7362f001 to 0x749dffff
[+] Searching from 0x74a06001 to 0x74a0ffff
[+] Searching from 0x74a8b001 to 0x74abffff
[+] Searching from 0x74af3001 to 0x74afffff
[+] Searching from 0x74c7f001 to 0x74e7ffff
[+] Searching from 0x74eeb001 to 0x74f8ffff
[+] Searching from 0x74f9a001 to 0x74f9ffff
[+] Searching from 0x74fc0001 to 0x74fbffff
[+] Searching from 0x75040001 to 0x7503ffff
[+] Searching from 0x751da001 to 0x751dffff
[+] Searching from 0x752c0001 to 0x7543ffff
[+] Searching from 0x7544f001 to 0x754dffff
[+] Searching from 0x754ee001 to 0x754effff
[+] Searching from 0x75579001 to 0x7557ffff
[+] Searching from 0x75718001 to 0x7571ffff
[+] Searching from 0x75799001 to 0x7579ffff
[+] Searching from 0x757b7001 to 0x757bffff
[+] Searching from 0x758fc001 to 0x758fffff
[+] Searching from 0x759c0001 to 0x759bffff
[+] Searching from 0x75a7f001 to 0x75a7ffff
[+] Searching from 0x75ecb001 to 0x75ecffff
[+] Searching from 0x760c9001 to 0x760cffff
[+] Searching from 0x7614e001 to 0x7614ffff
[+] Searching from 0x766a3001 to 0x766affff
[+] Searching from 0x766c2001 to 0x766cffff
[+] Searching from 0x766e9001 to 0x766effff
[+] Searching from 0x76cee001 to 0x76ceffff
[+] Searching from 0x76f67001 to 0x76f6ffff
[+] Searching from 0x76fb4001 to 0x76fcffff
[+] Searching from 0x770f2001 to 0x7715ffff
[+] Searching from 0x7719b001 to 0x771fffff
[+] Searching from 0x77262001 to 0x7744ffff
[+] Searching from 0x77473001 to 0x7747ffff
[+] Searching from 0x774a5001 to 0x774affff
[+] Searching from 0x774cc001 to 0x774cffff
[+] Searching from 0x77524001 to 0x7752ffff
[+] Searching from 0x775c6001 to 0x776bffff
[+] Searching from 0x77826001 to 0x7782ffff
[+] Searching from 0x7792a001 to 0x7793ffff
[+] Searching from 0x77adc001 to 0x7fffffff
    Sat 2020/07/11 08:55:02 AM: Step 2/7: ebp
    Sat 2020/07/11 08:55:03 AM: Step 3/7: ebx
    Sat 2020/07/11 08:55:03 AM: Step 4/7: edx
    Sat 2020/07/11 08:55:03 AM: Step 5/7: ecx
    Sat 2020/07/11 08:55:03 AM: Step 6/7: edi
    Sat 2020/07/11 08:55:03 AM: Step 7/7: eax
[+] Preparing output file 'ZahirApp6.exe_virtualprotect.xml'
    - (Re)setting logfile c:\logs\ZahirApp6\ZahirApp6.exe_virtualprotect.xml
[+] Attempting to produce rop chain for SetInformationProcess
    Sat 2020/07/11 08:55:03 AM: Step 1/6: ebp
** Error trying to process module kernelbase.dll
** Error trying to process module kernel32.dll
** Error trying to process module kernelbase.dll
** Error trying to process module kernel32.dll
    Sat 2020/07/11 08:55:46 AM: Step 2/6: edx
    Sat 2020/07/11 08:55:46 AM: Step 3/6: ecx
    Sat 2020/07/11 08:55:46 AM: Step 4/6: ebx
    Sat 2020/07/11 08:55:46 AM: Step 5/6: eax
    Sat 2020/07/11 08:55:46 AM: Step 6/6: edi
[+] Attempting to produce rop chain for SetProcessDEPPolicy
    Sat 2020/07/11 08:55:46 AM: Step 1/3: ebp
** Error trying to process module kernelbase.dll
** Error trying to process module kernel32.dll
** Error trying to process module kernelbase.dll
** Error trying to process module kernel32.dll
    Sat 2020/07/11 08:56:28 AM: Step 2/3: ebx
    Sat 2020/07/11 08:56:28 AM: Step 3/3: edi
[+] Attempting to produce rop chain for VirtualAlloc
    Sat 2020/07/11 08:56:28 AM: Step 1/7: esi
** Error trying to process module kernelbase.dll
** Error trying to process module kernel32.dll
[+] Searching from 0x00400000 to 0x01731000
[+] Searching from 0x00000000 to 0x003fffff
[+] Searching from 0x01731001 to 0x6667ffff
[+] Searching from 0x66683001 to 0x6aabffff
[+] Searching from 0x6ab5c001 to 0x6b18ffff
[+] Searching from 0x6b417001 to 0x706affff
[+] Searching from 0x706c8001 to 0x71d9ffff
[+] Searching from 0x71faf001 to 0x7361ffff
[+] Searching from 0x7362f001 to 0x749dffff
[+] Searching from 0x74a06001 to 0x74a0ffff
[+] Searching from 0x74a8b001 to 0x74abffff
[+] Searching from 0x74af3001 to 0x74afffff
[+] Searching from 0x74c7f001 to 0x74e7ffff
[+] Searching from 0x74eeb001 to 0x74f8ffff
[+] Searching from 0x74f9a001 to 0x74f9ffff
[+] Searching from 0x74fc0001 to 0x74fbffff
[+] Searching from 0x75040001 to 0x7503ffff
[+] Searching from 0x751da001 to 0x751dffff
[+] Searching from 0x752c0001 to 0x7543ffff
[+] Searching from 0x7544f001 to 0x754dffff
[+] Searching from 0x754ee001 to 0x754effff
[+] Searching from 0x75579001 to 0x7557ffff
[+] Searching from 0x75718001 to 0x7571ffff
[+] Searching from 0x75799001 to 0x7579ffff
[+] Searching from 0x757b7001 to 0x757bffff
[+] Searching from 0x758fc001 to 0x758fffff
[+] Searching from 0x759c0001 to 0x759bffff
[+] Searching from 0x75a7f001 to 0x75a7ffff
[+] Searching from 0x75ecb001 to 0x75ecffff
[+] Searching from 0x760c9001 to 0x760cffff
[+] Searching from 0x7614e001 to 0x7614ffff
[+] Searching from 0x766a3001 to 0x766affff
[+] Searching from 0x766c2001 to 0x766cffff
[+] Searching from 0x766e9001 to 0x766effff
[+] Searching from 0x76cee001 to 0x76ceffff
[+] Searching from 0x76f67001 to 0x76f6ffff
[+] Searching from 0x76fb4001 to 0x76fcffff
[+] Searching from 0x770f2001 to 0x7715ffff
[+] Searching from 0x7719b001 to 0x771fffff
[+] Searching from 0x77262001 to 0x7744ffff
[+] Searching from 0x77473001 to 0x7747ffff
[+] Searching from 0x774a5001 to 0x774affff
[+] Searching from 0x774cc001 to 0x774cffff
[+] Searching from 0x77524001 to 0x7752ffff
[+] Searching from 0x775c6001 to 0x776bffff
[+] Searching from 0x77826001 to 0x7782ffff
[+] Searching from 0x7792a001 to 0x7793ffff
[+] Searching from 0x77adc001 to 0x7fffffff
    Sat 2020/07/11 08:56:49 AM: Step 2/7: ebp
    Sat 2020/07/11 08:56:50 AM: Step 3/7: ebx
    Sat 2020/07/11 08:56:50 AM: Step 4/7: edx
    Sat 2020/07/11 08:56:50 AM: Step 5/7: ecx
    Sat 2020/07/11 08:56:50 AM: Step 6/7: edi
    Sat 2020/07/11 08:56:50 AM: Step 7/7: eax
[+] ROP chains written to file c:\logs\ZahirApp6\rop_chains.txt

################################################################################

<...>

    ROP generator finished

[+] Writing stackpivots to file c:\logs\ZahirApp6\stackpivot.txt
    Wrote 2024 pivots to file 
[+] Writing suggestions to file c:\logs\ZahirApp6\rop_suggestions.txt
    Wrote 974 suggestions to file
[+] Writing results to file c:\logs\ZahirApp6\rop.txt (8449 interesting gadgets)
    Wrote 8449 interesting gadgets to file
[+] Writing other gadgets to file c:\logs\ZahirApp6\rop.txt (25633 gadgets)
    Wrote 25633 other gadgets to file
Done

[+] This mona.py action took 0:11:50.570000

I will continue playing with the app, looking for a way to get the .bpl files to load and I'll try again. Keep you posted.

corelanc0d3r commented 4 years ago

By the way, with "writing a C++ application", I meant to create a small, simple C++ application that does a loadlibrary on the bpl files (which, I presume, are simply .dll files?)

Once you have those files in a running process, you can create a rop chain against them.

thanks!

modpr0be commented 4 years ago

> by the way, with "writing a C++ application", I meant to create a small simple C++ application that does a loadlibrary on the bpl files (which, I presume, are simply .dll files?)
>
> Once you have those files in a running process, you can create a rop chain against them.
>
> thanks!

Ah, I understand now. Well, that's a good option! I'll try that. Thanks a lot, Peter! By the way, if you decide to continue playing with the app, it's a classic overflow in the File -> Import from other file (once the app is opened).

corelanc0d3r commented 4 years ago

quick update: can you try this:

(still running on my system. with almost 115K+ gadgets, will take a while to complete. Might be better to restrict it to just a few modules instead of all bpl modules)

modpr0be commented 4 years ago

Hold on.. how did you manage to get the overflow triggered in windbg? I can't trigger it because it never catches. The way I catch it is by taking a dump with procdump and opening it with windbg. Could you show me how to do it your way?

I'll try it as soon as possible

corelanc0d3r commented 4 years ago

I don't see the overflow. I just trigger it, and I make sure the process runs the payload (breakpoint, or even a bindshell for that matter... doesn't matter, as long as it doesn't terminate). If you then attach windbg to the process, it will have the bpl modules loaded, allowing you to run mona rop.

modpr0be commented 4 years ago

> I don't see the overflow. I just trigger it, and I make sure the process runs the payload (breakpoint, or even a bindshell for that matter... doesn't matter, as long as it doesn't terminate). If you then attach windbg to the process, it will have the bpl modules loaded, allowing you to run mona rop.

As far as I know, there are 2 processes created during the program load. I can't attach to the child process because it is always denied. The parent process doesn't have the .bpl modules loaded. Which process did you manage to attach to and get all modules loaded?

corelanc0d3r commented 4 years ago

Ah yes, sorry, forgot to mention - you have to do a non-invasive attach to the child process.

modpr0be commented 4 years ago

Ah yes, I did it that way but got the same error.. I'll try it again then.

corelanc0d3r commented 4 years ago

I am also getting symbol errors, but it hasn't crashed (yet)

modpr0be commented 4 years ago

> I am also getting symbol errors, but it hasn't crashed (yet)

In my case, it was about 10-12 hours before it crashed.

corelanc0d3r commented 4 years ago

ok, I'll limit the number of modules, see if I can speed up triggering the crash... definitely funky stuff going on in that process

modpr0be commented 4 years ago

Tried that as well, I was using Jcl100.bpl as a targeted module since it has a pointer to VirtualProtect. I'm running against it again now.

corelanc0d3r commented 4 years ago

I have added some error handling inside the getIAT function, can you check if it runs more stably now?
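
The tracebacks in this thread fail in getNtHeaders, which asks the debugger's symbol engine for the `_IMAGE_NT_HEADERS` type after reading the DWORD at `modulebase + 0x3c`. The following is an added example, not code from mona.py or windbglib: it reads the same header fields from raw module bytes using fixed PE offsets, and records unresolved or malformed modules instead of raising. The function names, module names, base addresses and the sample image are all constructed for illustration.

```python
import struct

class PEFormatError(ValueError):
    """Raised when a buffer does not hold well-formed PE headers."""

IMPORT_DIR, IAT_DIR = 1, 12  # IMAGE_DIRECTORY_ENTRY_IMPORT / IMAGE_DIRECTORY_ENTRY_IAT

def parse_data_directories(image):
    """Return the import and IAT data directories (rva, size) from PE header bytes."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise PEFormatError("missing MZ signature")
    # e_lfanew: the DWORD at offset 0x3c is the offset of the NT headers.
    (nt,) = struct.unpack_from("<I", image, 0x3C)
    if nt + 24 > len(image) or image[nt:nt + 4] != b"PE\0\0":
        raise PEFormatError("e_lfanew does not point at a PE signature")
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, nt + 4)
    opt = nt + 24  # optional header follows the 4-byte signature and 20-byte file header
    if opt_size < 2 or opt + opt_size > len(image):
        raise PEFormatError("optional header is truncated")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == 0x10B:      # PE32
        count_off = 92
    elif magic == 0x20B:    # PE32+
        count_off = 108
    else:
        raise PEFormatError("unknown optional header magic 0x%x" % magic)
    if opt_size < count_off + 4:
        raise PEFormatError("optional header has no data directory count")
    (count,) = struct.unpack_from("<I", image, opt + count_off)
    count = min(count, 16)  # never trust the stored count beyond the defined maximum
    if count_off + 4 + 8 * count > opt_size:
        raise PEFormatError("data directories overrun the optional header")
    first = opt + count_off + 4
    dirs = [struct.unpack_from("<II", image, first + 8 * i) for i in range(count)]

    def entry(index):
        return dirs[index] if index < len(dirs) else (0, 0)

    return {"machine": machine, "import": entry(IMPORT_DIR), "iat": entry(IAT_DIR)}

def collect_iat_ranges(modules):
    """Map module name -> (absolute IAT address, size); collect skip reasons separately."""
    found, skipped = {}, {}
    for name, (base, image) in modules.items():
        if image is None:  # the 'NoneType has no attribute getSymbols' situation
            skipped[name] = "module not resolved"
            continue
        try:
            rva, size = parse_data_directories(image)["iat"]
        except PEFormatError as exc:
            skipped[name] = str(exc)
            continue
        if size == 0:
            skipped[name] = "no IAT directory"
            continue
        found[name] = (base + rva, size)
    return found, skipped

def build_sample_pe32(e_lfanew=0x80, import_dir=(0x2000, 0x50), iat_dir=(0x3000, 0x40)):
    """Construct minimal PE32 headers (no sections, no code) for the demonstration."""
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)                      # 96 fixed bytes + 16 directories * 8
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<I", opt, 92, 16)        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMPORT_DIR, *import_dir)
    struct.pack_into("<II", opt, 96 + 8 * IAT_DIR, *iat_dir)
    return bytes(dos) + b"PE\0\0" + file_header + bytes(opt)

# Constructed sample data: one valid image, one truncated image, one unresolved module.
SAMPLE = build_sample_pe32()
MODULES = {
    "sample_ok.bpl": (0x10000000, SAMPLE),
    "sample_truncated.bpl": (0x20000000, SAMPLE[:0x90]),
    "sample_unresolved.bpl": (0x30000000, None),
}

if __name__ == "__main__":
    found, skipped = collect_iat_ranges(MODULES)
    for name, (addr, size) in found.items():
        print("%s: IAT at 0x%08x, %d bytes" % (name, addr, size))
    for name, reason in skipped.items():
        print("%s: skipped (%s)" % (name, reason))
```
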

modpr0be commented 4 years ago

Okay, I'll try it now.. need a couple of hours to finish. Will update you soon.

modpr0be commented 4 years ago

mona rop is still running using Jcl100.bpl as the targeted module, don't know how long it will take to finish. Will update here if mona rop succeeds.

corelanc0d3r commented 4 years ago

cool, thanks. I'm trying to make some performance tweaks in the meantime, which should reduce total runtime in the event that you've selected a module yourself, but the pointer to the API was not found in the IAT. (version 611 and up)

modpr0be commented 4 years ago

Hi Peter, it still failed.. here is the log:

************* Symbol Loading Error Summary **************
Module name            Error
rtl100                 The system cannot find the file specified

You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.

************* Symbol Loading Error Summary **************
Module name            Error
rtl100                 The system cannot find the file specified

You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.

************* Symbol Loading Error Summary **************
Module name            Error
rtl100                 The system cannot find the file specified

You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.

************* Symbol Loading Error Summary **************
Module name            Error
rtl100                 The system cannot find the file specified

You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2956, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
BaseException: File: .\dia\symexport.cpp Line: 103  TODO

** Error trying to process module vcl100.bpl
** Error trying to process module vcl100.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2917, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2956, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
BaseException: File: .\dia\symexport.cpp Line: 103  TODO

** Error trying to process module dbrtl100.bpl
** Error trying to process module dbrtl100.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2917, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2956, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
BaseException: File: .\dia\symexport.cpp Line: 103  TODO

** Error trying to process module 7z.dll
** Error trying to process module 7z.dll
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2917, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2956, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
BaseException: File: .\dia\symexport.cpp Line: 103  TODO

** Error trying to process module IndyProtocols100.bpl
** Error trying to process module IndyProtocols100.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2917, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2956, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
BaseException: File: .\dia\symexport.cpp Line: 103  TODO

** Error trying to process module IBO40VRT_D2006.bpl
** Error trying to process module IBO40VRT_D2006.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2917, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2956, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
BaseException: File: .\dia\symexport.cpp Line: 103  TODO

** Error trying to process module TMSD2006.bpl
** Error trying to process module TMSD2006.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2917, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2956, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
BaseException: File: .\dia\symexport.cpp Line: 103  TODO

** Error trying to process module TeePro710.bpl
** Error trying to process module TeePro710.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2917, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2956, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
BaseException: File: .\dia\symexport.cpp Line: 103  TODO

** Error trying to process module icudt.dll
** Error trying to process module icudt.dll
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2917, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

** Error trying to process module frxTee10.bpl
** Error trying to process module frxTee10.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2917, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2956, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
BaseException: File: .\dia\symexport.cpp Line: 103  TODO

** Error trying to process module d3dcompiler_43.dll
** Error trying to process module d3dcompiler_43.dll
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2917, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2956, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
BaseException: File: .\dia\symexport.cpp Line: 103  TODO

** Error trying to process module libcef.dll
** Error trying to process module libcef.dll
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2917, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2956, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
BaseException: File: .\dia\symexport.cpp Line: 103  TODO

** Error trying to process module gaSQLParser.bpl
** Error trying to process module gaSQLParser.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2917, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2956, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
BaseException: File: .\dia\symexport.cpp Line: 103  TODO

** Error trying to process module libglesv2.dll
** Error trying to process module libglesv2.dll
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2917, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2956, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
BaseException: File: .\dia\symexport.cpp Line: 103  TODO

** Error trying to process module Encyption.bpl
** Error trying to process module Encyption.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2917, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2956, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
BaseException: File: .\dia\symexport.cpp Line: 103  TODO

** Error trying to process module fbclient.dll
** Error trying to process module fbclient.dll
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2917, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2956, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
BaseException: File: .\dia\symexport.cpp Line: 103  TODO

** Error trying to process module fsIBX10.bpl
** Error trying to process module fsIBX10.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2917, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2956, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
BaseException: File: .\dia\symexport.cpp Line: 103  TODO

** Error trying to process module TeeUI710.bpl
** Error trying to process module TeeUI710.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2917, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2956, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
BaseException: File: .\dia\symexport.cpp Line: 103  TODO

** Error trying to process module tiptsf.dll
** Error trying to process module tiptsf.dll
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2917, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2956, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
BaseException: File: .\dia\symexport.cpp Line: 103  TODO

** Error trying to process module JvDlgs100.bpl
** Error trying to process module JvDlgs100.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2917, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2956, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
BaseException: File: .\dia\symexport.cpp Line: 103  TODO

** Error trying to process module bsreader.dll
** Error trying to process module bsreader.dll
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2917, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2956, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
BaseException: File: .\dia\symexport.cpp Line: 103  TODO

** Error trying to process module vclactnband100.bpl
** Error trying to process module vclactnband100.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2917, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2956, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
BaseException: File: .\dia\symexport.cpp Line: 103  TODO

** Error trying to process module JvStdCtrls100.bpl
** Error trying to process module JvStdCtrls100.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2917, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2956, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
BaseException: File: .\dia\symexport.cpp Line: 103  TODO

** Error trying to process module COA.bpl
** Error trying to process module COA.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2917, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2956, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
BaseException: File: .\dia\symexport.cpp Line: 103  TODO

** Error trying to process module IBO40FRT_D2006.bpl
** Error trying to process module IBO40FRT_D2006.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2917, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2956, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
BaseException: File: .\dia\symexport.cpp Line: 103  TODO

** Error trying to process module IBO40CRT_D2006.bpl
** Error trying to process module IBO40CRT_D2006.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2917, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2956, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
BaseException: File: .\dia\symexport.cpp Line: 103  TODO

** Error trying to process module rtl100.bpl
** Error trying to process module rtl100.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2917, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2956, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
BaseException: File: .\dia\symexport.cpp Line: 103  TODO

** Error trying to process module VclSmp100.bpl
** Error trying to process module VclSmp100.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2917, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2956, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
BaseException: File: .\dia\symexport.cpp Line: 103  TODO

** Error trying to process module frx10.bpl
** Error trying to process module frx10.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2917, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2956, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
BaseException: File: .\dia\symexport.cpp Line: 103  TODO

** Error trying to process module IBO40XRT_D2006.bpl
** Error trying to process module IBO40XRT_D2006.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2917, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2956, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
BaseException: File: .\dia\symexport.cpp Line: 103  TODO

** Error trying to process module d3dx9_43.dll
** Error trying to process module d3dx9_43.dll
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2917, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2956, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
BaseException: File: .\dia\symexport.cpp Line: 103  TODO

** Error trying to process module frxDB10.bpl
** Error trying to process module frxDB10.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2917, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2956, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
BaseException: File: .\dia\symexport.cpp Line: 103  TODO

** Error trying to process module TeeDB710.bpl
** Error trying to process module TeeDB710.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2917, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2956, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
BaseException: File: .\dia\symexport.cpp Line: 103  TODO

** Error trying to process module xmlrtl100.bpl
** Error trying to process module xmlrtl100.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2917, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2956, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
BaseException: File: .\dia\symexport.cpp Line: 103  TODO

** Error trying to process module Ml42ND50_2006.bpl
** Error trying to process module Ml42ND50_2006.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2917, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2956, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
BaseException: File: .\dia\symexport.cpp Line: 103  TODO

** Error trying to process module FileSyncShell.dll
** Error trying to process module FileSyncShell.dll
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2917, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2956, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
BaseException: File: .\dia\symexport.cpp Line: 103  TODO

** Error trying to process module libegl.dll
** Error trying to process module libegl.dll
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2917, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2956, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
BaseException: File: .\dia\symexport.cpp Line: 103  TODO

** Error trying to process module IndySystem100.bpl
** Error trying to process module IndySystem100.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2917, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2956, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
BaseException: File: .\dia\symexport.cpp Line: 103  TODO

** Error trying to process module JclVcl100.bpl
** Error trying to process module JclVcl100.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2917, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2956, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
BaseException: File: .\dia\symexport.cpp Line: 103  TODO

** Error trying to process module skinpackD2006.bpl
** Error trying to process module skinpackD2006.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2917, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2956, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
BaseException: File: .\dia\symexport.cpp Line: 103  TODO

** Error trying to process module IboAdminD10.bpl
** Error trying to process module IboAdminD10.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2917, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2956, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
BaseException: File: .\dia\symexport.cpp Line: 103  TODO

Invalid instruction - could not assemble jmp [eax]
********************************************************************************
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 19102, in main
    commands[command].parseProc(opts)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 12055, in procROP
    findROPGADGETS(modulecriteria,criteria,endings,maxoffset,depth,split,thedistance,fast,mode,sortedprint)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 6563, in findROPGADGETS
    vplogtxt = createRopChains(suggestions,interestinggadgets,ropgadgets,modulecriteria,criteria,objprogressfile,progressfile)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 8817, in createRopChains
    thischain[thisreg],skiplist = getPickupGadget(thisreg,funcptr,functext,suggestions,interestinggadgets,criteria,modulecriteria,routine)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 9581, in getPickupGadget
    if len(allpointers) > 0:
TypeError: object of type 'NoneType' has no len()

********************************************************************************

After the error, WinDbg complained that pykd was broken. This was using version 606.

0:000> !py mona version

 Oops - It seems that PyKD was unable problem to get the PEB object.
 This usually means that
  1. msdiaxxx.dll has not been registered correctly    and/or
  2. symbols are missing for ntdll.dll

 Possible solutions:
 -------------------
 1. Re-register the VC runtime library:
    * For PyKd v0.2.0.29:
      (Re)Install the x86 VC++ Redistributable Package for Visual Studio 2008
       (https://www.microsoft.com/en-us/download/details.aspx?id=29)
      Next, run the following command from an administrator prompt:
        (x86) regsvr32.exe "%ProgramFiles%\Common Files\microsoft shared\VC\msdia90.dll"

        (x64) regsvr32.exe "%ProgramFiles(x86)%\Common Files\microsoft shared\VC\msdia90.dll"

 2. Force download of the Symbols for ntdll.dll
    * Connect to the internet, and verify that the symbol path is configured correctly
      Assuming that the local symbol path is set to c:\symbols,
      run the following command from within the windbg application folder
        symchk /r c:\windows\system32\ntdll.dll /s SRV*c:\symbols*http://msdl.microsoft.com/download/symbols

 Restart windbg and try again

I'm trying the latest version now.
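The tracebacks in the post above all fail in `getNtHeaders`, where pykd is asked for a typed variable at `modulebase + pykd.ptrDWord(modulebase + 0x3c)` and the type lookup through ntdll's symbols breaks. The following is an added example, not code from mona.py, windbglib.py or this thread: it decodes the same headers and the import/IAT data directories from raw bytes with no symbol dependency. The `read` callback, the helper names, the base address and the sample image are constructed assumptions.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1   # import descriptor table
IMAGE_DIRECTORY_ENTRY_IAT = 12     # import address table


class PEFormatError(ValueError):
    """The bytes at the given base do not form a valid PE image header."""


def parse_nt_headers(read, base):
    """Decode NT headers at base + dword[base + 0x3c] using raw reads only.

    read(addr, size) is a hypothetical callback that returns up to `size`
    bytes of target memory and a short or empty result on failure.
    """
    dos = read(base, 0x40)
    if len(dos) < 0x40 or dos[:2] != b"MZ":
        raise PEFormatError("no MZ header at 0x%08x" % base)
    e_lfanew = struct.unpack_from("<I", dos, 0x3C)[0]
    nt = base + e_lfanew

    # 4-byte signature followed by the 20-byte IMAGE_FILE_HEADER.
    hdr = read(nt, 24)
    if len(hdr) < 24 or hdr[:4] != b"PE\x00\x00":
        raise PEFormatError("no PE signature at 0x%08x" % nt)
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", hdr, 4)

    opt = read(nt + 24, opt_size)
    if opt_size < 2 or len(opt) < opt_size:
        raise PEFormatError("optional header truncated")
    magic = struct.unpack_from("<H", opt, 0)[0]
    # Data directories start at a different offset for PE32 and PE32+.
    dir_off = {0x10B: 96, 0x20B: 112}.get(magic)
    if dir_off is None or opt_size < dir_off:
        raise PEFormatError("unsupported or short optional header "
                            "(magic 0x%04x)" % magic)

    count = struct.unpack_from("<I", opt, dir_off - 4)[0]
    dirs = {}
    for index in range(min(count, 16)):
        off = dir_off + 8 * index
        if off + 8 > len(opt):
            break  # header claims more entries than it carries
        dirs[index] = struct.unpack_from("<II", opt, off)  # (rva, size)

    return {
        "nt_headers": nt,
        "machine": machine,
        "magic": magic,
        "import_dir": dirs.get(IMAGE_DIRECTORY_ENTRY_IMPORT),
        "iat_dir": dirs.get(IMAGE_DIRECTORY_ENTRY_IAT),
    }


def build_sample_image():
    """Constructed PE32 header (not taken from any module in the thread)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(96 + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * 1, 0x2000, 0x50)    # import dir
    struct.pack_into("<II", opt, 96 + 8 * 12, 0x3000, 0x40)   # IAT dir
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x2102)
    return bytes(dos) + b"PE\x00\x00" + file_hdr + bytes(opt)


def make_reader(image, base):
    """Serve reads from an in-memory image as if it were mapped at base."""
    def read(addr, size):
        off = addr - base
        return image[off:off + size] if off >= 0 else b""
    return read


if __name__ == "__main__":
    base = 0x10000000  # constructed load address
    info = parse_nt_headers(make_reader(build_sample_image(), base), base)
    print({k: (hex(v) if isinstance(v, int) else v) for k, v in info.items()})
```

A reader that raises `PEFormatError` for a module lets the caller skip that module explicitly instead of continuing with a `None` object.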

corelanc0d3r commented 4 years ago

hmmm ok, I'll do more debugging, thanks for the update

modpr0be commented 4 years ago

No worries.. I'll keep updating for you. Let's hope the last version works now

corelanc0d3r commented 4 years ago

I know it doesn't really solve the problem yet, but in the latest version you can now specify what rop technique must be produced with -s, for instance: !py mona rop -cpb '\x00\x0a\x0d\x22\x2c' -m Jcl100.bpl -s virtualprotect

(that way, it won't even attempt to create the one for virtualalloc, and thus it will finish faster (and probably won't run into issues when it's not able to find stuff))

modpr0be commented 4 years ago

> I know it doesn't really solve the problem yet, but in the latest version you can now specify what rop technique must be produced with -s, for instance: !py mona rop -cpb '\x00\x0a\x0d\x22\x2c' -m Jcl100.bpl -s virtualprotect
>
> (that way, it won't even attempt to create the one for virtualalloc, and thus it will finish faster (and probably won't run into issues when it's not able to find stuff))

Okay thanks Peter, I'm trying now.

modpr0be commented 4 years ago

It works and very fast too!! Thanks a lot Peter!

0:000> .load pykd.pyd;!py mona up
Hold on...
[+] Command used:
!py C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py up
[+] Version compare :
    Current Version : '2.0', Current Revision : 611
    Latest Version : '2.0', Latest Revision : 612
[+] New version available
    Updating to '2.0' r612
    Done
[+] Current version : '2.0' r612
[+] Locating windbglib path
[+] Checking if C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py needs an update...
[+] Version compare :
    Current Version : '1.0', Current Revision : 145
    Latest Version : '1.0', Latest Revision : 145
[+] You are running the latest version

[+] This mona.py action took 0:00:47.881000
0:000> !py mona rop -cpb '\x00\x0a\x0d\x22\x2c' -m Jcl100.bpl -s virtualprotect
Hold on...
[+] Command used:
!py C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py rop -cpb '\x00\x0a\x0d\x22\x2c' -m Jcl100.bpl -s virtualprotect

---------- Mona command started on 2020-07-13 03:44:46 (v2.0, rev 612) ----------
[+] Processing arguments and criteria
    - Pointer access level : X
    - Only querying modules Jcl100.bpl
    - Bad char filter will be applied to pointers : '\x00\x0a\x0d\x22\x2c' 
[+] Generating module info table, hang on...
    - Processing modules
    - Done. Let's rock 'n roll.
[+] Preparing output file '_rop_progress_ZahirApp6.exe_5976.log'
    - (Re)setting logfile C:\monalogs\ZahirApp6\_rop_progress_ZahirApp6.exe_5976.log
[+] Progress will be written to _rop_progress_ZahirApp6.exe_5976.log
[+] Maximum offset : 40
[+] (Minimum/optional maximum) stackpivot distance : 8
[+] Max nr of instructions : 6
[+] Split output into module rop files ? False
[+] Only creating rop chain for 'virtualprotect'
[+] Enumerating 22 endings in 1 module(s)...
    - Querying module Jcl100.bpl
    - Search complete :
       Ending : RETN 0x0C, Nr found : 159
       Ending : RETN 0x1C, Nr found : 4
       Ending : RETN 0x0A, Nr found : 1
       Ending : RETN, Nr found : 15484
       Ending : RETN 0x20, Nr found : 2
       Ending : RETN 0x18, Nr found : 37
       Ending : RETN 0x08, Nr found : 371
       Ending : RETN 0x24, Nr found : 2
       Ending : RETN 0x02, Nr found : 2
       Ending : RETN 0x10, Nr found : 42
       Ending : RETN 0x00, Nr found : 17
       Ending : RETN 0x14, Nr found : 15
       Ending : RETN 0x04, Nr found : 404
    - Filtering and mutating 16540 gadgets
      - Progress update : 1000 / 16540 items processed (Mon 2020/07/13 03:46:12 AM) - (6%)
      - Progress update : 2000 / 16540 items processed (Mon 2020/07/13 03:46:50 AM) - (12%)
      - Progress update : 3000 / 16540 items processed (Mon 2020/07/13 03:47:11 AM) - (18%)
      - Progress update : 4000 / 16540 items processed (Mon 2020/07/13 03:47:25 AM) - (24%)
      - Progress update : 5000 / 16540 items processed (Mon 2020/07/13 03:48:16 AM) - (30%)
      - Progress update : 6000 / 16540 items processed (Mon 2020/07/13 03:48:58 AM) - (36%)
      - Progress update : 7000 / 16540 items processed (Mon 2020/07/13 03:49:15 AM) - (42%)
      - Progress update : 8000 / 16540 items processed (Mon 2020/07/13 03:49:40 AM) - (48%)
      - Progress update : 9000 / 16540 items processed (Mon 2020/07/13 03:49:59 AM) - (54%)
      - Progress update : 10000 / 16540 items processed (Mon 2020/07/13 03:50:15 AM) - (60%)
      - Progress update : 11000 / 16540 items processed (Mon 2020/07/13 03:50:35 AM) - (66%)
      - Progress update : 12000 / 16540 items processed (Mon 2020/07/13 03:50:47 AM) - (72%)
      - Progress update : 13000 / 16540 items processed (Mon 2020/07/13 03:50:58 AM) - (78%)
      - Progress update : 14000 / 16540 items processed (Mon 2020/07/13 03:51:10 AM) - (84%)
      - Progress update : 15000 / 16540 items processed (Mon 2020/07/13 03:51:26 AM) - (90%)
      - Progress update : 16000 / 16540 items processed (Mon 2020/07/13 03:51:41 AM) - (96%)
      - Progress update : 16540 / 16540 items processed (Mon 2020/07/13 03:51:46 AM) - (100%)
[+] Creating suggestions list
[+] Processing suggestions
[+] Launching ROP generator
VirtualProtect
VirtualAlloc
[+] Attempting to produce rop chain for VirtualProtect
    Mon 2020/07/13 03:52:03 AM: Step 1/7: esi
** Error trying to process module kernelbase.dll
** Error trying to process module kernel32.dll
    Getting IAT for Jcl100.bpl.
    Enumerating IAT

************* Symbol Loading Error Summary **************
Module name            Error
rtl100                 The system cannot find the file specified

You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
[+] Searching from 0x48000000 to 0x48324000
    Mon 2020/07/13 03:55:07 AM: Step 2/7: ebp
    Mon 2020/07/13 03:55:08 AM: Step 3/7: ebx
    Mon 2020/07/13 03:55:08 AM: Step 4/7: edx
    Mon 2020/07/13 03:55:08 AM: Step 5/7: ecx
    Mon 2020/07/13 03:55:08 AM: Step 6/7: edi
    Mon 2020/07/13 03:55:08 AM: Step 7/7: eax
[+] Preparing output file 'Jcl100.bpl_virtualprotect.xml'
    - (Re)setting logfile C:\monalogs\ZahirApp6\Jcl100.bpl_virtualprotect.xml
[+] Preparing output file 'rop_chains.txt'
    - (Re)setting logfile C:\monalogs\ZahirApp6\rop_chains.txt
[+] ROP chains written to file C:\monalogs\ZahirApp6\rop_chains.txt

[+] This mona.py action took 0:11:44.871000