corelan / mona

Corelan Repository for mona.py
BSD 3-Clause "New" or "Revised" License

mona rop Error #61

Closed secxue closed 2 years ago

secxue commented 2 years ago

When opening a new issue, please fill out the following sections:

Expected behavior

get rop chain

Actual behavior

[+] Enumerating 22 endings in 1 module(s)...


Steps to reproduce the problem

2:033> !py mona rop -m mshtml.dll
Hold on...
[+] Command used:
!py mona.py rop -m mshtml.dll

---------- Mona command started on 2022-10-27 22:17:13 (v2.0, rev 618) ----------
[+] Processing arguments and criteria


Other useful information (mona version, debugger & debugger version, OS version, etc)

WinDbg 6.12, Windows 7 Pro, mshtml version: File version: 8.0.7600.16385

dms1lva commented 2 years ago

I can't reproduce @secxue. Can you post the output of the command !address?

secxue commented 2 years ago

You can't comment at this time — your comment is too long (maximum is 65536 characters).

So I can only send some of it.

2:037> g
(e7c.408): Unknown exception - code 80010108 (first chance)
(a44.e6c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000009 ebx=00001004 ecx=00010049 edx=00000010 esi=0c832ffc edi=0c833014
eip=678bf167 esp=0475d8b0 ebp=0475d8bc iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
mshtml!CTableColCalc::AdjustForCol+0x15:
678bf167 890f            mov     dword ptr [edi],ecx  ds:0023:0c833014=????????
2:037> !py mona rop -m mshtml.dll
Hold on...
[+] Command used:
!py mona.py rop -m mshtml.dll

---------- Mona command started on 2022-10-28 19:41:10 (v2.0, rev 618) ----------
[+] Processing arguments and criteria
    - Pointer access level : X
    - Only querying modules mshtml.dll
[+] Generating module info table, hang on...
    - Processing modules
    - Done. Let's rock 'n roll.
[+] Preparing output file '_rop_progress_iexplore.exe_2628.log'
    - (Re)setting logfile _rop_progress_iexplore.exe_2628.log
[+] Progress will be written to _rop_progress_iexplore.exe_2628.log
[+] Maximum offset : 40
[+] (Minimum/optional maximum) stackpivot distance : 8
[+] Max nr of instructions : 6
[+] Split output into module rop files ? False
[+] Going to create rop chains for all relevant/supported techniques: 
[+] Enumerating 22 endings in 1 module(s)...
    - Querying module mshtml.dll
********************************************************************************
Traceback (most recent call last):
  File "mona.py", line 19195, in main
    commands[command].parseProc(opts)
  File "mona.py", line 12147, in procROP
    findROPGADGETS(modulecriteria,criteria,endings,maxoffset,depth,split,thedistance,fast,mode,sortedprint,technique)
  File "mona.py", line 6380, in findROPGADGETS
    found_opcodes = searchInModule(search,thismodule,criteria)
  File "mona.py", line 5334, in searchInModule
    return searchInRange(sequences, start, end, criteria)
  File "mona.py", line 5214, in searchInRange
    dbg.getMemoryPages()
  File "C:\Program Files\Debugging Tools for Windows (x86)\windbglib.py", line 1063, in getMemoryPages
    size = int(info[3].replace('`', ''), base=16)
ValueError: invalid literal for int() with base 16: 'MEM_IMAGE'

********************************************************************************
2:037> !address

  BaseAddr EndAddr+1 RgnSize     Type       State                 Protect             Usage
-------------------------------------------------------------------------------------------
*        0    10000    10000             MEM_FREE    PAGE_NOACCESS                      Free 
*    10000    20000    10000 MEM_MAPPED  MEM_COMMIT  PAGE_READWRITE                     MemoryMappedFile "PageFile"
*    20000    26000     6000 MEM_MAPPED  MEM_COMMIT  PAGE_READONLY                      MemoryMappedFile "PageFile"
*    26000    30000     a000             MEM_FREE    PAGE_NOACCESS                      Free 
*    30000    34000     4000 MEM_MAPPED  MEM_COMMIT  PAGE_READONLY                      MemoryMappedFile "PageFile"
*    34000    40000     c000             MEM_FREE    PAGE_NOACCESS                      Free 
*    40000    41000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     <unclassified> 
*    41000    50000     f000             MEM_FREE    PAGE_NOACCESS                      Free 
*    50000    51000     1000 MEM_MAPPED  MEM_COMMIT  PAGE_READWRITE                     MemoryMappedFile "PageFile"
*    51000    60000     f000             MEM_FREE    PAGE_NOACCESS                      Free 
*    60000    61000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     <unclassified> 
*    61000    70000     f000             MEM_FREE    PAGE_NOACCESS                      Free 
*    70000    71000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     <unclassified> 
|-   71000    b0000    3f000 MEM_PRIVATE MEM_RESERVE                                    <unclassified> 
*    b0000   117000    67000 MEM_MAPPED  MEM_COMMIT  PAGE_READONLY                      MemoryMappedFile "\Device\HarddiskVolume1\Windows\System32\locale.nls"
*   117000   120000     9000             MEM_FREE    PAGE_NOACCESS                      Free 
*   120000   121000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     <unclassified> 
*   121000   130000     f000             MEM_FREE    PAGE_NOACCESS                      Free 
*   130000   131000     1000 MEM_MAPPED  MEM_COMMIT  PAGE_READONLY                      MemoryMappedFile "\Device\HarddiskVolume1\Windows\System32\oleaccrc.dll"
*   131000   140000     f000             MEM_FREE    PAGE_NOACCESS                      Free 
*   140000   230000    f0000 MEM_PRIVATE MEM_RESERVE                                    Stack [e1c.5dc; ~23]
|-  230000   232000     2000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE|PAGE_GUARD          Stack [e1c.5dc; ~23]
|-  232000   240000     e000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     Stack [e1c.5dc; ~23]
*   240000   241000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READONLY                      PageHeap [PageHeap: 240000; NormalHeap: 14b0000]
|-  241000   246000     5000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PageHeap [PageHeap: 240000; NormalHeap: 14b0000]
|-  246000   247000     1000 MEM_PRIVATE MEM_RESERVE                                    PageHeap [PageHeap: 240000; NormalHeap: 14b0000]
|-  247000   248000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PageHeap [PageHeap: 240000; NormalHeap: 14b0000]
|-  248000   249000     1000 MEM_PRIVATE MEM_RESERVE                                    PageHeap [PageHeap: 240000; NormalHeap: 14b0000]
|-  249000   24a000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PageHeap [PageHeap: 240000; NormalHeap: 14b0000]
|-  24a000   24b000     1000 MEM_PRIVATE MEM_RESERVE                                    PageHeap [PageHeap: 240000; NormalHeap: 14b0000]
|-  24b000   24c000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PageHeap [PageHeap: 240000; NormalHeap: 14b0000]
|-  24c000   24d000     1000 MEM_PRIVATE MEM_RESERVE                                    PageHeap [PageHeap: 240000; NormalHeap: 14b0000]
|-  24d000   24e000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PageHeap [PageHeap: 240000; NormalHeap: 14b0000]
|-  24e000   24f000     1000 MEM_PRIVATE MEM_RESERVE                                    PageHeap [PageHeap: 240000; NormalHeap: 14b0000]
|-  24f000   250000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PageHeap [PageHeap: 240000; NormalHeap: 14b0000]
|-  250000   251000     1000 MEM_PRIVATE MEM_RESERVE                                    PageHeap [PageHeap: 240000; NormalHeap: 14b0000]
|-  251000   252000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PageHeap [PageHeap: 240000; NormalHeap: 14b0000]
|-  252000   253000     1000 MEM_PRIVATE MEM_RESERVE                                    PageHeap [PageHeap: 240000; NormalHeap: 14b0000]
|-  253000   254000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PageHeap [PageHeap: 240000; NormalHeap: 14b0000]
|-  254000   255000     1000 MEM_PRIVATE MEM_RESERVE                                    PageHeap [PageHeap: 240000; NormalHeap: 14b0000]
|-  255000   256000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PageHeap [PageHeap: 240000; NormalHeap: 14b0000]
|-  256000   257000     1000 MEM_PRIVATE MEM_RESERVE                                    PageHeap [PageHeap: 240000; NormalHeap: 14b0000]
|-  257000   258000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PageHeap [PageHeap: 240000; NormalHeap: 14b0000]
|-  258000   259000     1000 MEM_PRIVATE MEM_RESERVE                                    PageHeap [PageHeap: 240000; NormalHeap: 14b0000]
|-  259000   25a000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PageHeap [PageHeap: 240000; NormalHeap: 14b0000]
|-  25a000   25b000     1000 MEM_PRIVATE MEM_RESERVE                                    PageHeap [PageHeap: 240000; NormalHeap: 14b0000]
|-  25b000   25c000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PageHeap [PageHeap: 240000; NormalHeap: 14b0000]
|-  25c000   25d000     1000 MEM_PRIVATE MEM_RESERVE                                    PageHeap [PageHeap: 240000; NormalHeap: 14b0000]
|-  25d000   25e000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PageHeap [PageHeap: 240000; NormalHeap: 14b0000]
|-  25e000   25f000     1000 MEM_PRIVATE MEM_RESERVE                                    PageHeap [PageHeap: 240000; NormalHeap: 14b0000]
|-  25f000   260000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PageHeap [PageHeap: 240000; NormalHeap: 14b0000]
|-  260000   261000     1000 MEM_PRIVATE MEM_RESERVE                                    PageHeap [PageHeap: 240000; NormalHeap: 14b0000]
|-  261000   262000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PageHeap [PageHeap: 240000; NormalHeap: 14b0000]
|-  262000   263000     1000 MEM_PRIVATE MEM_RESERVE                                    PageHeap [PageHeap: 240000; NormalHeap: 14b0000]
|-  263000   264000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PageHeap [PageHeap: 240000; NormalHeap: 14b0000]
|-  264000   265000     1000 MEM_PRIVATE MEM_RESERVE                                    PageHeap [PageHeap: 240000; NormalHeap: 14b0000]
|-  265000   266000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PageHeap [PageHeap: 240000; NormalHeap: 14b0000]
dms1lva commented 2 years ago

Thanks! I see the problem. The code is expecting a different format for the command. Should have a fix soon.
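The traceback above shows where the format mismatch bites: windbglib's getMemoryPages splits each !address row on whitespace and takes index 3 as RgnSize, which only works when every row carries a tree marker in its first column. The following is an added example, not code from mona or windbglib, of parsing the listing by named columns instead of fixed positions. The regex is an assumption about the WinDbg 6.12 format derived from the rows posted in this issue; the final MEM_IMAGE row in the sample is constructed (it reuses the mshtml range from the "lm m mshtml" output further down but has no leading marker), and naive_region_size only reconstructs the single expression shown in the traceback, not the actual windbglib source.

```python
import re

# Constructed sample: the first rows are copied from the !address listing
# posted in this issue; the last row is constructed (no leading tree marker),
# which is the shape that puts 'MEM_IMAGE' at index 3 of a whitespace split.
SAMPLE_ADDRESS_OUTPUT = """\
  BaseAddr EndAddr+1 RgnSize     Type       State                 Protect             Usage
-------------------------------------------------------------------------------------------
*        0    10000    10000             MEM_FREE    PAGE_NOACCESS                      Free
*    10000    20000    10000 MEM_MAPPED  MEM_COMMIT  PAGE_READWRITE                     MemoryMappedFile "PageFile"
*   140000   230000    f0000 MEM_PRIVATE MEM_RESERVE                                    Stack [e1c.5dc; ~23]
|-  230000   232000     2000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE|PAGE_GUARD          Stack [e1c.5dc; ~23]
  68ce0000 69292000   5b2000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE_READ                  Image [constructed row]
"""

# One region row of !address. Every column that can be blank or merged is
# optional, so fields are matched by name rather than by split() position.
ADDRESS_ROW = re.compile(
    r"^\s*(?:[*+|\-]+\s+)?"                              # tree marker: '*', '|-', '+' (may be absent)
    r"(?P<base>[0-9a-fA-F`]+)\s+"                        # BaseAddr (64-bit WinDbg inserts a backtick)
    r"(?P<end>[0-9a-fA-F`]+)\s+"                         # EndAddr+1
    r"(?P<size>[0-9a-fA-F`]+)\s+"                        # RgnSize
    r"(?:(?P<type>MEM_(?:IMAGE|MAPPED|PRIVATE))\s+)?"    # Type: blank on MEM_FREE rows
    r"(?P<state>MEM_(?:COMMIT|RESERVE|FREE))\s*"         # State
    r"(?:(?P<protect>PAGE_[A-Z_|]+)\s*)?"                # Protect: blank on MEM_RESERVE, or 'A|B'
    r"(?P<usage>.*?)\s*$"                                # Usage: free text
)


def _hex(field):
    return int(field.replace("`", ""), 16)


def parse_address_row(line):
    """Return a dict for one region row, or None for header/separator/blank lines."""
    m = ADDRESS_ROW.match(line)
    if not m:
        return None
    region = {
        "base": _hex(m["base"]),
        "end": _hex(m["end"]),
        "size": _hex(m["size"]),
        "type": m["type"],
        "state": m["state"],
        "protect": tuple(m["protect"].split("|")) if m["protect"] else (),
        "usage": m["usage"],
    }
    # Sanity check that the three numeric columns were not mis-assigned.
    if region["end"] - region["base"] != region["size"]:
        raise ValueError("inconsistent row: %r" % line)
    return region


def parse_address_output(text):
    """Parse a full !address listing into a list of region dicts."""
    return [r for r in (parse_address_row(l) for l in text.splitlines()) if r]


def executable_regions(regions):
    """Committed regions with an execute protection: the pages a search with
    'Pointer access level : X' actually has to scan."""
    return [r for r in regions
            if r["state"] == "MEM_COMMIT"
            and any(p.startswith("PAGE_EXECUTE") for p in r["protect"])]


def naive_region_size(line):
    """Reconstruction of the failing expression from the traceback (not the real
    windbglib source): index 3 is RgnSize only when a tree marker is present."""
    info = line.split()
    return int(info[3].replace("`", ""), base=16)


def naive_parse_fails(line):
    try:
        naive_region_size(line)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for r in parse_address_output(SAMPLE_ADDRESS_OUTPUT):
        print("%08x-%08x %-11s %-11s %-30s %s" % (
            r["base"], r["end"], r["type"] or "", r["state"],
            "|".join(r["protect"]), r["usage"]))
```

The end - base == size check is what catches a mis-assigned column early with a readable error instead of a ValueError deep inside a gadget search; the naive split happens to work on the rows shown in the issue and only fails on a marker-less row, which is why the bug was not reproducible on the maintainer's setup.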

secxue commented 2 years ago

Sorry, I downloaded the latest mona.py. It already has some problems:

0:013> lm m mshtml
start    end        module name
68ce0000 69292000   mshtml     (deferred)             
0:013> .load pykd.pyd
0:013> !py mona rop -m mshtml.dll
Hold on...
[+] Command used:
!py mona.py rop -m mshtml.dll

---------- Mona command started on 2022-10-29 11:20:26 (v2.0, rev 627) ----------
[+] Processing arguments and criteria
    - Pointer access level : X
    - Only querying modules mshtml.dll
[+] Generating module info table, hang on...
    - Processing modules
    - Done. Let's rock 'n roll.
[+] Preparing output file '_rop_progress_iexplore.exe_3172.log'
    - (Re)setting logfile _rop_progress_iexplore.exe_3172.log
[+] Progress will be written to _rop_progress_iexplore.exe_3172.log
[+] Maximum offset : 40
[+] (Minimum/optional maximum) stackpivot distance : 8
[+] Max nr of instructions : 6
[+] Split output into module rop files ? False
[+] Going to create rop chains for all relevant/supported techniques: 
[+] Enumerating 22 endings in 1 module(s)...
    - Querying module mshtml.dll
********************************************************************************
Traceback (most recent call last):
  File "mona.py", line 19215, in main
    commands[command].parseProc(opts)
  File "mona.py", line 12167, in procROP
    findROPGADGETS(modulecriteria,criteria,endings,maxoffset,depth,split,thedistance,fast,mode,sortedprint,technique)
  File "mona.py", line 6381, in findROPGADGETS
    found_opcodes = searchInModule(search,thismodule,criteria)
  File "mona.py", line 5340, in searchInModule
    return searchInRange(sequences, start, end, criteria)
  File "mona.py", line 5220, in searchInRange
    dbg.getMemoryPages()
  File "C:\Program Files\Debugging Tools for Windows (x86)\windbglib.py", line 1063, in getMemoryPages
    size = int(info[3].replace('`', ''), base=16)
ValueError: invalid literal for int() with base 16: 'MEM_IMAGE'

********************************************************************************
corelanc0d3r commented 2 years ago

You may have to upgrade windbglib as well. Please run !mona up and try again.

secxue commented 2 years ago

Thank you for your reply. I ran it successfully; thank you for your improvement.