-
Notifications
You must be signed in to change notification settings - Fork 45
/
mona-cheat-sheet
87 lines (67 loc) · 2.76 KB
/
mona-cheat-sheet
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
Looking to jump between bytes?
What address are you located?
What address do you want to jump to?
Add or subtract those two together. (Difference example: 0xFFFFF69)
Use mona to search for this!
- Get the equivalent opcode of the instruction JMP 0xFFFFFF69
!mona assemble -s "JMP 0xFFFFFF69"
-------------------------------------------------------------------------------
Find offset locations:
!mona findmsp
------------------------------------------------------------------------------
MONA FOR SUB/AND ENCODING:
!mona encode -t alphanum -s '\x90\x90\xFF\xE2'
------------------------------------------------------------------------------
Use mona to find bad characters:
!mona config -set workingfolder c:\logs\%p
!mona bytearray
!mona bytearray –cpb "\x00"
!mona compare -f C:\logs\<FILL>\bytearray.bin -a <ADDRESS WHERE YOUR BAD CHARACTERS START>
-------------------------------------------------------------------------------
The -o flag will tell Mona to ignore OS modules.
!mona seh -o
-------------------------------------------------------------------------------
Find instruction in specific DLL:
!mona find -s " " -m example.dll
------------
Using ASCII:
!mona jmp -r esp -cp ascii
------------------------------------------------------------------------------
32-bit egghunter generate:
!mona egg -t w00t -cpb “\x00”
------------------------------------------------------------------------------
POP POP RET:
!mona seh
!mona seh -cp ascii
-----------------------------------------------------------------------------
ASLR:
!mona noaslr
------------------------------------------------------------------------------
!mona seh -cp unicode
------------------------------------------------------------------------------
Tge way around SafeSEH!
!mona jseh
look for similar instructions outside the loaded modules. This is a good approach to bypass the SafeSEH memory protection.
------------------------------------------------------------------------------
Iwantmorepizza list:
!mona findmsf:
search various places for the Metasploit pattern, returning the resulting offset for all the matches
!mona seh:
search the memory for all the gadgets that we can use as Structured Exception Handler a
nd automatically categorize them in the following groups depending on their properties:
unicode (this will include unicode transforms as well)
ascii
asciiprint
upper
lower
uppernum
lowernum
numeric
alphanum
nonull
startswithnull
!mona egg -t w00t: generate the traditional 32 bits egghunter
!mona jmp -r <REG>: find all the gadget to perform a jmp into the specified register
!mona cmp -a <ADDR> -f <FILE>: it compares a chunk of memory with a specified file on disk in order to detected
potential truncations or bad characters and displays a nice matrix to present the results.
--------------