When it comes to exploit development for Microsoft Windows, Mona.py is the go to library for most security researchers. In this post I list six commands that I use often. Watch the video for demonstration.

What is Mona.py?

• A pycommand for Immunity Debugger, designed and developed to aid the exploit development process

• Automates various tasks such as address search, pattern generation and comparison, egg hunter generation etc.

• Replaces pvefindaddr

• Developed by Corelanc0d3r (Peter Van Eeckhoutte)

• Official link: http://bit.ly/mona-py

Command 1: Set workingfolder

• Sets the working directory for mona to store command output and related files:

  • !mona config -set workingfolder c:\logs\%p

• This will tell mona to write the output to subfolders of c:\logs. The %p variable will be replaced with the process name currently being debugged.

• If you want to further group output, you can even use the %i variable in the workingfolder parameter. This variable will get replaced with the process ID of the application being debugged.

Command 2: bytearray

• Generates an array of hex bytes from \x00 to \xff (except for the excluded ones):

  • !mona bytearray

• Produces two files: text and binary

• Takes two flags:

  • -b – to exclude bytes from array

  • -r – to output array in the reverse order (\xff..\x00)

• Use compare command to automate the comparison process:

  • !mona compare –f <filename> -a <address>

Command 3: pc, po & findmsp

• Generates a cyclic pattern (Metasploit pattern) of a given size and length:

  • !mona pc <length>

• Locates given four bytes in a cyclic pattern and returns the offset:

  • !mona po <bytes>

• Find instances of the cyclic pattern:

  • !mona findmsp

• Optional argument:

  • -distance Sets the distance from ESP to begin search from

Command 4: egg

• Creates an egghunter routine with a default tag (w00t):

  • !mona egg

• Optional arguments:

  • -t : tag (ex: w00t). Default value is w00t

  • -c : enable checksum routine. Only works in conjunction with parameter -f

  • -f : file containing the shellcode

  • -depmethod : method can be “virtualprotect”, “copy” or “copy_size”

  • -depreg : sets the register that contains a pointer to the API function to bypass DEP. By default this register is set to ESI

  • -depsize : sets the size for the dep bypass routine

  • -depdest : this register points to the location of the egghunter itself.

Command 5: jmp

• Searches for pointers that will lead to execution of the code located at the address pointed by a given register:

  • !mona jmp –r <register>

• Default module criteria : skip aslr and rebase modules. The search will include OS modules by default, but this can be overruled by using the -cm os=false global option.

Command 6: seh

• Searches for pointers to routines that will lead to code execution in a SEH overwrite exploit:

  • !mona seh

• By default, it will attempt to bypass SafeSEH by excluding pointers from rebase, aslr and safeseh protected modules.

• The optional -all parameter, if specified, will also search for pointers in memory locations outside of loaded modules.

Watch the video

Learn the art of exploit development

If you want to learn the art of exploit development check out our Hands-on courses:

• Hands-on Exploit Development

• Hands-on Exploit Development (Advanced)

• Immunity Debugger for Exploit Devs - YCSC Lab Essentials