Mona failed to produce ropchain, got exception errors regarding IAT

When opening a new issue, please fill out the following sections:

Expected behavior

mona.py completes the ropchain/rop chain creation function.

Actual behavior

Mona throws errors when trying to produce a VirtualProtect ropchain. The issue is the same case as the one reported here https://github.com/corelan/mona/issues/44 but I got more errors.

Steps to reproduce the problem

Other useful information (mona version, debugger & debugger version, OS version, etc)

Last logs related to errors

************* Symbol Loading Error Summary **************
Module name            Error
Tee710                 The system cannot find the file specified

You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2951, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
TypeException: _IMAGE_NT_HEADERS : symbol name is not found

** Error trying to process module TeeUI710.bpl
** Error trying to process module TeeUI710.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

** Error trying to process module JvDlgs100.bpl
** Error trying to process module JvDlgs100.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

** Error trying to process module vclactnband100.bpl
** Error trying to process module vclactnband100.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

** Error trying to process module JvStdCtrls100.bpl
** Error trying to process module JvStdCtrls100.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

** Error trying to process module rtl100.bpl
** Error trying to process module rtl100.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

** Error trying to process module VclSmp100.bpl
** Error trying to process module VclSmp100.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

** Error trying to process module TeeDB710.bpl
** Error trying to process module TeeDB710.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

** Error trying to process module xmlrtl100.bpl
** Error trying to process module xmlrtl100.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

** Error trying to process module JclVcl100.bpl
** Error trying to process module JclVcl100.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

** Error trying to process module Windows.StateRepositoryPS.dll
********************************************************************************
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 19097, in main
    commands[command].parseProc(opts)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 12050, in procROP
    findROPGADGETS(modulecriteria,criteria,endings,maxoffset,depth,split,thedistance,fast,mode,sortedprint)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 6558, in findROPGADGETS
    vplogtxt = createRopChains(suggestions,interestinggadgets,ropgadgets,modulecriteria,criteria,objprogressfile,progressfile)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 8812, in createRopChains
    thischain[thisreg],skiplist = getPickupGadget(thisreg,funcptr,functext,suggestions,interestinggadgets,criteria,modulecriteria,routine)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 9572, in getPickupGadget
    allpointers = findPattern(modulecriteria,criteria,pattern,type,base,top)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 7601, in findPattern
    outside = getRangesOutsideModules()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 5344, in getRangesOutsideModules
    populateModuleInfo()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 5818, in populateModuleInfo
    thismod = MnModule(key)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2720, in __init__
    mzbase    = mod.getBaseAddress()
AttributeError: 'NoneType' object has no attribute 'getBaseAddress'

********************************************************************************

Thank you for your help Peter.
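An added illustration, not code from mona, windbglib or this issue, of the two failure modes in the tracebacks above: a module lookup that returns None (the 'NoneType' AttributeError) and NT headers located through e_lfanew at offset 0x3c without relying on ntdll's _IMAGE_NT_HEADERS type symbol. The names build_fake_module, get_nt_headers and safe_get_symbols are hypothetical, and the PE image is constructed inline.

```python
import struct

def build_fake_module(e_lfanew=0x80, machine=0x014C):
    """Constructed minimal PE image: DOS stub with e_lfanew at 0x3c, then the
    'PE\\0\\0' signature and a COFF file header. Not a real module."""
    img = bytearray(e_lfanew + 24)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, machine, 3, 0, 0, 0, 0xE0, 0x010F)
    return bytes(img)

def get_nt_headers(image):
    """Return (e_lfanew, machine, number_of_sections) by parsing raw bytes.
    windbglib.getNtHeaders does the same via ntdll's _IMAGE_NT_HEADERS type;
    parsing the bytes directly avoids depending on that symbol being loadable."""
    if image is None:
        # Equivalent of pykd.module() returning None for an unloaded .bpl module
        raise ValueError("module not found in debugger (lookup returned None)")
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if e_lfanew + 24 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature")
    machine, nsections = struct.unpack_from("<HH", image, e_lfanew + 4)
    return e_lfanew, machine, nsections

def safe_get_symbols(module_lookup, name):
    """The guard mona's getIAT lacks at line 2915: a None module is skipped
    (returns None) instead of raising AttributeError on .getSymbols()."""
    mod = module_lookup(name)
    if mod is None:
        return None
    return get_nt_headers(mod)
```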

Issue Analytics

  • State:closed
  • Created 3 years ago
  • Comments:30 (14 by maintainers)

Top GitHub Comments

1 reaction
modpr0be commented, Jul 13, 2020

It works, and very fast too!! Thanks a lot Peter!

0:000> .load pykd.pyd;!py mona up
Hold on...
[+] Command used:
!py C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py up
[+] Version compare :
    Current Version : '2.0', Current Revision : 611
    Latest Version : '2.0', Latest Revision : 612
[+] New version available
    Updating to '2.0' r612
    Done
[+] Current version : '2.0' r612
[+] Locating windbglib path
[+] Checking if C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py needs an update...
[+] Version compare :
    Current Version : '1.0', Current Revision : 145
    Latest Version : '1.0', Latest Revision : 145
[+] You are running the latest version

[+] This mona.py action took 0:00:47.881000
0:000> !py mona rop -cpb '\x00\x0a\x0d\x22\x2c' -m Jcl100.bpl -s virtualprotect
Hold on...
[+] Command used:
!py C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py rop -cpb '\x00\x0a\x0d\x22\x2c' -m Jcl100.bpl -s virtualprotect

---------- Mona command started on 2020-07-13 03:44:46 (v2.0, rev 612) ----------
[+] Processing arguments and criteria
    - Pointer access level : X
    - Only querying modules Jcl100.bpl
    - Bad char filter will be applied to pointers : '\x00\x0a\x0d\x22\x2c' 
[+] Generating module info table, hang on...
    - Processing modules
    - Done. Let's rock 'n roll.
[+] Preparing output file '_rop_progress_ZahirApp6.exe_5976.log'
    - (Re)setting logfile C:\monalogs\ZahirApp6\_rop_progress_ZahirApp6.exe_5976.log
[+] Progress will be written to _rop_progress_ZahirApp6.exe_5976.log
[+] Maximum offset : 40
[+] (Minimum/optional maximum) stackpivot distance : 8
[+] Max nr of instructions : 6
[+] Split output into module rop files ? False
[+] Only creating rop chain for 'virtualprotect'
[+] Enumerating 22 endings in 1 module(s)...
    - Querying module Jcl100.bpl
    - Search complete :
       Ending : RETN 0x0C, Nr found : 159
       Ending : RETN 0x1C, Nr found : 4
       Ending : RETN 0x0A, Nr found : 1
       Ending : RETN, Nr found : 15484
       Ending : RETN 0x20, Nr found : 2
       Ending : RETN 0x18, Nr found : 37
       Ending : RETN 0x08, Nr found : 371
       Ending : RETN 0x24, Nr found : 2
       Ending : RETN 0x02, Nr found : 2
       Ending : RETN 0x10, Nr found : 42
       Ending : RETN 0x00, Nr found : 17
       Ending : RETN 0x14, Nr found : 15
       Ending : RETN 0x04, Nr found : 404
    - Filtering and mutating 16540 gadgets
      - Progress update : 1000 / 16540 items processed (Mon 2020/07/13 03:46:12 AM) - (6%)
      - Progress update : 2000 / 16540 items processed (Mon 2020/07/13 03:46:50 AM) - (12%)
      - Progress update : 3000 / 16540 items processed (Mon 2020/07/13 03:47:11 AM) - (18%)
      - Progress update : 4000 / 16540 items processed (Mon 2020/07/13 03:47:25 AM) - (24%)
      - Progress update : 5000 / 16540 items processed (Mon 2020/07/13 03:48:16 AM) - (30%)
      - Progress update : 6000 / 16540 items processed (Mon 2020/07/13 03:48:58 AM) - (36%)
      - Progress update : 7000 / 16540 items processed (Mon 2020/07/13 03:49:15 AM) - (42%)
      - Progress update : 8000 / 16540 items processed (Mon 2020/07/13 03:49:40 AM) - (48%)
      - Progress update : 9000 / 16540 items processed (Mon 2020/07/13 03:49:59 AM) - (54%)
      - Progress update : 10000 / 16540 items processed (Mon 2020/07/13 03:50:15 AM) - (60%)
      - Progress update : 11000 / 16540 items processed (Mon 2020/07/13 03:50:35 AM) - (66%)
      - Progress update : 12000 / 16540 items processed (Mon 2020/07/13 03:50:47 AM) - (72%)
      - Progress update : 13000 / 16540 items processed (Mon 2020/07/13 03:50:58 AM) - (78%)
      - Progress update : 14000 / 16540 items processed (Mon 2020/07/13 03:51:10 AM) - (84%)
      - Progress update : 15000 / 16540 items processed (Mon 2020/07/13 03:51:26 AM) - (90%)
      - Progress update : 16000 / 16540 items processed (Mon 2020/07/13 03:51:41 AM) - (96%)
      - Progress update : 16540 / 16540 items processed (Mon 2020/07/13 03:51:46 AM) - (100%)
[+] Creating suggestions list
[+] Processing suggestions
[+] Launching ROP generator
VirtualProtect
VirtualAlloc
[+] Attempting to produce rop chain for VirtualProtect
    Mon 2020/07/13 03:52:03 AM: Step 1/7: esi
** Error trying to process module kernelbase.dll
** Error trying to process module kernel32.dll
    Getting IAT for Jcl100.bpl.
    Enumerating IAT

************* Symbol Loading Error Summary **************
Module name            Error
rtl100                 The system cannot find the file specified

You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
[+] Searching from 0x48000000 to 0x48324000
    Mon 2020/07/13 03:55:07 AM: Step 2/7: ebp
    Mon 2020/07/13 03:55:08 AM: Step 3/7: ebx
    Mon 2020/07/13 03:55:08 AM: Step 4/7: edx
    Mon 2020/07/13 03:55:08 AM: Step 5/7: ecx
    Mon 2020/07/13 03:55:08 AM: Step 6/7: edi
    Mon 2020/07/13 03:55:08 AM: Step 7/7: eax
[+] Preparing output file 'Jcl100.bpl_virtualprotect.xml'
    - (Re)setting logfile C:\monalogs\ZahirApp6\Jcl100.bpl_virtualprotect.xml
[+] Preparing output file 'rop_chains.txt'
    - (Re)setting logfile C:\monalogs\ZahirApp6\rop_chains.txt
[+] ROP chains written to file C:\monalogs\ZahirApp6\rop_chains.txt

[+] This mona.py action took 0:11:44.871000
1 reaction
corelanc0d3r commented, Jul 11, 2020

quick update: can you try this:

  • Create a version of the exploit that only contains breakpoints instead of bindshell
  • run the application, attach windbg to the first ZahirApp6.exe process
  • trigger the overflow, make it hit the breakpoints
  • break windbg, check if the bpl modules are loaded now
  • run `!py mona rop -cpb '\x00\x0a\x0d\x22\x2c'`

(still running on my system. with almost 115K+ gadgets, will take a while to complete. Might be better to restrict it to just a few modules instead of all bpl modules)
