Overview

This is the Corelan Team project page for 'mona', a debugger plugin / Exploit Development Swiss Army Knife.
This plugin replaces pvefindaddr, which is no longer supported as of mid june 2011.

The plugin has been tested on

Immunity Debugger 1.83 and up. (Older versions of Immunity Debugger are not supported and may not work.)
WinDBG

Download¶

You can download the latest version here

Install¶

Immunity Debugger :
Simply drop mona.py in the PyCommands folder inside your Immunity Debugger program folder.

WinDBG
Check installations instructions here

Suggested Initial configuration¶

Mona has a configuration file which can be used to set 2 global options

workingfolder

If you don't want the pycommand to write its output into the Immunity Debugger or WinDBG program folder, you can set the workingfolder global option. Let's say we want to store output files in named subfolders of c:\logs :

create c:\logs
inside Immunity Debugger, run !mona config -set workingfolder c:\logs\%p
inside WinDBG, run !py mona config -set workingfolder c:\logs\%p

Note : %p will be replaced with the process name at runtime. This way, your output will be automatically categorized, making it easier to retrieve.

excluded_modules

If your exploit development machine has modules (shell extensions, etc) which you want to exclude from searches, you can simply add them to the configuration file :
Immunity
!mona config -set excluded_modules "module1.dll,module2.dll"
!mona config -add excluded_modules "module3.dll"

WinDBG :
!py mona config -set excluded_modules "module1.dll,module2.dll"
!py mona config -add excluded_modules "module3.dll"

(if you want to remove a module from the list, simply look for mona.ini in the Immunity Debugger program folder and edit the file)

Update¶

Once you have mona installed, you can update it using the following command
Immunity Debugger:

!mona update

WinDBG

!py mona update

This will attempt to update the pycommand over https. If this fails, you can still try to run

Immunity Debugger:

!mona update -http

WinDBG

!py mona update -http

Documentation¶

You can find installation and usage instructions here

Bugs / Feature requests¶

If you want to report bugs or request features, please

Register a useraccount on redmine (and send me an email indicating you want to report a bug or feature)
Create a new ticket

Want to contribute yourself ?¶

Create a ticket and submit patches (diff against last version of mona.py)

License¶

mona.py is released under the BSD-3 license:

Copyright (c) 2011-2012, Peter Van Eeckhoutte - Corelan GCV
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
    * Redistributions of source code must retain the above copyright
      notice, this list of conditions and the following disclaimer.
    * Redistributions in binary form must reproduce the above copyright
      notice, this list of conditions and the following disclaimer in the
      documentation and/or other materials provided with the distribution.
    * Neither the name of Corelan nor the
      names of its contributors may be used to endorse or promote products
      derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL PETER VAN EECKHOUTTE OR CORELAN GCV BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.