mona: Mona failed to produce ropchain, got exception errors regarding IAT
Expected behavior
mona.py completes the ropchain/rop chain creation function.
Actual behavior
Mona throws errors when trying to produce a VirtualProtect ropchain. The issue is the same case as someone's here https://github.com/corelan/mona/issues/44 but I got more errors.
Steps to reproduce the problem
- I’m following the default installation of Mona in Windbg as mentioned here https://github.com/corelan/windbglib
- I’m trying to create a ROP version of this exploit (https://www.exploit-db.com/exploits/45505), but when I do, the problem persists across Windows installations.
- If you have time to try:
- Zahir download: http://zahiraccounting.com/files/zahir-accounting-6-free-trial.zip
- Update to latest version: https://zahir.info/download/UpdateZahir6/Zahir_CS_6_Build13.zip
Other useful information (mona version, debugger & debugger version, OS version, etc)
- Mona version is latest
- Debugger is windbg x86
- Windbg version is 10.0.19041.1 x86
- OS is WinDev2005 (enterprise evaluation https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/)
Last logs related to errors
************* Symbol Loading Error Summary **************
Module name Error
Tee710 The system cannot find the file specified
You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
Traceback (most recent call last):
File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2951, in getIAT
thisfuncfullname = thisfunc.getName().lower()
File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
syms = thismod.getSymbols()
File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
ntHeader = getNtHeaders(self.modbase)
File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
TypeException: _IMAGE_NT_HEADERS : symbol name is not found
** Error trying to process module TeeUI710.bpl
** Error trying to process module TeeUI710.bpl
Traceback (most recent call last):
File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'
** Error trying to process module JvDlgs100.bpl
** Error trying to process module JvDlgs100.bpl
Traceback (most recent call last):
File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'
** Error trying to process module vclactnband100.bpl
** Error trying to process module vclactnband100.bpl
Traceback (most recent call last):
File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'
** Error trying to process module JvStdCtrls100.bpl
** Error trying to process module JvStdCtrls100.bpl
Traceback (most recent call last):
File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'
** Error trying to process module rtl100.bpl
** Error trying to process module rtl100.bpl
Traceback (most recent call last):
File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'
** Error trying to process module VclSmp100.bpl
** Error trying to process module VclSmp100.bpl
Traceback (most recent call last):
File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'
** Error trying to process module TeeDB710.bpl
** Error trying to process module TeeDB710.bpl
Traceback (most recent call last):
File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'
** Error trying to process module xmlrtl100.bpl
** Error trying to process module xmlrtl100.bpl
Traceback (most recent call last):
File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'
** Error trying to process module JclVcl100.bpl
** Error trying to process module JclVcl100.bpl
Traceback (most recent call last):
File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'
** Error trying to process module Windows.StateRepositoryPS.dll
********************************************************************************
Traceback (most recent call last):
File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 19097, in main
commands[command].parseProc(opts)
File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 12050, in procROP
findROPGADGETS(modulecriteria,criteria,endings,maxoffset,depth,split,thedistance,fast,mode,sortedprint)
File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 6558, in findROPGADGETS
vplogtxt = createRopChains(suggestions,interestinggadgets,ropgadgets,modulecriteria,criteria,objprogressfile,progressfile)
File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 8812, in createRopChains
thischain[thisreg],skiplist = getPickupGadget(thisreg,funcptr,functext,suggestions,interestinggadgets,criteria,modulecriteria,routine)
File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 9572, in getPickupGadget
allpointers = findPattern(modulecriteria,criteria,pattern,type,base,top)
File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 7601, in findPattern
outside = getRangesOutsideModules()
File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 5344, in getRangesOutsideModules
populateModuleInfo()
File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 5818, in populateModuleInfo
thismod = MnModule(key)
File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2720, in __init__
mzbase = mod.getBaseAddress()
AttributeError: 'NoneType' object has no attribute 'getBaseAddress'
********************************************************************************
Thank you for your help Peter.
About this issue
- Original URL
- State: closed
- Created 4 years ago
- Comments: 30 (14 by maintainers)
It works and very fast too!! Thanks a lot Peter!
quick update: can you try this:
(still running on my system; with almost 115K+ gadgets, it will take a while to complete. Might be better to restrict it to just a few modules instead of all bpl modules)