When trying to use mona's find feature I get the following error:
mona.mona("find -s '\xff\xe4' -m binary.exe")
=>
  File "C:\tools\pwn\x64dbg\release\x32\plugins\x64dbgpy\mona.py", line 18391, in main
    commands[command].parseProc(opts)
  File "C:\tools\pwn\x64dbg\release\x32\plugins\x64dbgpy\mona.py", line 11814, in procFind
    thislog = logfile.reset()
  File "C:\tools\pwn\x64dbg\release\x32\plugins\x64dbgpy\mona.py", line 2454, in reset
    debuggedname = dbg.getDebuggedName()
  File "C:\tools\pwn\x64dbg\release\x32\plugins\x64dbgpy\x64dbgpylib.py", line 900, in getDebuggedName
    print offset
  File "C:\tools\pwn\x64dbg\release\x32\plugins\x64dbgpy\pykd.py", line 262, in loadUnicodeString
    raise DbgException("Corrupted UNICODE_STRING structure")
DbgException: Corrupted UNICODE_STRING structure
The exception happens because of an error on parsing the PEB in x64dbgpylib.
In getDebuggedName, x64dbgpylib uses getPEBInfo().ProcessParameters from pykd, which returns an object of type typePtr (a pointer to a struct RTL_USER_PROCESS_PARAMETERS). It then needs to dereference the pointer and get the ImagePathName member.
So the code uses the __add__ operation of typePtr, which resolves to __add__ of typeBase, which uses the address of the typePtr itself instead of the address of the struct that it points to. So the Python code ProcessParameters + offset results in PEB->process_parameters + offset, but we need *(PEB->process_parameters) + offset.
Demonstration (x32 app):
- Get the peb addr:
- Get the result of the __add__ (as you can see this is peb + 0x48, which is not what we want):
Command: print hex(x64dbgpylib.getPEBInfo().ProcessParameters + 0x38)
0x2fb048
In order to have the correct pointer we have to cast ProcessParameters to int, because that causes the __int__ method of class typePrimitive to be used (which dereferences the pointer). Verification:
Command: print hex(int(x64dbgpylib.getPEBInfo().ProcessParameters) + 0x38)
0x5818e8
So, the line
sImageFile = pykd.loadUnicodeString(ProcessParameters + offset).encode("utf8")
should be changed as follows:
sImageFile = pykd.loadUnicodeString(int(ProcessParameters) + offset).encode("utf8")
After this fix mona's find command starts to work for me.
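The pointer-versus-pointee confusion described in this report can be reproduced without a debugger. The following is an added example, not code from mona, x64dbgpy or pykd: it models a simplified typeBase/typePrimitive/typePtr hierarchy (the real pykd classes are more involved), lays out a constructed 32-bit address space with a fake PEB at 0x2fb000 whose ProcessParameters field (x86 offset 0x10) points at 0x5818b0, and then evaluates both `ProcessParameters + 0x38` and `int(ProcessParameters) + 0x38` against it. The addresses, the image path and the UNICODE_STRING sanity checks in `loadUnicodeString` are all assumptions made for the demonstration; the structure offsets are the x86 ones (PEB.ProcessParameters at 0x10, RTL_USER_PROCESS_PARAMETERS.ImagePathName at 0x38).

```python
import struct

# Constructed layout for the demo (not real process addresses).
PEB_ADDR = 0x2FB000                   # where the fake PEB lives
PROCESS_PARAMETERS_ADDR = 0x5818B0    # *(PEB->ProcessParameters)
IMAGE_PATH_ADDR = 0x582000            # UNICODE_STRING.Buffer target
IMAGE_PATH = "C:\\demo\\binary.exe"   # constructed sample image path
PEB_PROCESS_PARAMETERS_OFF = 0x10     # x86 PEB.ProcessParameters
RTL_IMAGE_PATH_NAME_OFF = 0x38        # x86 RTL_USER_PROCESS_PARAMETERS.ImagePathName


class DbgException(Exception):
    pass


def build_memory():
    """Fake 32-bit address space holding PEB, process parameters and the path."""
    mem = bytearray(0x600000)
    struct.pack_into("<I", mem, PEB_ADDR + PEB_PROCESS_PARAMETERS_OFF,
                     PROCESS_PARAMETERS_ADDR)
    path = IMAGE_PATH.encode("utf-16-le")
    # UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; }
    struct.pack_into("<HHI", mem, PROCESS_PARAMETERS_ADDR + RTL_IMAGE_PATH_NAME_OFF,
                     len(path), len(path) + 2, IMAGE_PATH_ADDR)
    mem[IMAGE_PATH_ADDR:IMAGE_PATH_ADDR + len(path)] = path
    return mem


class typeBase:
    """Simplified model of a typed variable: it knows the address it lives at."""
    def __init__(self, mem, addr):
        self._mem = mem
        self._addr = addr

    def __add__(self, offset):
        # The behaviour the report describes: arithmetic is done on the
        # address of the variable itself, not on the value it holds.
        return self._addr + offset


class typePrimitive(typeBase):
    def __int__(self):
        # Reads the variable's value; for a pointer that is the pointee address.
        return struct.unpack_from("<I", self._mem, self._addr)[0]


class typePtr(typePrimitive):
    """Pointer-sized primitive: int(ptr) yields the address it points to."""


class PEB:
    """Stand-in for getPEBInfo(): exposes ProcessParameters as a typePtr."""
    def __init__(self, mem):
        self.ProcessParameters = typePtr(mem, PEB_ADDR + PEB_PROCESS_PARAMETERS_OFF)


def loadUnicodeString(mem, addr):
    """Parse a UNICODE_STRING at addr; reject obviously corrupt ones."""
    length, max_length, buf = struct.unpack_from("<HHI", mem, addr)
    if buf == 0 or length % 2 or length > max_length:
        raise DbgException("Corrupted UNICODE_STRING structure")
    return mem[buf:buf + length].decode("utf-16-le")


def buggy_address(mem):
    # typePtr.__add__ -> typeBase.__add__: address of the pointer field + 0x38
    return PEB(mem).ProcessParameters + RTL_IMAGE_PATH_NAME_OFF


def fixed_address(mem):
    # int() dereferences the pointer first, then the offset is applied
    return int(PEB(mem).ProcessParameters) + RTL_IMAGE_PATH_NAME_OFF


def reproduce():
    """Returns (buggy addr, fixed addr, name via fixed path, error via buggy path)."""
    mem = build_memory()
    try:
        loadUnicodeString(mem, buggy_address(mem))
        buggy_error = None
    except DbgException as exc:
        buggy_error = str(exc)
    return (buggy_address(mem), fixed_address(mem),
            loadUnicodeString(mem, fixed_address(mem)), buggy_error)


if __name__ == "__main__":
    bad, good, name, err = reproduce()
    print("ProcessParameters + 0x38      =", hex(bad), "->", err)
    print("int(ProcessParameters) + 0x38 =", hex(good), "->", name)
```

The buggy expression lands on 0x2fb048 (inside the PEB itself), where the bytes do not form a valid UNICODE_STRING, so the loader raises exactly the "Corrupted UNICODE_STRING structure" error from the traceback; the `int()` cast yields 0x5818e8 and the image path decodes correctly.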