When to reach for this
Working an exploit in WinDbg with mona loaded. These are the commands you re-run constantly. Re-typing them costs time you don’t have on the OSED clock.
Setup
.load pykd.pyd $$ or use pykd's setup
!py mona $$ load mona (text after $$ is a WinDbg comment; a bare ; would start a new command)
!mona config -set workingfolder C:\mona\%p
Recon
!mona modules
Lists every loaded module with ASLR / NX / SafeSEH / Rebase status. The first thing you do on attach.
Bad chars
!mona bytearray -b "\x00"
!mona compare -f bytearray.bin -a 0x12345678
Generate bytearray.bin in the working folder set above (all 256 byte values minus the listed bad chars), send it in the payload, then after the crash compare what landed at the given address against the file. Any byte reported as corrupted joins the -b list and you repeat until the array matches.
Pattern offset
!mona pattern_create 2000
!mona pattern_offset 0x37624136
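What these two commands compute, as an added Python example (not mona's or Corelan's code): the cyclic pattern pattern_create builds and the lookup pattern_offset performs, so a crash value can be checked offline. The register value is read little-endian as mona does, and a reversed match is reported separately.

```python
import string

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits


def pattern_create(length: int) -> bytes:
    """Cyclic pattern Aa0Aa1...Aa9Ab0... truncated to `length` bytes.
    Every aligned 4-byte window is unique up to 20280 bytes."""
    out = bytearray()
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                out += (u + l + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(value, length: int = 20280):
    """Return (offset, how) for a 32-bit register value (int or '0x..' string,
    interpreted little-endian) or an ASCII fragment of the pattern.
    `how` is 'normal', 'reversed' (value was read big-endian) or 'not found'."""
    if isinstance(value, str) and value.lower().startswith("0x"):
        value = int(value, 16)
    if isinstance(value, int):
        needle = value.to_bytes(4, "little")  # 0x37624136 -> b"6Ab7"
    elif isinstance(value, str):
        needle = value.encode()
    else:
        needle = bytes(value)
    pat = pattern_create(length)
    idx = pat.find(needle)
    if idx != -1:
        return idx, "normal"
    idx = pat.find(needle[::-1])
    if idx != -1:
        return idx, "reversed"
    return None, "not found"


if __name__ == "__main__":
    print(pattern_create(2000)[:24].decode())
    # the value used on this page: EIP = 0x37624136 sits 50 bytes into the pattern
    print(pattern_offset("0x37624136"))
```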
Finding gadgets
!mona seh -m examplelib.dll $$ pop pop ret gadgets in a specific module
!mona seh -cm safeseh=off $$ only modules without SafeSEH
!mona jmp -r esp -cpb "\x00\x0a" $$ jmp esp / call esp gadgets, exclude bad chars
!mona find -s "\xff\xe4" -m *.dll $$ raw byte search across modules
ROP chains
!mona rop -m examplelib.dll -cpb "\x00\x0a"
Generates rop_chains.txt with VirtualProtect / VirtualAlloc / WriteProcessMemory chains for the modules you specify. Always start here for DEP bypass — manual ROP is for when mona’s chain is missing a piece.
Stack pivot
!mona stackpivot -cpb "\x00\x0a\x0d"
When ESP doesn’t land where you control, find pivots that get it there.
Source / origin
mona.py is by Corelan. Full docs: https://github.com/corelan/mona/wiki.