Commands
Reference for all mona commands, including debugger compatibility, architecture support, aliases, summaries, and argument details.
To get help for a specific command, either run that command with -h or use !mona help <command>.
| Command | Aliases | WinDBG | Immunity | x86 | x64 |
|---|---|---|---|---|---|
| ? | eval | ✅ | ✅ | ✅ | ✅ |
| allocmem | alloc | ✅ | 🚫 | ✅ | ✅ |
| assemble | asm | ✅ | ✅ | ✅ | ✅ |
| bp | - | ✅ | ✅ | ✅ | ✅ |
| bpseh | sehbp | ✅ | ✅ | ✅ | 🚫 |
| breakfunc | bf | ✅ | ✅ | ✅ | ✅ |
| bytearray | ba | ✅ | ✅ | ✅ | ✅ |
| changeacl | ca | ✅ | 🚫 | ✅ | ✅ |
| cleanlog | clean | ✅ | ✅ | ✅ | ✅ |
| compare | cmp | ✅ | ✅ | ✅ | ✅ |
| config | conf | ✅ | ✅ | ✅ | ✅ |
| copy | cp | ✅ | ✅ | ✅ | ✅ |
| dump | dmp | ✅ | ✅ | ✅ | ✅ |
| dumplog | dl | ✅ | 🚫 | ✅ | ✅ |
| dumpobj | do | ✅ | 🚫 | ✅ | ✅ |
| egghunter | egg | ✅ | ✅ | ✅ | 🚫 |
| encode | enc | ✅ | ✅ | ✅ | 🚫 |
| filecompare | fc | ✅ | ✅ | ✅ | ✅ |
| fillchunk | fchunk | ✅ | ✅ | ✅ | ✅ |
| find | f | ✅ | ✅ | ✅ | ✅ |
| findmsp | findmsf | ✅ | ✅ | ✅ | ✅ |
| findwild | fw | ✅ | ✅ | ✅ | ✅ |
| fwptr | fwp | ✅ | ✅ | ✅ | 🚫 |
| geteat | eat | ✅ | ✅ | ✅ | ✅ |
| getiat | iat | ✅ | ✅ | ✅ | ✅ |
| getpc | - | ✅ | ✅ | ✅ | ✅ |
| gflags | gf | ✅ | ✅ | ✅ | ✅ |
| header | - | ✅ | ✅ | ✅ | ✅ |
| heap | hp | ✅ | ✅ | ✅ | ✅ |
| help | h | ✅ | ✅ | ✅ | ✅ |
| hidedebug | hd | ✅ | ✅ | ✅ | ✅ |
| info | - | ✅ | ✅ | ✅ | ✅ |
| infodump | if | ✅ | ✅ | ✅ | ✅ |
| jmp | j | ✅ | ✅ | ✅ | ✅ |
| jop | - | ✅ | ✅ | ✅ | ✅ |
| jseh | - | ✅ | ✅ | ✅ | 🚫 |
| load | ld | ✅ | ✅ | ✅ | ✅ |
| moduleinfo | modinfo | ✅ | ✅ | ✅ | ✅ |
| modules | mod | ✅ | ✅ | ✅ | ✅ |
| offset | os | ✅ | ✅ | ✅ | ✅ |
| pageacl | pacl | ✅ | ✅ | ✅ | ✅ |
| pattern_create | pc | ✅ | ✅ | ✅ | ✅ |
| pattern_offset | po | ✅ | ✅ | ✅ | ✅ |
| peb | - | ✅ | ✅ | ✅ | ✅ |
| proclayout | pl | ✅ | ✅ | ✅ | ✅ |
| rop | - | ✅ | ✅ | ✅ | ✅ |
| ropfunc | rf | ✅ | ✅ | ✅ | ✅ |
| seh | - | ✅ | ✅ | ✅ | 🚫 |
| sehchain | exchain | ✅ | ✅ | ✅ | 🚫 |
| skeleton | skel | ✅ | ✅ | ✅ | ✅ |
| stackpivot | sp | ✅ | ✅ | ✅ | ✅ |
| stacks | - | ✅ | ✅ | ✅ | ✅ |
| string | str | ✅ | ✅ | ✅ | ✅ |
| stringpos | strpos | ✅ | ✅ | ✅ | ✅ |
| suggest | sg | ✅ | ✅ | ✅ | ✅ |
| sym | - | ✅ | 🚫 | ✅ | ✅ |
| tellme | ai | ✅ | 🚫 | ✅ | ✅ |
| teb | - | ✅ | ✅ | ✅ | ✅ |
| tobp | 2bp | ✅ | 🚫 | ✅ | ✅ |
| unicodealign | ua | ✅ | ✅ | ✅ | 🚫 |
| update | up | ✅ | ✅ | ✅ | ✅ |
| write | w | ✅ | ✅ | ✅ | ✅ |
This page is generated from the MnCommand registrations in mona.py and the corresponding *Usage variables inside populateCommands().
Compatibility is derived from the registration itself: commands inside the WinDBG-only block are marked unsupported in Immunity Debugger, and architecture support comes from each command's archs list.
Command: ?
Alias: eval
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Evaluates an expression
Arguments
- No documented command-specific arguments.
Usage:
Evaluates an expression
Arguments:
<the expression to evaluate>
Accepted syntax includes:
hex values, decimal values (prefixed with 0n), registers,
module names, 'heap' ( = address of default process heap),
module!functionname
simple math operations
Command: allocmem
Alias: alloc
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | 🚫 Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Allocate RWX memory in the debugged process.
Arguments
- -s <size>: desired size of allocated chunk. VirtualAlloc will allocate at least 0x1000 bytes, but this size argument is only useful when used in combination with -fill (optional).
- -a <address>: desired target location for allocation, set to start of chunk to allocate (optional).
- -acl <level>: overrule default RWX memory protection (optional).
- -fill: fill 'size' bytes (-s) of memory at specified address (-a) with A's (optional).
- -force: use in combination with -fill, in case the page was already mapped but you still want to fill the chunk at the desired location (optional).
- -b <byte>: specify what byte to write to the desired location. Defaults to '\x41' (optional).
Usage:
Allocate RWX memory in the debugged process.
Optional arguments:
-s <size> : desired size of allocated chunk. VirtualAlloc will allocate at least 0x1000 bytes,
but this size argument is only useful when used in combination with -fill.
-a <address> : desired target location for allocation, set to start of chunk to allocate.
-acl <level> : overrule default RWX memory protection.
-fill : fill 'size' bytes (-s) of memory at specified address (-a) with A's.
-force : use in combination with -fill, in case page was already mapped but you still want to
fill the chunk at the desired location.
-b <byte> : Specify what byte to write to the desired location. Defaults to '\x41'
Command: assemble
Alias: asm
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Convert instructions to opcode. Separate multiple instructions with #.
Arguments
- -s <instructions>: the sequence of instructions to assemble to opcode; separate multiple instructions with # (mandatory).
Usage:
Convert instructions to opcode. Separate multiple instructions with #.
Mandatory argument : -s <instructions> : the sequence of instructions to assemble to opcode
Command: bp
Alias: None
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Set a breakpoint at a given address. Without -t, sets a software breakpoint (INT 3). With -t, sets a hardware breakpoint (uses debug registers DR0-DR3 on Immunity, 'ba' on WinDBG).
Arguments
- -a <address>: the address where to set the breakpoint (absolute address / register / module / module!function / symbol / expression with offsets) (mandatory).
- -t <type>: type of hardware breakpoint. Can be READ (R), WRITE (W) or EXE (X). READ/R: triggers on read, write, and execute (Access). WRITE/W: triggers on write only. EXE/X: triggers on execute only. If omitted, a software breakpoint is set instead (optional).
- -if <condition>: condition expression for the breakpoint. WinDBG example: -if "eax==0". Immunity example: -if "EAX==0" (evaluated via LogBpHook) (optional).
- -c "windbg cmd;windbg cmd": WinDBG only. WinDBG command(s) to execute when the breakpoint gets hit. The commands must be in between double quotes, and separated by semi-colons. If WinDBG truncates -c at the first ';', use '|' instead; Mona will convert '|' back to ';' before setting the breakpoint (optional).
Usage:
Set a breakpoint at a given address.
Without -t, sets a software breakpoint (INT 3).
With -t, sets a hardware breakpoint (uses debug registers DR0-DR3 on Immunity, 'ba' on WinDBG).
Hardware breakpoints use smart alignment (size 4 if 4-byte aligned, 2 if 2-byte aligned, else 1).
Execute type always uses size 1. On x64 WinDBG, size 8 is used for 8-byte aligned addresses.
On Immunity, max 4 hardware breakpoints can be active (DR0-DR3).
Mandatory arguments :
-a <address> : the address where to set the breakpoint
(absolute address / register / module / module!function / symbol / expression with offsets)
Optional arguments :
-t <type> : type of hardware breakpoint. Can be READ (R), WRITE (W) or EXE (X).
READ/R : triggers on read, write, and execute (Access).
WRITE/W : triggers on write only.
EXE/X : triggers on execute only.
If omitted, a software breakpoint is set instead.
-if <condition> : condition expression for the breakpoint.
WinDBG example: -if "eax==0"
Immunity example: -if "EAX==0" (evaluated via LogBpHook)
WinDBG only:
-c "windbg cmd;windbg cmd" : windbg command(s) to execute when breakpoint gets hit
The commands must be in between double quotes, and separated by semi-colons.
If WinDBG truncates -c at the first ';', use '|' instead.
Mona will convert '|' back to ';' before setting the breakpoint.
If a command needs double quotes, please replace them with #,
and I will convert them back to double quotes when setting the breakpoint.
Example: -c ".printf #-----Breakpoint hit at 0x%p\n#,@$ip|u @$ip L 1|r|.echo -----|gc"
Command: bpseh
Alias: sehbp
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | 🚫 x64
Summary
Sets a breakpoint on all current SEH Handler function pointers
Arguments
- No documented command-specific arguments.
Usage:
Sets a breakpoint on all current SEH Handler function pointers
Command: breakfunc
Alias: bf
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Set a breakpoint on exported or imported function(s) of the selected modules.
Arguments
- -t <type>: type of breakpoint action. Can be 'add', 'del' or 'list' (mandatory).
- -f <function type>: set to 'import' or 'export' to read the IAT or the EAT. Default: export (optional).
- -s <func,func,func>: specify function names. If you want a bp on all functions, set -s to * (optional).
- -c "windbg cmd;windbg cmd": WinDBG only. WinDBG command(s) to execute when the breakpoint gets hit. The commands must be in between double quotes, and separated by semi-colons. If WinDBG truncates -c at the first ';', use '|' instead; Mona will convert '|' back to ';' before setting the breakpoint (optional).
Usage:
Set a breakpoint on exported or imported function(s) of the selected modules.
Mandatory argument :
-t <type> : type of breakpoint action. Can be 'add', 'del' or 'list'
Optional arguments:
-f <function type> : set to 'import' or 'export' to read IAT or EAT. Default : export
-s <func,func,func> : specify function names.
If you want a bp on all functions, set -s to *
WinDBG only:
-c "windbg cmd;windbg cmd" : windbg command(s) to execute when breakpoint gets hit
The commands must be in between double quotes, and separated by semi-colons.
If WinDBG truncates -c at the first ';', use '|' instead.
Mona will convert '|' back to ';' before setting the breakpoint.
If a command needs double quotes, please replace them with #,
and I will convert them back to double quotes when setting the breakpoint.
Example: -c ".printf #-----Breakpoint hit at 0x%p\n#,@$ip|u @$ip L 1|r|.echo -----|gc"
Command: bytearray
Alias: ba
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Creates a byte array, can be used to find bad characters
Arguments
- -cpb <bytes>: bytes to exclude from the array. Example: '\x00\x0a\x0d'. Note: you can specify ranges using '..', for example '\x00\x0a..\x20\x32\x7f..\xff' (optional).
- -s: optional starting byte, example: '\x7f' (optional).
- -e: optional ending byte, example: '\xff'. Example: -s \x01 -e \x7f to have all bytes from 0x01 to 0x7f; -s \xff -e \x7f to have all bytes from 0xff to 0x7f in reverse (optional).
- -r: show the array backwards (reversed), starting at \xff (optional).
Output will be written to bytearray.txt (raw bytes + Python 2/3 code), and binary output will be written to bytearray.bin.
Usage:
Creates a byte array, can be used to find bad characters
Optional arguments:
-cpb <bytes> : bytes to exclude from the array. Example : '\x00\x0a\x0d'
Note: you can specify wildcards using ..
Example: '\x00\x0a..\x20\x32\x7f..\xff'
-s : optional starting hex, example: '\x7f'
-e : optional ending hex, example: '\xff'
Example: -s \x01 -e \x7f to have all bytes from 0x01 to 0x7f
-s \xff -e \x7f to have all bytes from 0xff to 0x7f in reverse
-r : show array backwards (reversed), starting at \xff
Output will be written to bytearray.txt (raw bytes + Python 2/3 code),
and binary output will be written to bytearray.bin
Command: changeacl
Alias: ca
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | 🚫 Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Change the ACL of a given page.
Arguments
- -a <address>: address belonging to the page that needs to be changed (arguments).
- -acl <level>: new ACL. Valid values include N,R,RW,W,X,RX,RWX/RXW,XW,GUARD,NOCACHE,WC. You can also use full names such as PAGE_READWRITE, PAGE_EXECUTE_READ, etc. (arguments).
Usage:
Change the ACL of a given page.
Arguments:
-a <address> : Address belonging to the page that needs to be changed
-acl <level> : New ACL. Valid values include N,R,RW,W,X,RX,RWX/RXW,XW,GUARD,NOCACHE,WC
You can also use full names such as PAGE_READWRITE, PAGE_EXECUTE_READ, etc.
Command: cleanlog
Alias: clean
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Free up some disk space by removing old log files from the workingfolder. This command only works if you have an active workingfolder set, for instance: !mona config -set workingfolder c:\logs\%p
Arguments
- -d <number>: minimum age (in days) of the log file to delete (default: 30). Set to -d 0 to do a full cleanup (optional).
- -stat: show matching files and age/size statistics without deleting anything (optional).
Usage:
Free up some diskspace by removing old log files from workingfolder
This command only works if you have an active workingfolder set
For instance: !mona config -set workingfolder c:\logs\%p
The script will delete:
- *mona-windbg-debug.log
- *.old
- *.old2
- *rop*progress*.log
If you use -stat, the script will not delete any files.
Instead, it will list all matching files and show size statistics by file age.
Files older than the configured minimum age will be grouped together in one bucket.
Optional arguments:
-d <number> : Minimum age of the log file to delete (default: 30). Set to -d 0 to do a full cleanup
-stat : Show matching files and age/size statistics without deleting anything
Command: compare
Alias: cmp
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Compare a file created by mona's bytearray/msfvenom/gdb/hex/xxd/hexdump/ollydbg with a copy in memory.
Arguments
- -f <filename>: full path to the input file (mandatory).
- -a <address>: the exact address of the bytes in memory (address or register). If you don't specify an address, mona will try to locate the bytes in memory by looking at the first 8 bytes (optional).
- -s: skip locations that belong to a module (optional).
- -unicode: perform a unicode search. Note: the input should not be unicode, it will be expanded automatically (optional).
- -t <format>: input file type format. If no file type format is specified, mona will try to guess it. See Usage below for the available formats (optional).
Usage:
Compare a file created by mona's bytearray/msfvenom/gdb/hex/xxd/hexdump/ollydbg with a copy in memory.
Mandatory argument :
-f <filename> : full path to input file
Optional argument :
-a <address> : the exact address of the bytes in memory (address or register).
If you don't specify an address, I will try to locate the bytes in memory
by looking at the first 8 bytes.
-s : skip locations that belong to a module
-unicode : perform unicode search. Note: input should *not* be unicode, it will be expanded automatically
-t : input file type format. If no file type format is specified, I will try to guess the input file type format.
Available formats:
'raw', 'hexdump', 'js-unicode', 'dword', 'xxd', 'byte-array', 'hexstring', 'hexdump-C', 'classic-hexdump', 'escaped-hexes', 'msfvenom-powershell', 'gdb', 'ollydbg', 'msfvenom-ruby', 'msfvenom-c', 'msfvenom-carray', 'msfvenom-python'
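The bad-character loop that bytearray and compare support (generate an array that omits the bytes already known to be bad, send it, then compare it with the copy that landed in the target's memory) as an added example. This is illustrative code written for this page, not code from mona.py: it reimplements the -cpb exclusion syntax including the '..' ranges, the -s/-e direction, the Python-literal form bytearray.txt carries, and a compare step that tells an altered byte, a dropped byte and a truncating terminator apart. The "memory copy" it compares against is constructed inline rather than read from a debugger.

```python
import re

# Added example, not mona's own code. Reimplements the bytearray/compare
# workflow: build the array that `!mona bytearray -cpb ...` would write to
# bytearray.bin, then diff it against the bytes recovered from the target.

_ESC = re.compile(r'\\x([0-9a-fA-F]{2})|(\.\.)')


def parse_excludes(spec):
    r"""Turn a -cpb spec such as r'\x00\x0a..\x20\x7f..\xff' into a set of byte
    values. Two escapes joined by '..' expand to the inclusive range between
    them, which is what the command's wildcard syntax means."""
    excluded, prev, in_range = set(), None, False
    for hexpart, dots in _ESC.findall(spec):
        if dots:
            in_range = True
            continue
        val = int(hexpart, 16)
        if in_range and prev is not None:
            lo, hi = sorted((prev, val))
            excluded.update(range(lo, hi + 1))
            in_range = False
        else:
            excluded.add(val)
        prev = val
    return excluded


def build_bytearray(cpb='', start=0x00, end=0xff):
    r"""Bytes from start to end (inclusive), walking backwards when start > end
    like `-s \xff -e \x7f`, minus everything excluded by cpb."""
    step = 1 if start <= end else -1
    excluded = parse_excludes(cpb)
    return bytes(b for b in range(start, end + step, step) if b not in excluded)


def python_literal(data):
    r"""The '\x01\x02...' string form that bytearray.txt carries next to the raw bytes."""
    return ''.join('\\x%02x' % b for b in data)


def find_bad_chars(expected, memory):
    """Compare the generated array with the copy found in memory and return the
    expected bytes that did not survive, in order. Three cases are told apart:
    a byte that was altered (rest still aligned), a byte that was dropped
    (rest shifted left by one), and a terminator that cut the buffer short."""
    bad, i, j = [], 0, 0
    while i < len(expected):
        if j >= len(memory):
            bad.append(expected[i])          # truncated: first missing byte
            break
        if expected[i] == memory[j]:
            i, j = i + 1, j + 1
            continue
        bad.append(expected[i])
        if i + 1 < len(expected) and expected[i + 1] == memory[j]:
            i += 1                           # dropped: memory did not advance
        else:
            i, j = i + 1, j + 1              # altered: both advance
    return bad


# Constructed test data: the target strips 0x0a and stops copying at 0x0d.
EXPECTED = build_bytearray(r'\x00')                      # 0x01..0xff
MEMORY_COPY = EXPECTED[:9] + EXPECTED[10:12]             # 01..09, 0b, 0c

if __name__ == '__main__':
    print('array: %d bytes, starts %s' % (len(EXPECTED), python_literal(EXPECTED[:4])))
    found = find_bad_chars(EXPECTED, MEMORY_COPY)
    print('bad chars: %s' % python_literal(found))
    # next round: exclude what was found and send the shorter array again
    print('next -cpb: %s' % python_literal([0] + found))
```

Run it once per round: the bytes it reports go into the next -cpb, and the loop ends when find_bad_chars returns an empty list, which is the "unmodified" result compare prints.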
Command: config
Alias: conf
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Change config of mona.py Available options are : -get -set -add <value_to_add> -del <value_to_del> -clear -list
Arguments
- No documented command-specific arguments.
Usage:
Change config of mona.py
Available options are :
-get <parameter>
-set <parameter> <value>
-add <parameter> <value_to_add>
-del <parameter> <value_to_del>
-clear <parameter>
-list
If you run 'config' without options, it will show the list of options currently set.
Mona uses the following parameters:
workingfolder
excluded_modules
author
alias
The excluded_modules parameter takes a comma-separated list of module names.
You can add items to the parameter using the -add option, and remove items using -del
The alias parameter allows you to set the command you're using to launch mona.
This affects clickable links and help output.
For example, in WinDBG(X):
!load pykd
!py -3.9 c:\Tools\mona3\mona.py config -set alias #mona
as !mona !py -3.9 c:\Tools\mona3\mona.py
(note: the # (hashtag) will be replaced with !)
Command: copy
Alias: cp
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Copies bytes from one location to another.
Arguments
- -src <address>: the source address (arguments).
- -dst <address>: the destination address (arguments).
- -n <number>: the number of bytes to copy (arguments).
Usage:
Copies bytes from one location to another.
Arguments:
-src <address> : The source address
-dst <address> : The destination address
-n <number> : The number of bytes to copy
Command: dump
Alias: dmp
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Dump the specified memory range to a file. Either the end address or the size of buffer needs to be specified.
Arguments
- -s <address>: start address (mandatory).
- -f <filename>: the name of the file where to write the bytes (mandatory).
- -n <size>: the number of bytes to copy (size of the buffer) (optional).
- -e <address>: the end address of the copy (optional).
Usage:
Dump the specified memory range to a file. Either the end address or the size of
buffer needs to be specified.
Mandatory arguments :
-s <address> : start address
-f <filename> : the name of the file where to write the bytes
Optional arguments:
-n <size> : the number of bytes to copy (size of the buffer)
-e <address> : the end address of the copy
Command: dumplog
Alias: dl
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | 🚫 Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Dump objects present in alloc/free log file
Arguments
- -f <path/to/logfile>: full path to the logfile (arguments).
- -l <number>: recursively dump objects, this many levels deep (optional).
- -m <number>: size for recursive objects (default value: 0x28) (optional).
- -s <number>: only take allocated chunks of this exact size into consideration (optional).
- -nofree: ignore all free() events, show all allocations (including those that were freed) (optional).
Usage:
Dump all objects recorded in an alloc/free log
Note: dumplog will only dump objects that have not been freed in the same logfile.
Expected syntax for log entries:
Alloc : 'alloc(size in hex) = address'
Free : 'free(address)'
Additional text after the alloc & free info is fine.
Just make sure the syntax matches exactly with the examples above.
Arguments:
-f <path/to/logfile> : Full path to the logfile
Optional arguments:
-l <number> : Recursively dump objects
-m <number> : Size for recursive objects (default value: 0x28)
-s <number> : Only take allocated chunks of this exact size into consideration
-nofree : Ignore all free() events, show all allocations (including those that were freed)
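The log replay that dumplog performs, and the recursive object dump that dumpobj's -l/-m options describe in the next section, as one added example. It is illustrative code written for this page, not mona's implementation: it parses lines in the exact 'alloc(size in hex) = address' / 'free(address)' syntax the usage text requires (tolerating trailing text), keeps only the chunks not freed later, honours -s and -nofree, and then dumps the surviving objects word by word, following any word that is the start of another live chunk. The log lines and the memory image are constructed inline; in the debugger the image would be read from the target.

```python
import re
from collections import OrderedDict

# Added example, not mona's own code. Replays an alloc/free log written in the
# syntax dumplog expects and dumps the surviving objects the way dumpobj -l/-m
# would, against a constructed in-memory image.

ALLOC_RE = re.compile(r'alloc\((?:0x)?([0-9a-fA-F]+)\)\s*=\s*(?:0x)?([0-9a-fA-F]+)')
FREE_RE = re.compile(r'free\((?:0x)?([0-9a-fA-F]+)\)')


def parse_alloc_log(lines, size=None, nofree=False):
    """Return address -> size for chunks still live at the end of the log, in
    allocation order. size: like -s, keep only allocations of exactly that
    size. nofree: like -nofree, ignore free() events entirely."""
    live = OrderedDict()
    for line in lines:
        m = ALLOC_RE.search(line)
        if m:
            chunk_size, addr = int(m.group(1), 16), int(m.group(2), 16)
            if size is None or chunk_size == size:
                live.pop(addr, None)          # address reused: newest record wins
                live[addr] = chunk_size
            continue
        m = FREE_RE.search(line)
        if m and not nofree:
            live.pop(int(m.group(1), 16), None)
    return live


def read_words(memory, addr, size, wordsize=4):
    """Little-endian words of the `size` bytes at addr in the image (4 bytes: x86)."""
    data = memory.get(addr, b'')[:size]
    return [int.from_bytes(data[i:i + wordsize], 'little')
            for i in range(0, len(data) - wordsize + 1, wordsize)]


def dump_object(memory, addr, size, live, level=0, recsize=0x28):
    """dumpobj -a addr -s size -l level -m recsize: the object's words plus,
    while level > 0, a recursive dump of every word that is the start of a
    live chunk (a likely pointer to another object)."""
    words = read_words(memory, addr, size)
    children = OrderedDict()
    if level > 0:
        for w in words:
            if w in live and w != addr and w not in children:
                children[w] = dump_object(memory, w, min(live[w], recsize),
                                          live, level - 1, recsize)
    return {'addr': addr, 'size': size, 'words': words, 'children': children}


def render(obj, indent=0):
    """Text rendering, one word per line, nested dumps indented."""
    pad = '  ' * indent
    out = ['%s%08x (size 0x%x)' % (pad, obj['addr'], obj['size'])]
    for k, w in enumerate(obj['words']):
        out.append('%s  +%02x  %08x' % (pad, k * 4, w))
        if w in obj['children']:
            out.extend(render(obj['children'][w], indent + 1))
    return out


# Constructed log lines; the trailing text is the kind dumplog tolerates.
LOG = [
    "alloc(0x28) = 0x00a31000    <- CFoo, holds a pointer to CBar",
    "alloc(0x10) = 0x00a32000    <- temporary buffer",
    "free(0x00a32000)",
    "alloc(0x28) = 0x00a33000    <- CBar",
]

# Constructed memory image: CFoo = vftable-looking value, then a pointer to CBar.
MEMORY = {
    0x00a31000: (0x77e10000).to_bytes(4, 'little') + (0x00a33000).to_bytes(4, 'little') + b'\x00' * 0x20,
    0x00a33000: (0x77e10040).to_bytes(4, 'little') + b'B' * 0x24,
}

if __name__ == '__main__':
    live = parse_alloc_log(LOG)
    for addr, size in live.items():
        print('\n'.join(render(dump_object(MEMORY, addr, size, live, level=1))))
```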
Command: dumpobj
Alias: do
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | 🚫 Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Dump the contents of an object.
Arguments
- -a <address>: address of the object (arguments).
- -s <number>: size of the object (default value: 0x28 or the size of the chunk) (arguments).
- -l <number>: recursively dump objects, this many levels deep (optional).
- -m <number>: size for recursive objects (default value: 0x28) (optional).
Usage:
Dump the contents of an object.
Arguments:
-a <address> : Address of object
-s <number> : Size of object (default value: 0x28 or size of chunk)
Optional arguments:
-l <number> : Recursively dump objects
-m <number> : Size for recursive objects (default value: 0x28)
Command: egghunter
Alias: egg
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | 🚫 x64
Summary
Creates an egghunter routine
Arguments
- -t: tag (ex: w00t). Default value is w00t (optional).
- -c: enable checksum routine. Only works in conjunction with parameter -f (optional).
- -f <filename>: file containing the shellcode (optional).
- -startreg <reg>: start searching at the address pointed to by this register (optional).
- -wow64: generate a wow64 egghunter (Win7 and Win11/10). Default is the traditional 32bit egghunter (optional).
- -winver <ver>: indicate the Windows version for the wow64 egghunter. Default is Windows 11/10. Valid values are 7, 10 and 11 (optional).
DEP bypass options:
- -depmethod <method>: method can be "virtualprotect", "copy" or "copy_size" (optional).
- -depreg <reg>: sets the register that contains a pointer to the API function used to bypass DEP. By default this register is ESI (optional).
- -depsize <value>: sets the size for the DEP bypass routine (optional).
- -depdest <reg>: this register points to the location of the egghunter itself. When bypassing DEP, the egghunter is already marked as executable, so with the copy or copy_size methods the DEP bypass in the egghunter would do a "copy 2 self". To be able to do so, it needs a register where it can copy the shellcode to. If you leave this empty, the code will contain a GetPC routine (optional).
Usage:
Creates an egghunter routine
Optional arguments:
-t : tag (ex: w00t). Default value is w00t
-c : enable checksum routine. Only works in conjunction with parameter -f
-f <filename> : file containing the shellcode
-startreg <reg> : start searching at the address pointed by this reg
-wow64 : generate wow64 egghunter (Win7 and Win11/10). Default is traditional 32bit egghunter
-winver <ver> : indicate Windows version for wow64 egghunter. Default is Windows 11/10.
valid values are 7, 10 and 11.
DEP Bypass options :
-depmethod <method> : method can be "virtualprotect", "copy" or "copy_size"
-depreg <reg> : sets the register that contains a pointer to the API function to bypass DEP.
By default this register is set to ESI
-depsize <value> : sets the size for the dep bypass routine
-depdest <reg> : this register points to the location of the egghunter itself.
When bypassing DEP, the egghunter is already marked as executable.
So when using the copy or copy_size methods, the DEP bypass in the egghunter
would do a "copy 2 self". In order to be able to do so, it needs a register
where it can copy the shellcode to.
If you leave this empty, the code will contain a GetPC routine.
Command: encode
Alias: enc
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | 🚫 x64
Summary
Encode a series of bytes
Arguments
- -t <type>: type of encoder to use. Allowed value(s) are alphanum (arguments).
- -s <bytes|asm>: bytes to encode (e.g. \x41\x42, 4142) or assembly (use # to separate instructions) (arguments).
- -f <path to file>: the full path to the binary file that contains the bytes to encode (arguments).
Usage:
Encode a series of bytes
Arguments:
-t <type> : Type of encoder to use. Allowed value(s) are alphanum
-s <bytes|asm> : Bytes to encode (e.g. \x41\x42, 4142) or assembly (use # to separate instructions)
-f <path to file> : The full path to the binary file that contains the bytes to encode
Command: filecompare
Alias: fc
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Compares 2 or more files created by mona using the same output command. Make sure to use files that were created with the same version of mona and contain the output of the same mona command.
Arguments
- -f "file1,file2,...filen": put all filenames between one set of double quotes, separated by commas. A folder name is accepted as well; all files in the root of that folder will be part of the compare (mandatory).
- -contains "INSTRUCTION": only list a pointer if the instruction is found (optional).
- -nostrict: also list pointers whose instructions don't match in all files (optional).
- -range <number>: find overlapping ranges for all pointers + range. When using -range, the -contains and -nostrict options are ignored (optional).
- -ptronly: only show matching pointers (slightly faster). Doesn't work when -range is used (optional).
Usage:
Compares 2 or more files created by mona using the same output commands
Make sure to use files that are created with the same version of mona and
contain the output of the same mona command.
Mandatory argument : -f "file1,file2,...filen"
Put all filenames between one set of double quotes, and separate files with comma's.
You can specify a foldername as well with -f, all files in the root of that folder will be part of the compare.
Output will be written to filecompare.txt and filecompare_not.txt (not matching pointers)
Optional parameters :
-contains "INSTRUCTION" (will only list if instruction is found)
-nostrict (will also list pointers even if instructions don't match in all files)
-range <number> : find overlapping ranges for all pointers + range.
When using -range, the -contains and -nostrict options will be ignored
-ptronly : only show matching pointers (slightly faster). Doesn't work when 'range' is used
Command: fillchunk
Alias: fchunk
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Fills a heap chunk, referenced by an address expression, with A bytes by default, or another byte you provide.
The command first tries to resolve the target through Mona's cached heap/chunk map. If that succeeds, it fills the owning heap chunk even when the supplied address points somewhere inside the chunk. If that lookup fails, it falls back to !heap -x.
By default, if the beginning of the user chunk looks like a pointer into a loaded module, those first pointer-sized bytes are preserved to avoid clobbering a likely vftable pointer. Use -force to overwrite them anyway.
Arguments
- -a <address>: reference to the heap chunk to fill (address, register, offset from register, etc) (mandatory).
- -b <byte>: fill byte to write. Accepts a character or a byte string such as \x41 (optional).
- -force: overwrite the entire chunk even when the first pointer-sized bytes appear to be a module/vftable pointer (optional).
- -strict: start writing at the provided address instead of the beginning of the chunk (optional).
- -s <size>: if the referenced chunk is not found and a size is defined with -s, memory will be filled anyway, up to the specified size (optional).
Usage:
Fills a heap chunk, referenced by an address expression, with A's (or another character)
Mandatory arguments :
-a <address> : reference to heap chunk to fill (address, register, offset from register, etc)
If the chunk at the address begins with what may be a vftable pointer,
that pointer will not be overwritten by default.
Even if the address is not the start of a chunk, the command will
normally write from the start of the owning chunk unless you specify -strict.
Optional arguments:
-b <character or byte to use to fill up chunk>
-force : force overwrite of the full chunk, including an initial
pointer-sized value that looks like a module/vftable pointer
-strict : only write starting at the provided address forward instead of
starting from the beginning of the owning chunk
-s <size> : if the referenced chunk is not found, and a size is defined with -s,
memory will be filled anyway, up to the specified size
Command: find
Alias: f
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Find a sequence of bytes in memory.
Arguments
- -s <pattern>: the sequence to search for. With -type file, -s names a file created with mona.py that contains pointers at the beginning of each line (mandatory).
- -type <type>: type of pattern to search for: bin, asc, ptr, instr, file (optional).
- -b <address>: base/bottom address of the search range (optional).
- -t <address>: top address of the search range (optional).
- -c: skip consecutive pointers but show the length of the pattern instead (optional).
- -p2p: show pointers to pointers to the pattern (might take a while!). Equivalent to -level 1 (optional).
- -level <number>: do recursive (p2p) searches, this many levels deep. To look for pointers to pointers, set level to 1 (optional).
- -offset <number>: subtract a value from a pointer at a certain level (optional).
- -offsetlevel <number>: the level at which to subtract the -offset value from a pointer (optional).
- -r <number>: if p2p is used, also find close pointers: the value is the number of bytes to step backwards for each search (optional).
- -unicode: used in conjunction with search type asc, converts the search pattern to unicode first (optional).
- -ptronly: only show the pointers, skip the info about each pointer (slightly faster) (optional).
Usage:
Find a sequence of bytes in memory.
Mandatory argument : -s <pattern> : the sequence to search for. If you specified type 'file', then use -s to specify the file.
This file needs to be a file created with mona.py, containing pointers at the begin of each line.
Optional arguments:
-type <type> : Type of pattern to search for : bin,asc,ptr,instr,file
-b <address> : base/bottom address of the search range
-t <address> : top address of the search range
-c : skip consecutive pointers but show length of the pattern instead
-p2p : show pointers to pointers to the pattern (might take a while !)
this setting equals setting -level to 1
-level <number> : do recursive (p2p) searches, specify number of levels deep
if you want to look for pointers to pointers, set level to 1
-offset <number> : subtract a value from a pointer at a certain level
-offsetlevel <number> : level to subtract a value from a pointer
-r <number> : if p2p is used, you can tell the find to also find close pointers by specifying -r with a value.
This value indicates the number of bytes to step backwards for each search
-unicode : used in conjunction with search type asc, this will convert the search pattern to unicode first
-ptronly : Only show the pointers, skip showing info about the pointer (slightly faster)
Command: findmsp
Alias: findmsf
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Find cyclic pattern in memory
Arguments
- -distance <value>: distance from ESP, applies to the search on the stack. Default: search the entire stack (optional).
Note: you can use the same options as with pattern_create and pattern_offset for defining the character set to use.
Usage:
Finds begin of a cyclic pattern in memory, looks if one of the registers contains (is overwritten) with a cyclic pattern
or points into a cyclic pattern. findmsp will also look if a SEH record is overwritten and finally,
it will look for cyclic patterns on the stack, and pointers to cyclic pattern on the stack.
Optional argument :
-distance <value> : distance from ESP, applies to search on the stack. Default : search entire stack
Note : you can use the same options as with pattern_create and pattern_offset in terms of defining the character set to use
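The sweep findmsp describes (which registers were overwritten by the cyclic pattern, which point into it, whether a SEH record was hit, and where the pattern sits on the stack relative to ESP) as an added example, built on the pattern_create / pattern_offset scheme those commands in the table use. This is illustrative code written for this page, not mona's implementation: the register values, the SEH record and the stack contents are a constructed crash state rather than values read from a debugger, and the character sets follow the Metasploit default (upper, lower, digits) unless you pass your own.

```python
import string

# Added example, not mona's own code. Builds the cyclic pattern that
# pattern_create emits, resolves offsets the way pattern_offset does, and runs
# a findmsp-style sweep over constructed register, SEH and stack contents.

DEFAULT_SETS = (string.ascii_uppercase, string.ascii_lowercase, string.digits)


def pattern_create(length, sets=DEFAULT_SETS):
    """Metasploit-style cyclic pattern (Aa0Aa1Aa2...). Every 4-byte window is
    unique for the first 20280 bytes with the default three character sets."""
    out = bytearray()
    while len(out) < length:
        for a in sets[0]:
            for b in sets[1]:
                for c in sets[2]:
                    out += (a + b + c).encode()
                    if len(out) >= length:
                        return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(pattern, value):
    """Offset of a 4-byte value inside the pattern, or -1. An int is what a
    register holds after the overwrite, so its little-endian bytes are tried
    first; big-endian second covers a value read as it appeared in the buffer."""
    if isinstance(value, int):
        candidates = [value.to_bytes(4, 'little'), value.to_bytes(4, 'big')]
    else:
        candidates = [bytes(value)]
    for cand in candidates:
        idx = pattern.find(cand)
        if idx != -1:
            return idx
    return -1


def findmsp(pattern, regs, stack, stack_base, seh=None):
    """What findmsp reports: registers overwritten with the pattern, registers
    pointing into it, an overwritten SEH record (nseh, handler) and where the
    pattern sits on the stack relative to ESP. `stack` is the raw bytes that
    start at stack_base; `regs` maps register name to value."""
    report = {'overwritten': {}, 'points_into': {}, 'seh': None, 'stack': None}
    esp = regs.get('ESP', stack_base)
    for name, val in regs.items():
        off = pattern_offset(pattern, val)
        if off != -1:
            report['overwritten'][name] = off
        elif stack_base <= val < stack_base + len(stack) - 3:
            off = pattern_offset(pattern, stack[val - stack_base:val - stack_base + 4])
            if off != -1:
                report['points_into'][name] = off
    if seh is not None:
        nseh, handler = seh
        off = pattern_offset(pattern, handler)
        if off != -1:
            report['seh'] = {'handler_offset': off, 'nseh_offset': pattern_offset(pattern, nseh)}
    for start in range(len(stack) - 3):
        off = pattern_offset(pattern, stack[start:start + 4])
        if off == -1:
            continue
        n = 4   # extend the hit to the full contiguous run of pattern bytes
        while start + n < len(stack) and off + n < len(pattern) and stack[start + n] == pattern[off + n]:
            n += 1
        report['stack'] = {'address': stack_base + start, 'esp_offset': stack_base + start - esp,
                           'pattern_offset': off, 'length': n}
        break
    return report


# Constructed crash state: a 500-byte pattern was sent; the saved return address
# sat at offset 268, ESP landed on offset 272, and a SEH record at 400/404 was hit.
PATTERN = pattern_create(500)
STACK_BASE = 0x0019ff00
STACK = PATTERN[272:] + b'\x00' * 16
REGS = {
    'EIP': int.from_bytes(PATTERN[268:272], 'little'),
    'ESP': STACK_BASE,
    'EAX': STACK_BASE + 8,       # points 8 bytes into the pattern on the stack
    'EBX': 0x00000000,
}
SEH = (int.from_bytes(PATTERN[400:404], 'little'), int.from_bytes(PATTERN[404:408], 'little'))

if __name__ == '__main__':
    for key, val in findmsp(PATTERN, REGS, STACK, STACK_BASE, SEH).items():
        print('%-12s %s' % (key, val))
```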
Command: findwild
Alias: fw
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Find instructions in memory, accepts wildcards.
Arguments
- -s <instruction#instruction#instruction>: the instruction sequence to search for, with instructions separated by # (mandatory).
- -m *: only search executable pages that belong to modules, instead of the entire memory space (optional).
- -b <address>: base/bottom address of the search range (optional).
- -t <address>: top address of the search range (optional).
- -depth <nr>: number of instructions to go deep (8 by default) (optional).
- -distance min=nr,max=nr: global range for numeric offsets (default: 4 to 40 decimal) (optional).
The wildcards accepted inside the instruction string (*, r32, r64, -n/+n, -nx:y/+nx:y, imm, immx:y) are described under Usage below.
Usage:
Find instructions in memory, accepts wildcards.
By default, findwild searches through the entire memory space and considers executable pages.
If you only want to search in executable pages that are part of modules, use the -m * argument
Mandatory arguments :
-s <instruction#instruction#instruction> (separate instructions with #)
Optional arguments:
-b <address> : base/bottom address of the search range
-t <address> : top address of the search range
-depth <nr> : number of instructions to go deep (8 by default)
-distance min=nr,max=nr : global range for numeric offsets
(default: 4 to 40 decimal)
Inside the instructions string, you can use the following wildcards :
* = any instruction
r32 = any 32bit register
r64 = any 64bit register
-n or +n = any number in a range (uses the -distance min, unless you specified a specific range)
-nx:y = specify the minimum and maximum number for this range specifically
(same applies to +nx:y)
imm = an immediate (number) in a range (uses the -distance values as well)
immx:y = allows you to specify the range for this immediate
Examples:
pop r32#*#xor eax,eax#*#pop esi#ret
push rbp#*#jmp rax
mov eax, [eax+n4:20]#*#inc r32
add esp,imm0x100:0x200#pop r32#retn
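The wildcard grammar above is easy to get wrong before you start a long search, so here is a small matcher, added for this page and not part of mona, that applies the same wildcards (*, r32, r64, imm, +n/-n, each with an optional x:y range and the -distance defaults) to a constructed disassembly listing. The listing, the register lists and the text normalisation rules are assumptions made for the demo; mona searches real memory and also honours -depth, -b/-t and the module filters, which this matcher does not.

```python
import re

# Constructed, hypothetical disassembly listing: (address, instruction text).
# Sample data for the matcher only, not the contents of any real module.
SAMPLE_LISTING = [
    (0x10001000, "pop ebx"),
    (0x10001001, "mov edi, edi"),
    (0x10001003, "xor eax, eax"),
    (0x10001005, "nop"),
    (0x10001006, "pop esi"),
    (0x10001007, "ret"),
    (0x10001008, "add esp, 0x180"),
    (0x1000100b, "pop ebp"),
    (0x1000100c, "retn"),
    (0x1000100d, "mov eax, [eax+0x10]"),
    (0x10001010, "push ecx"),
    (0x10001011, "inc edx"),
]

R32 = r"(?:eax|ebx|ecx|edx|esi|edi|ebp|esp)"
R64 = r"(?:rax|rbx|rcx|rdx|rsi|rdi|rbp|rsp|r8|r9|r1[0-5])"
NUM = r"(?:0x[0-9a-f]+|[0-9]+)"
# Wildcard tokens inside one pattern instruction: r32, r64, imm[x:y], +n[x:y], -n[x:y]
TOKEN = re.compile(r"r32|r64|imm(?:(\w+):(\w+))?|([+-])n(?:(\w+):(\w+))?")


def _num(text):
    """Plain numbers are decimal (as with -distance); 0x-prefixed ones are hex."""
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)


def _norm(instr):
    """Lower-case, collapse whitespace and drop spaces around commas."""
    instr = re.sub(r"\s+", " ", instr.strip().lower())
    return instr.replace(" ,", ",").replace(", ", ",")


def compile_instr(pattern, dmin, dmax):
    """Turn one findwild instruction pattern into (regex, [(lo, hi), ...]).

    Each numeric wildcard becomes a capture group; the parallel (lo, hi) list
    holds the range that group must satisfy. '*' compiles to None (any instruction).
    """
    if pattern.strip() == "*":
        return None, []
    pattern = _norm(pattern)
    parts, ranges, pos = [], [], 0
    for m in TOKEN.finditer(pattern):
        parts.append(re.escape(pattern[pos:m.start()]))
        tok = m.group(0)
        if tok == "r32":
            parts.append(R32)
        elif tok == "r64":
            parts.append(R64)
        elif tok.startswith("imm"):
            lo = _num(m.group(1)) if m.group(1) else dmin
            hi = _num(m.group(2)) if m.group(2) else dmax
            ranges.append((lo, hi))
            parts.append("(" + NUM + ")")
        else:  # +n / -n: a signed displacement such as [eax+n4:20]
            lo = _num(m.group(4)) if m.group(4) else dmin
            hi = _num(m.group(5)) if m.group(5) else dmax
            ranges.append((lo, hi))
            parts.append(re.escape(m.group(3)) + "(" + NUM + ")")
        pos = m.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("^" + "".join(parts) + "$"), ranges


def find_wild(pattern, listing, dmin=4, dmax=40):
    """Return the start addresses where the '#'-separated pattern matches
    consecutive instructions in 'listing'. dmin/dmax mirror -distance."""
    steps = [compile_instr(p, dmin, dmax) for p in pattern.split("#")]
    texts = [_norm(t) for _, t in listing]
    hits = []
    for start in range(len(listing) - len(steps) + 1):
        for j, (rx, ranges) in enumerate(steps):
            if rx is None:
                continue
            m = rx.match(texts[start + j])
            if not m or not all(lo <= _num(m.group(k + 1)) <= hi
                                for k, (lo, hi) in enumerate(ranges)):
                break
        else:
            hits.append(listing[start][0])
    return hits


if __name__ == "__main__":
    for pat in ("pop r32#*#xor eax,eax#*#pop esi#ret",
                "add esp,imm0x100:0x200#pop r32#retn",
                "mov eax, [eax+n4:20]#*#inc r32",
                "add esp,imm#pop r32#retn"):
        print("%-40s -> %s" % (pat, [hex(a) for a in find_wild(pat, SAMPLE_LISTING)]))
```

The last pattern in the demo is the important one: without an explicit range, imm falls back to the -distance default of 4 to 40, so "add esp, 0x180" is not reported even though the shape of the gadget matches.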
fwptr
Alias: fwp
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | 🚫 x64
Summary
Search for calls to pointers in a writeable location, will assist with finding a good target for 4byte arbitrary writes
Arguments
- -bp: set breakpoints on all found CALL instructions (optional).
- -patch: patch the target of each CALL with 0x41414141 (optional).
- -chunksize <nr>: only list the pointer if location-8 bytes contains a size value larger than <nr> (size in blocks, not bytes) (optional).
- -offset <nr>: add <nr> bytes of offset within the chunk, after the flink/blink pointers (use in combination with -freelist and -chunksize <nr>) (optional).
- -freelist: search for fwptr that are preceded by 2 readable pointers that can act as flink/blink (optional).
Usage:
Search for calls to pointers in a writeable location,
will assist with finding a good target for 4byte arbitrary writes
Optional arguments:
-bp : Set breakpoints on all found CALL instructions
-patch : Patch the target of each CALL with 0x41414141
-chunksize <nr> : only list the pointer if location-8 bytes contains a size value larger than <nr>
(size in blocks, not bytes)
-offset <nr> : add <nr> bytes of offset within chunk, after flink/blink pointer
(use in combination with -freelist and -chunksize <nr>)
-freelist : Search for fwptr that are preceded by 2 readable pointers that can act as flink/blink
geteat
Alias: eat
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Show EAT entries from selected module(s)
Arguments
- -s <keywords>: only show EAT entries that contain one of these keywords (optional).
Usage:
Show EAT entries from selected module(s)
Optional arguments:
-s <keywords> : only show EAT entries that contain one of these keywords
getiat
Alias: iat
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Show IAT entries from selected module(s)
Arguments
- -s <keywords>: only show IAT entries that contain one of these keywords (optional).
Usage:
Show IAT entries from selected module(s)
Optional arguments:
-s <keywords> : only show IAT entries that contain one of these keywords
getpc
Alias: None
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Find getpc routine for specific register
Arguments
- -r <register>: the register that should receive the current address (ex: eax) (mandatory).
Usage:
Find getpc routine for specific register
Mandatory argument :
-r : register (ex: eax)
gflags
Alias: gf
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Will show the currently set GFlags, based on the PEB.NtGlobalFlag value
Arguments
- No documented command-specific arguments.
Usage:
Will show the currently set GFlags, based on the PEB.NtGlobalFlag value
header
Alias: None
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Convert contents of a binary file to code that can be run to produce the file
Arguments
- -f <filename>: source filename (mandatory).
- -t <type>: type of output. Valid choices are 'python' (default) or 'ruby' (optional).
Usage:
Convert contents of a binary file to code that can be run to produce the file
Mandatory argument :
-f <filename> : source filename
Optional argument:
-t <type> : specify type of output. Valid choices are 'python' (default) or 'ruby'
heap
Alias: hp
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Show information about various heap chunk lists
Arguments
- -a <address>: standalone query, mutually exclusive with -h / -t. Shows the _HEAP_ENTRY, UserPtr, UserSize, State, first 8 bytes at UserPtr, and the Heap and Segment / LFH Subsegment / VABlock for the chunk that contains <address>, plus its immediate predecessor and successor chunks. <address> may be the chunk header, the user-data pointer, or any address within the chunk's allocated range (optional).
- -h <address>: base address of the heap to query (mandatory for heap-level queries).
- -t <type>: where type is 'segments', 'chunks', 'layout', 'fea' (let mona determine the frontend allocator), 'lal' (force display of LAL FEA, only on XP/2003), 'lfh' (force display of LFH FEA (Vista/Win7/...)), 'bea' (backend allocator, mona will automatically determine what it is) or 'all' (show all information). Note: 'layout' will show all heap chunks and their vtables & strings; use on WinDBG for maximum results (mandatory for heap-level queries).
- -expand: works only in combination with 'layout'; includes VA/LFH/... chunks in the search. VA/LFH chunks may be very big, so this might slow down the search (optional).
- -stat: show statistics (also works in combination with -h <heap>, -t segments or -t chunks) (optional).
- -size <nr>: only show strings of at least the specified size. Works in combination with 'layout' (optional).
- -after <data>: only show current & next chunk layout entries when an entry contains this data (only works in combination with 'layout') (optional).
- -v: show data / write verbose info to the Log window (optional).
Usage:
Show information about various heap chunk lists
Standalone argument (mutually exclusive with -h / -t):
-a <address> : show _HEAP_ENTRY, UserPtr, UserSize, State, first 8 bytes at UserPtr,
Heap and Segment / LFH Subsegment / VABlock for the chunk that contains
<address> and its immediate predecessor and successor chunks.
<address> may be the chunk header, the user-data pointer, or any address
within the chunk's allocated range (hex, register, expression).
Mandatory arguments (heap-level queries):
-h <address> : base address of the heap to query
-t <type> : where type is 'segments', 'chunks', 'layout',
'fea' (let mona determine the frontend allocator),
'lal' (force display of LAL FEA, only on XP/2003),
'lfh' (force display of LFH FEA (Vista/Win7/...)),
'bea' (backend allocator, mona will automatically determine what it is),
'all' (show all information)
Note: 'layout' will show all heap chunks and their vtables & strings. Use on WinDBG for maximum results.
Optional arguments:
-expand : Works only in combination with 'layout', will include VA/LFH/... chunks in the search.
VA/LFH chunks may be very big, so this might slow down the search.
-stat : show statistics (also works in combination with -h heap, -t segments or -t chunks)
-size <nr> : only show strings of at least the specified size. Works in combination with 'layout'
-after <data> : only show current & next chunk layout entries when an entry contains this data
(Only works in combination with 'layout')
-v : show data / write verbose info to the Log window
help
Alias: h
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Show help
Arguments
- No documented command-specific arguments.
Usage:
!mona help [command]
hidedebug
Alias: hd
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Will attempt to hide the debugger from the process
Arguments
- No documented command-specific arguments.
Usage:
Will attempt to hide the debugger from the process
info
Alias: None
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Show information about a given address in the context of the loaded application
Arguments
- -a <address>: the address to query (mandatory).
Usage:
Show information about a given address in the context of the loaded application
Mandatory argument : -a <address> : the address to query
infodump
Alias: if
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Dumps contents of memory to file. Contents will include all pages that don't belong to stack, heap or loaded modules. Output will be written to infodump.xml
Arguments
- No documented command-specific arguments.
Usage:
Dumps contents of memory to file. Contents will include all pages that don't
belong to stack, heap or loaded modules.
Output will be written to infodump.xml
jmp
Alias: j
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Find pointers that will allow you to jump to a register (jmp reg, call reg, push reg + ret and similar). Default module criteria : non aslr, non rebase
Arguments
- -r <reg>: the register to jump to, where reg is a valid register (mandatory).
Usage:
Default module criteria : non aslr, non rebase
Mandatory argument : -r <reg> where reg is a valid register
jop
Alias: None
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Find gadgets that can be used in a JOP (jump-oriented programming) chain. Default module criteria : non aslr, non rebase, non os
Arguments
- -depth <value>: define the maximum nr of instructions (not counting the ending instruction) in each gadget (integer, default : 8) (optional).
Usage:
Default module criteria : non aslr,non rebase,non os
Optional parameters :
-depth <value> : define the maximum nr of instructions (not ending instruction) in each gadget (integer, default : 8)
jseh
Alias: None
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | 🚫 x64
Summary
Finds gadgets that can be used to bypass SafeSEH
Arguments
- -all: also list addresses that are inside the address range of loaded modules (optional).
Usage:
Looks for jmp/call dword ptr [ebp/esp+nn] and [ebp-nn] gadgets, and for add esp,8 + ret sequences.
Only addresses outside the address range of loaded modules are listed unless parameter '-all' is given;
in that case, all addresses are listed. TRY THIS ONE !
load
Alias: ld
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Read the contents from a file and write to a memory location
Arguments
- -f <file>: full path to the file to read.
- -a <address>: address (or register) to write to.
Usage:
Read the contents from a file and write to a memory location
Arguments:
-f : Full path to the file to read
-a : address (or register) to write to
moduleinfo
Alias: modinfo
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Show detailed information about a specific loaded module.
Arguments
- -m <name>: image name as shown in the modules table (e.g. kernel32.dll or kernel32) (one of -m / -a is mandatory).
- -a <address>: address within the module (hex, e.g. 0x77e40000); a register name can be used as well (one of -m / -a is mandatory).
Usage:
Show detailed information about a specific loaded module.
Mandatory argument (one of):
-m <name> : image name as shown in the modules table (e.g. kernel32.dll or kernel32)
-a <address> : address within the module (hex, e.g. 0x77e40000)
You can use a register name as well
modules
Alias: mod
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Shows information about the loaded modules. Check the global options above to filter modules as needed.
Arguments
- -peborder <list>: select which PEB LDR_DATA list to walk (default: load). load = InLoadOrderModuleList (DLL load order), memory = InMemoryOrderModuleList, init = InInitializationOrderModuleList (DllMain call order) (optional).
- -sort <spec>: sort the output using a compound sort specifier. Valid keys: base, size, rebase, safeseh, aslr, cfg, nx, os. Each key takes an optional '+' or '-' suffix: for the bool columns (rebase, safeseh, aslr, cfg, nx, os) '+' = has the flag first and '-' = does not have the flag first (default); for the numeric columns (base, size) '+' = low first (default) and '-' = high first. Keys can be comma-separated (-sort aslr-,safeseh-, no spaces), concatenated (-sort aslr-safeseh-, every key must carry a suffix) or space-separated in quotes (-sort "aslr safeseh", default direction for each key) (optional).
Usage:
Shows information about the loaded modules.
Check the global options above to filter modules as needed.
Optional arguments :
-peborder <list> : select which PEB LDR_DATA list to walk (default: load)
load - InLoadOrderModuleList (DLL load order)
memory - InMemoryOrderModuleList
init - InInitializationOrderModuleList (DllMain call order)
-sort <spec> : sort the output using a compound sort specifier.
Each key is optionally followed by a suffix:
Bool columns (rebase,safeseh,aslr,cfg,nx,os):
'+' = has the flag (True first)
'-' = does not have the flag (False first) [default]
Numeric columns (base,size):
'+' = low first (ascending) [default]
'-' = high first (descending)
No suffix uses the column default (bool: does not have the flag first; numeric: low first).
Separator styles (combinable):
Commas: -sort aslr-,safeseh- (comma acts as delimiter, MUST have no spaces, no suffix sets default direction for each key)
Concatenated: -sort aslr-safeseh- (+/- suffix acts as delimiter; every key MUST have a suffix)
Spaces: -sort "aslr safeseh" (no suffix, default direction for each key)
Valid keys: base, size, rebase, safeseh, aslr, cfg, nx, os
Examples:
-sort aslr- : modules without ASLR first (default)
-sort aslr+ : modules with ASLR first
-sort aslr-,safeseh- : no-ASLR first, then no-SafeSEH first
-sort "aslr safeseh" : same, using default direction (no flag first) for each key
-sort base+ : ascending base address (low first)
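The -sort grammar above has three separator styles with different rules, so here is a parser plus the ordering it implies, written for this page in Python and not part of mona. The module table is constructed for the demo; the keys and default directions are the ones documented above.

```python
import re

BOOL_KEYS = ("rebase", "safeseh", "aslr", "cfg", "nx", "os")
NUM_KEYS = ("base", "size")

# Constructed module table with the columns -sort can key on; not a real process.
MODULES = [
    {"name": "ntdll.dll",    "base": 0x77000000, "size": 0x180000, "rebase": False, "safeseh": True,  "aslr": True,  "cfg": True,  "nx": True,  "os": True},
    {"name": "app.exe",      "base": 0x00400000, "size": 0x050000, "rebase": False, "safeseh": False, "aslr": False, "cfg": False, "nx": True,  "os": False},
    {"name": "vendor.dll",   "base": 0x10000000, "size": 0x0a0000, "rebase": True,  "safeseh": True,  "aslr": False, "cfg": False, "nx": False, "os": False},
    {"name": "kernel32.dll", "base": 0x76000000, "size": 0x0f0000, "rebase": False, "safeseh": True,  "aslr": True,  "cfg": True,  "nx": True,  "os": True},
]


def parse_sort_spec(spec):
    """Parse a -sort specifier into [(key, '+'|'-'), ...], or None if invalid.

    Accepts the three separator styles: "aslr-,safeseh-" (commas, no spaces),
    "aslr-safeseh-" (concatenated, every key needs a suffix) and
    "aslr safeseh" (space-separated). A missing suffix means the column default:
    '-' (flag absent first) for bool keys, '+' (ascending) for numeric keys.
    """
    spec = spec.strip()
    if "," in spec:
        tokens = spec.split(",")
    elif " " in spec:
        tokens = spec.split()
    else:
        tokens = re.findall(r"[a-z]+[+-]", spec)
        if "".join(tokens) != spec:   # not a clean run of suffixed keys: treat as one key
            tokens = [spec]
    result = []
    for tok in tokens:
        direction = None
        if tok and tok[-1] in "+-":
            direction, tok = tok[-1], tok[:-1]
        if tok not in BOOL_KEYS + NUM_KEYS:
            return None
        if direction is None:
            direction = "+" if tok in NUM_KEYS else "-"
        result.append((tok, direction))
    return result


def sort_modules(modules, spec):
    """Return a new list ordered as !mona modules -sort <spec> would order it."""
    keys = parse_sort_spec(spec)
    if keys is None:
        raise ValueError("invalid -sort specifier: %r" % spec)

    def sort_key(mod):
        parts = []
        for key, direction in keys:
            value = mod[key]
            if key in NUM_KEYS:
                parts.append(value if direction == "+" else -value)
            else:  # bool: False sorts before True, so negate for '+' (flag first)
                parts.append(bool(value) if direction == "-" else not value)
        return tuple(parts)

    return sorted(modules, key=sort_key)   # stable: ties keep table order


def sorted_names(spec):
    return [m["name"] for m in sort_modules(MODULES, spec)]


if __name__ == "__main__":
    for spec in ("aslr-", "aslr+", "aslr-,safeseh-", "aslr-safeseh-",
                 "aslr safeseh", "base+", "base-"):
        print("%-16s %s" % (spec, ", ".join(sorted_names(spec))))
```

Note how "aslr-safeseh" (concatenated, second key without a suffix) is rejected rather than silently parsed as one key, which matches the "every key MUST have a suffix" rule above.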
offset
Alias: os
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Calculate the number of bytes between two addresses. In addition to plain addresses, you can also specify registers, modules, module!functionnames, etc.
Arguments
- -a1 <address>: the first address/register (mandatory).
- -a2 <address>: the second address/register (mandatory).
Usage:
Calculate the number of bytes between two addresses.
In addition to plain addresses, you can also specify registers, modules, module!functionnames, etc.
Mandatory arguments :
-a1 <address> : the first address/register
-a2 <address> : the second address/register
pageacl
Alias: pacl
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
List all mapped pages and show the ACL associated with each page
Arguments
- -a <address>: only show page information around this address. By default, 1 page before, the containing page, and 1 page after are displayed (optional).
- -n <number>: only used together with -a. Show up to <number> pages before and <number> pages after the page that contains the address (optional).
- -acl <type>: only show pages that match the specified memory protection constant (optional).
Usage:
List all mapped pages and show the ACL associated with each page
Optional arguments:
-a <address> : only show page information around this address.
(By default, 1 page before, the containing page, and 1 page after will be displayed)
-n <number> : only used together with -a. Show up to <number> pages before and
<number> pages after the page that contains the address
-acl <type> : only show pages that match the specified memory protection constant
pattern_create
Alias: pc
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Create a cyclic pattern of a given size. Output will be written to pattern.txt in ascii, hex and unescape() javascript format
Arguments
- size: the size of the pattern (numeric value) (mandatory).
- -extended: extend the 3rd charset (numbers) with punctuation marks etc. (optional).
- -c1 <chars>: set the first charset to this string of characters (optional).
- -c2 <chars>: set the second charset to this string of characters (optional).
- -c3 <chars>: set the third charset to this string of characters (optional).
Usage:
Create a cyclic pattern of a given size. Output will be written to pattern.txt
in ascii, hex and unescape() javascript format
Mandatory argument : size (numeric value)
Optional arguments:
-extended : extend the 3rd characterset (numbers) with punctuation marks etc
-c1 <chars> : set the first charset to this string of characters
-c2 <chars> : set the second charset to this string of characters
-c3 <chars> : set the third charset to this string of characters
pattern_offset
Alias: po
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Find the location of 4 bytes in a cyclic pattern
Arguments
- the 4 bytes to look for, or a register that holds them (mandatory).
- -extended: extend the 3rd charset (numbers) with punctuation marks etc. (optional).
- -c1 <chars>: set the first charset to this string of characters (optional).
- -c2 <chars>: set the second charset to this string of characters (optional).
- -c3 <chars>: set the third charset to this string of characters (optional). Note: the charsets must match the ones that were used to create the pattern!
Usage:
Find the location of 4 bytes in a cyclic pattern
Mandatory argument : the 4 bytes to look for
Note : you can also specify a register
Optional arguments:
-extended : extend the 3rd characterset (numbers) with punctuation marks etc
-c1 <chars> : set the first charset to this string of characters
-c2 <chars> : set the second charset to this string of characters
-c3 <chars> : set the third charset to this string of characters
Note : the charset must match the charset that was used to create the pattern !
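The three charsets and the "charset must match" note are the whole algorithm behind pattern_create and pattern_offset, so here is a Python re-implementation added for this page (not mona's own code): it builds the cyclic pattern from the three charsets and resolves a 4-byte (or 8-byte) value read from a register back to its offset, trying the byte-reversed needle as well. The -extended charset it uses is an assumption about what mona appends, and the sizes and values in the demo are constructed.

```python
import string

# Default charsets as documented for pattern_create: uppercase, lowercase, digits.
CHARSET1 = string.ascii_uppercase
CHARSET2 = string.ascii_lowercase
CHARSET3 = string.digits
# Assumed approximation of what -extended adds to the third charset; mona's exact
# list may differ, so compare against the generated pattern.txt before relying on it.
EXTENDED3 = string.digits + ",.;+=-_!&()#@({})[]%"


def pattern_create(size, c1=CHARSET1, c2=CHARSET2, c3=CHARSET3):
    """Cyclic pattern of exactly 'size' characters: Aa0Aa1...Aa9Ab0...Zz9, then repeating."""
    period = "".join(a + b + c for a in c1 for b in c2 for c in c3)
    if not period:
        raise ValueError("all three charsets must be non-empty")
    return (period * (size // len(period) + 1))[:size]


def pattern_offset(value, size, c1=CHARSET1, c2=CHARSET2, c3=CHARSET3):
    """Locate a 4-byte (or 8-byte) needle in the pattern of the given size.

    'value' may be the characters themselves ("Aa0A"), or the integer / "0x..."
    string read from a register, which is interpreted little-endian, i.e. the
    way the bytes sat in memory before they were loaded into EIP/RIP.
    Returns (offset, how): how is "exact", "reversed" (needle only found
    byte-reversed, a sign the value was read big-endian) or "not found" (-1).
    The charsets must be the ones the pattern was generated with.
    """
    pat = pattern_create(size, c1, c2, c3)
    if isinstance(value, str) and value.lower().startswith("0x"):
        value = int(value, 16)
    if isinstance(value, int):
        width = 8 if value > 0xFFFFFFFF else 4
        needle = value.to_bytes(width, "little").decode("latin-1")
    else:
        needle = value
    off = pat.find(needle)
    if off >= 0:
        return off, "exact"
    off = pat.find(needle[::-1])
    if off >= 0:
        return off, "reversed"
    return -1, "not found"


if __name__ == "__main__":
    print(pattern_create(24))                # Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7
    print(pattern_offset(0x41316241, 5000))  # (33, 'exact'): EIP held "Ab1A"
    print(pattern_offset("Aa5A", 5000))      # (15, 'exact')
    # Same needle, wrong charset: the offset cannot be recovered.
    print(pattern_offset("Aa5A", 5000, c1=string.ascii_lowercase))  # (-1, 'not found')
```

The last call is the caveat from the note above in code form: a pattern generated with a custom -c1 cannot be searched with the default charsets, and the result is "not found" rather than a wrong offset.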
peb
Alias: None
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Show the address of the Process Environment Block (PEB)
Arguments
- No documented command-specific arguments.
Usage:
Show the address of the Process Environment Block (PEB)
proclayout
Alias: pl
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Show a unified process memory layout map (PEB, TEB, modules, stacks, heaps)
Arguments
- -t <type>: show only the specified category or categories (comma-separated). Without -t the default view is shown: PEB, TEB, Module, Stack, Heap, Segment, VADBlock (only Chunk is hidden by default) (optional).
- -tree: show ancestor context rows above the selected categories so the full parent chain (PEB -> Heap -> Segment -> Chunk) is visible. Base sort only; ignored with -s elements. Example: !mona pl -t chunk -tree (optional).
- -a <addr>: highlight the row (entity) whose address range contains <addr>, in bold (WinDBG) or with a >>> prefix (Immunity). Useful for locating a specific chunk, segment or block in the tree; automatically activates -tree mode. Example: !mona pl -t chunk -a 0x12345678 (optional).
- -s <mode>: sort/layout mode. Valid values: base (default; flat list sorted by address) or elements (hierarchical: TEB->Stack, Heap->Segment->Chunk). Example: !mona pl -s elements (optional).
Usage:
Show a unified process memory layout map (PEB, TEB, modules, stacks, heaps)
Optional arguments:
-t <type> : Show only the specified category or categories (comma-separated).
Without -t the default view is shown: PEB, TEB, Module, Stack,
Heap, Segment, VADBlock (only Chunk is hidden by default).
Available types (each shows only its own rows, no implicit parents):
peb - Process Environment Block
teb - Thread Environment Block(s)
mod - Loaded modules
stack - Thread stacks
heap - Heap headers only
segment - Heap segment entries only
chunk - Heap chunks only
vablock - Virtual-allocated heap blocks only
all - Every category
Combine types with commas to show multiple at once.
Example: !mona pl -t heap,segment
Example: !mona pl -t chunk
Example: !mona pl -t heap,segment,chunk
Example: !mona pl -t all
-tree : Show ancestor context rows above the selected categories so the
full parent chain is visible (base sort only; ignored with -s elements).
Parents are indented one level above their children:
PEB
Heap
Segment
Chunk
Example: !mona pl -t chunk -tree (PEB -> Heap -> Segment -> Chunk)
Example: !mona pl -t vablock -tree (PEB -> Heap -> VADBlock)
Example: !mona pl -t segment -tree (PEB -> Heap -> Segment)
-a <addr> : Highlight the row (entity) whose address range contains
<addr> in bold (WinDBG) or with a >>> prefix (Immunity).
Useful for locating a specific chunk, segment, or block in the tree.
Example: !mona pl -t chunk -a 0x12345678
(note: this will activate -tree mode)
-s <mode> : Sort/layout mode. Valid values:
base (default) Flat list sorted by address.
elements Hierarchical: TEB->Stack, Heap->Segment->Chunk.
Example: !mona pl -s elements
rop
Alias: None
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Finds gadgets that can be used in a ROP chain and perhaps do some ROP magic with them
Arguments
- -offset <value>: maximum offset for RET instructions (integer, default: 40) (optional).
- -distance <value>: minimum distance for stackpivots (integer, default: 8); use min,max to set both bounds (optional).
- -depth <value>: maximum nr of instructions (not counting the ending instruction) in each gadget (integer, default: 6) (optional).
- -split: write gadgets to individual files, grouped by the module the gadget belongs to (optional).
- -fast: skip the 'non-interesting' gadgets (optional).
- -cfg: identify valid CFG target gadgets and write them to a separate output file; may slow down the overall process a bit (optional).
- -end <instruction(s)>: one or more instructions to use as chain end, separated with #. Default ending is RETN (optional).
- -f "file1,file2,...,filen": use mona generated rop files as input instead of searching in memory (optional).
- -rva: use RVAs in the rop chain (optional).
- -s <technique>: only create a ROP chain for the selected technique (virtualalloc or virtualprotect) (optional).
- -sort: sort the output in rop.txt on pointer value (optional).
Usage:
Default module criteria : non aslr,non rebase,non os
Optional parameters :
-offset <value> : define the maximum offset for RET instructions (integer, default : 40)
-distance <value> : define the minimum distance for stackpivots (integer, default : 8).
If you want to specify a min and max distance, set the value to min,max
-depth <value> : define the maximum nr of instructions (not ending instruction) in each gadget (integer, default : 6)
-split : write gadgets to individual files, grouped by the module the gadget belongs to
-fast : skip the 'non-interesting' gadgets
-cfg : Identify valid CFG target gadgets and write them to a separate output file
(this may slow down the overall process a bit)
-end <instruction(s)> : specify one or more instructions that will be used as chain end.
(Separate instructions with #). Default ending is RETN
-f "file1,file2,...,filen" : use mona generated rop files as input instead of searching in memory
-rva : use RVA's in rop chain
-s <technique> : only create a ROP chain for the selected technique (options: virtualalloc, virtualprotect)
-sort : sort the output in rop.txt (sort on pointer value)
ropfunc
Alias: rf
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Find pointers to interesting functions (via the IAT) that can be used in a ROP chain. Default module criteria : non aslr, non rebase, non os. Output will be written to ropfunc.txt
Arguments
- No documented command-specific arguments.
Usage:
Default module criteria : non aslr, non rebase, non os
Output will be written to ropfunc.txt
seh
Alias: None
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | 🚫 x64
Summary
Default module criteria : non safeseh, non aslr, non rebase This function will retrieve all stackpivot pointers that will bring you back to nseh in a seh overwrite exploit
Arguments
- -all: also search outside of loaded modules (optional).
Usage:
Default module criteria : non safeseh, non aslr, non rebase
This function will retrieve all stackpivot pointers that will bring you back to nseh in a seh overwrite exploit
Optional argument:
-all : also search outside of loaded modules
sehchain
Alias: exchain
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | 🚫 x64
Summary
Displays the SEH chain for the current thread. This command will also attempt to display offsets and suggest a payload structure in case a cyclic pattern was used to overwrite the chain.
Arguments
- No documented command-specific arguments.
Usage:
Displays the SEH chain for the current thread.
This command will also attempt to display offsets and suggest a payload structure
in case a cyclic pattern was used to overwrite the chain.
skeleton
Alias: skel
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Creates a Metasploit exploit module skeleton for a specific type of exploit
Arguments
- -t <type:arg>: skeleton type. Valid types are tcpclient:port, udpclient:port and fileformat:extension. Examples: -t tcpclient:21, -t fileformat:pdf (mandatory on WinDBG).
- -s <size>: size of the cyclic pattern (default: 5000) (optional).
Usage:
Creates a Metasploit exploit module skeleton for a specific type of exploit
Mandatory argument in case you are using WinDBG:
-t <type:arg> : skeletontype. Valid types are :
tcpclient:port, udpclient:port, fileformat:extension
Examples : -t tcpclient:21
-t fileformat:pdf
Optional arguments:
-s : size of the cyclic pattern (default : 5000)
stackpivot
Alias: sp
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Finds stackpivots (move stackpointer to controlled area)
Arguments
- -offset <value>: maximum offset for RET instructions (integer, default: 40) (optional).
- -distance <value>: minimum distance for stackpivots (integer, default: 8); use min,max to set both bounds (optional).
- -depth <value>: maximum nr of instructions (not counting the ending instruction) in each gadget (integer, default: 6) (optional).
Usage:
Default module criteria : non aslr,non rebase,non os
Optional parameters :
-offset <value> : define the maximum offset for RET instructions (integer, default : 40)
-distance <value> : define the minimum distance for stackpivots (integer, default : 8)
If you want to specify a min and max distance, set the value to min,max
-depth <value> : define the maximum nr of instructions (not ending instruction) in each gadget (integer, default : 6)
stacks
Alias: None
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Shows all stacks for each thread in the running application
Arguments
- No documented command-specific arguments.
Usage:
Shows all stacks for each thread in the running application
string
Alias: str
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Read a string from memory or write a string to memory
Arguments
- -r: read a string; use in combination with -a.
- -w: write a string; use in combination with -a and -s.
- -noterminate: do not null-terminate the string (use in combination with -w).
- -u: use UTF-16 (Unicode) mode.
- -s <string>: the string to write.
- -a <address>: the location to read from or write to.
Usage:
Read a string from memory or write a string to memory
Arguments:
-r : Read a string, use in combination with -a
-w : Write a string, use in combination with -a and -s
-noterminate : Do not terminate the string (using in combination with -w)
-u : use UTF-16 (Unicode) mode
-s <string> : The string to write
-a <address> : The location to read from or write to
stringpos
Alias: strpos
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Finds the position of the contents at the provided address in the string it is part of.
Arguments
- -a <address>: address to inspect.
Usage:
Finds the position of the contents at the provided address in the string it is part of.
Arguments:
-a <address> : address to inspect
The command reads bytes at the given address (4 bytes on 32-bit, 8 bytes on 64-bit)
and checks whether those bytes appear to be part of:
- an ASCII string
- a UTF-16LE / Unicode string made of printable ASCII characters + null bytes
If a string is found, mona will:
- determine whether it is ASCII or Unicode
- walk backwards to find the start of the string
- calculate the offset of the supplied address inside that string
- calculate the full string length in characters and bytes
- show the PTR_SIZE-sized value at the supplied address in string form
Notes:
- this command currently uses the default "all" matching mode
- the address may be a literal address, register, symbol, or expression accepted by getAddyArg()
Examples:
!mona stringpos -a 0x41414141
!mona strpos -a rsp
!mona strpos -a [esp]
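As an added example (not mona's implementation), here is the walk described above run over a constructed memory image: read PTR_SIZE bytes at the address, classify them as ASCII or UTF-16LE, walk backwards to the string start and forwards to its end, and report the offset of the address inside the string together with the string length in characters and bytes. The memory layout and base address are made up for the demo, and the UTF-16 check accepts only printable ASCII plus null bytes, as the notes above describe.

```python
PRINTABLE = frozenset(range(0x20, 0x7F))  # printable ASCII, space through '~'

# Constructed memory image for the demo (not a real process): a null-padded
# ASCII string, a UTF-16LE string and some non-text bytes behind a fake base.
BASE = 0x00400000
MEMORY = (b"\x00" * 8
          + b"Hello, world!" + b"\x00" * 3                # ASCII at BASE+8
          + "Unicode".encode("utf-16-le") + b"\x00\x00"  # UTF-16LE at BASE+24
          + b"\xff" * 4)                                  # not text, at BASE+40


def _looks_utf16(chunk):
    """True if the chunk alternates printable ASCII and 0x00, in either phase."""
    aligned = all((b in PRINTABLE) if i % 2 == 0 else (b == 0) for i, b in enumerate(chunk))
    shifted = all((b == 0) if i % 2 == 0 else (b in PRINTABLE) for i, b in enumerate(chunk))
    return aligned or shifted


def string_pos(mem, base, addr, ptr_size=4):
    """Mimic !mona stringpos -a <addr> over an in-memory byte image.

    Reads ptr_size bytes at addr (4 on x86, 8 on x64), decides ASCII vs
    UTF-16LE, walks backwards to the string start and forwards to its end, and
    reports the offset of addr inside the string plus the string length.
    Returns None if the bytes at addr do not look like text.
    """
    off = addr - base
    chunk = mem[off:off + ptr_size]
    if off < 0 or len(chunk) < ptr_size:
        return None
    if all(b in PRINTABLE for b in chunk):
        kind, step = "ascii", 1
        unit = off
    elif _looks_utf16(chunk):
        kind, step = "unicode", 2
        # Land on the low (printable) byte of the code unit that contains addr.
        if chunk[0] != 0:
            unit = off
        elif off > 0 and mem[off - 1] in PRINTABLE:
            unit = off - 1
        else:
            unit = off + 1
    else:
        return None

    def is_char(pos):
        """One character of the detected kind starts at byte offset pos."""
        if pos < 0 or pos + step > len(mem) or mem[pos] not in PRINTABLE:
            return False
        return step == 1 or mem[pos + 1] == 0

    start = unit
    while is_char(start - step):
        start -= step
    end = unit
    while is_char(end):
        end += step
    return {
        "type": kind,
        "start": base + start,
        "offset_bytes": off - start,
        "offset_chars": (unit - start) // step,
        "length_chars": (end - start) // step,
        "length_bytes": end - start,
        "value": chunk.decode("latin-1"),   # the PTR_SIZE bytes at addr, as text
    }


if __name__ == "__main__":
    for a in (BASE + 12, BASE + 28, BASE + 29, BASE + 40):
        print(hex(a), string_pos(MEMORY, BASE, a))
```

The BASE+29 case is the one worth noting: the address lands on the null high byte of a UTF-16 code unit, so the byte offset (5) and the character offset (2) differ, which is why both are reported.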
suggest
Alias: sg
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Suggests an exploit buffer structure based on pointers to a cyclic pattern Note : you can use the same options as with pattern_create and pattern_offset in terms of defining the character set to use
Arguments
- -t <type:arg>: skeleton type for the suggested module. Valid types are tcpclient:port, udpclient:port and fileformat:extension. Examples: -t tcpclient:21, -t fileformat:pdf (mandatory on WinDBG).
Usage:
Suggests an exploit buffer structure based on pointers to a cyclic pattern
Note : you can use the same options as with pattern_create and pattern_offset in terms of defining the character set to use
Mandatory argument in case you are using WinDBG:
-t <type:arg> : skeletontype. Valid types are :
tcpclient:port, udpclient:port, fileformat:extension
Examples : -t tcpclient:21
-t fileformat:pdf
symbols
Alias: None
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | 🚫 Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Manage symbols: list status, fetch from server, or clean cache.
Arguments
- -list (-l): show symbol availability for all modules (mode).
- -fetch (-f): download missing symbols from the symbol server (mode).
- -clean (-c): remove .error files from symbol cache folders (mode).
- -m <filter>: filter by module name, supports wildcards (optional; with -list or -fetch).
- -cm <spec>: filter by module criteria, e.g. aslr=true,os=false (optional; with -list or -fetch).
- -o: exclude OS modules (optional; with -list or -fetch).
- -sort <spec>: sort output by base, size, rebase, safeseh, aslr, cfg, nx or os; e.g. -sort base+ sorts in ascending base-address order (optional; with -list).
- -s <index>: use only server #N from the sympath table (see -list). Without -s, all configured servers are tried (optional; with -fetch).
- -force: download symbols via direct HTTP instead of .reload /f. If .reload /f fails, mona falls back to direct HTTP download anyway (optional; with -fetch).
- -p <path/folder>: remove .error files from this specific folder (default: scan all symbol cache directories) (optional; with -clean).
Usage:
Manage symbols: list status, fetch from server, or clean cache.
Arguments:
-list (-l) : Show symbol availability for all modules
-fetch (-f) : Download missing symbols from symbol server
-clean (-c) : Remove .error files from symbol cache folders
Optional arguments (for -list):
-m <filter> : Filter by module name (supports wildcards)
-cm <spec> : Filter by module criteria (e.g. aslr=true,os=false)
-o : Exclude OS modules
-sort <spec> : Sort output (base, size, rebase, safeseh, aslr, cfg, nx, os)
e.g. -sort base+ (ascending base address)
Optional arguments (for -fetch):
-m <filter> : Filter by module name (supports wildcards)
-cm <spec> : Filter by module criteria (e.g. aslr=true,os=false)
-o : Exclude OS modules
-s <index> : Use only server #N from sympath table (see -list)
Without -s, tries all configured servers
-force : Download symbols via direct HTTP instead of .reload /f
If .reload /f fails, falls back to direct HTTP download
Optional arguments (for -clean):
-p <path/folder> : Remove .error files from this specific folder
(default: scan all symbol cache directories)
NOTE: -clean will delete files automatically, without asking for confirmation.
tellme
Alias: ai
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | 🚫 Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Ask an AI engine to analyze the current WinDBG debugger context.
Arguments
- -e <engine>: AI engine to use. If omitted, mona checks mona.ai.engine first, then MONA_AI_ENGINE, and otherwise uses offline. If the selected default engine has no API key or model configured, tellme falls back to offline. Supported values: offline, openai, anthropic. OpenAI requires the OpenAI Python SDK; Anthropic uses direct HTTP in the current implementation. Recent common models: OpenAI gpt-5.5, gpt-5.1, gpt-5-mini, gpt-5-nano; Anthropic claude-opus-4-7, claude-sonnet-4-6, claude-haiku-4-5. Official model docs: OpenAI https://developers.openai.com/api/docs/models; Anthropic https://platform.claude.com/docs/en/about-claude/models/overview (optional).
- -model <id>: explicit model override. If specified, this wins over mona.ini and environment variables for the current request (optional).
- -timeout <s>: per-request timeout in seconds. Use this when larger prompts or slower models time out (optional).
- -submit: skip the confirmation prompt and submit the AI request immediately (optional).
- -q <number>: prompt profile. 1 = analyse the current crash state; 2 = analyse the current EIP/RIP function plus an optional extra function from -a; 9 = load a request template from -f <file>. Running -q 1 or -q 2 also rewrites ai.q1 or ai.q2 in the configured working folder if one is set, otherwise next to mona.ini. Those templates are not used automatically; use -q 9 -f <file> to apply one (mandatory).
- -a <address>: address/register/module!symbol/expression to analyse. With -q 1, this adds an extra heap target. With -q 2, this adds a second function analysis rooted at that location while keeping the live EIP/RIP function as the primary context (optional).
- -l <files>: comma-separated context files. Files that contain alloc()/free() lines are treated as heapdynamics logs; the others are added as supporting context. If no heapdynamics log is supplied, mona still looks for c:\alloc.txt (optional).
- -d <number>: with -q 2, call/jump follow depth for nested target disassembly. Default: 1. Maximum: 3 (optional).
- -p <file>: PoC/trigger file. Its full contents are added under poc_file (optional).
- -f <file>: required for -q 9. If the file contains [variable] placeholders, mona collects live debugger context and replaces recognized placeholders inline before submitting the prompt; unrecognized placeholders are reported and left unchanged. If the file already contains a built request (PROMPT BEGIN/PROMPT END, or a raw prompt with Debugger request JSON:) and no placeholders remain, mona reuses that request body directly instead of rebuilding debugger context (conditional).
- -offline: force offline behavior for the current request even when a default engine is configured. No provider model lookup or submission happens in offline mode. Legacy alias: -dryrun (optional).
- -test: override the configured model with a lower-cost test model. OpenAI uses gpt-5-nano; Anthropic uses claude-haiku-4-5 (optional).
Usage:
Ask an AI engine to analyze the current WinDBG debugger context.
Supported engines:
- offline (default when no mona.ini or MONA_AI_ENGINE default is configured; always saves the request without sending it)
- openai (recent common models: gpt-5.5, gpt-5.1, gpt-5-mini, gpt-5-nano; requires the OpenAI Python SDK)
- anthropic (recent common models: claude-opus-4-7, claude-sonnet-4-6, claude-haiku-4-5; Cyber Verification Program approval can reduce friction for legitimate dual-use work on supported Claude surfaces; no Anthropic Python SDK required)
Configuration:
Choose one of these approaches:
1. Store settings in mona.ini:
!mona config -set mona.ai.engine openai
!mona config -set openai.key <your OpenAI API key>
!mona config -set openai.model gpt-5-mini
!mona config -set openai.timeout 90
!mona config -set openai.max_tokens 4096
!mona config -set mona.ai.engine anthropic
!mona config -set anthropic.key <your Anthropic API key>
!mona config -set anthropic.model claude-sonnet-4-6
!mona config -set anthropic.timeout 90
!mona config -set anthropic.max_tokens 4096
2. Or use environment variables instead:
- MONA_AI_ENGINE
- OPENAI_API_KEY
- OPENAI_MODEL
- OPENAI_TIMEOUT
- OPENAI_MAX_TOKENS
- ANTHROPIC_API_KEY
- ANTHROPIC_MODEL
- ANTHROPIC_TIMEOUT
- ANTHROPIC_MAX_TOKENS
Precedence:
If -e is specified, it overrides everything else
If -e is omitted, mona checks mona.ai.engine first, then MONA_AI_ENGINE
If both are present, mona.ini values take precedence over environment variables
For a single request, -model and -timeout override both config and environment values
max_tokens can be controlled via <engine>.max_tokens or the matching environment variable
If neither a default engine nor -e is specified, tellme uses offline as the default engine
If the default engine has no API key or model configured, tellme falls back to offline
-offline still overrules a configured default engine for that one request
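The precedence rules above, worked through as an added example; this is an illustration written for this page, not mona's own code. mona.ini is modelled as a flat dict of "section.key" entries, environment variables as a second dict, and the assumption that an explicit -e without an API key is an error (rather than an offline fallback) is mine.

```python
from dataclasses import dataclass
from typing import Optional

# Added illustration of tellme's engine selection; not mona's own code.
SUPPORTED = ("offline", "openai", "anthropic")
DEFAULT_MODELS = {"openai": "gpt-5-mini", "anthropic": "claude-sonnet-4-6"}
TEST_MODELS = {"openai": "gpt-5-nano", "anthropic": "claude-haiku-4-5"}
DEFAULT_TIMEOUT = 60


@dataclass
class Resolved:
    engine: str            # engine that will actually be used
    model: Optional[str]   # None when running offline
    timeout: int
    reason: str            # which rule decided the engine


def resolve_engine(ini, env, e=None, model=None, timeout=None,
                   offline=False, test=False):
    """-offline > -e > mona.ini > MONA_AI_ENGINE > offline, with key fallback."""
    if offline:
        return Resolved("offline", None, timeout or DEFAULT_TIMEOUT, "-offline given")
    if e is not None:
        engine, reason, explicit = e, "-e given", True
    elif "mona.ai.engine" in ini:
        engine, reason, explicit = ini["mona.ai.engine"], "mona.ini mona.ai.engine", False
    elif "MONA_AI_ENGINE" in env:
        engine, reason, explicit = env["MONA_AI_ENGINE"], "MONA_AI_ENGINE", False
    else:
        engine, reason, explicit = "offline", "no default engine configured", False
    if engine not in SUPPORTED:
        raise ValueError(f"unsupported engine {engine!r}")
    if engine == "offline":
        return Resolved("offline", None, timeout or DEFAULT_TIMEOUT, reason)

    def setting(ini_key, env_suffix):
        # mona.ini value wins over the matching environment variable
        return ini.get(f"{engine}.{ini_key}") or env.get(f"{engine.upper()}_{env_suffix}")

    if not setting("key", "API_KEY"):
        if explicit:  # assumption: explicit -e without a key is an error, not a fallback
            raise ValueError(f"no API key configured for {engine}")
        return Resolved("offline", None, timeout or DEFAULT_TIMEOUT,
                        f"{engine} selected by {reason} but no API key; falling back")
    # -model and -timeout override both config and environment for this request
    chosen_model = model or setting("model", "MODEL") or DEFAULT_MODELS[engine]
    if test:
        chosen_model = TEST_MODELS[engine]   # -test swaps in the low-cost model
    chosen_timeout = timeout or int(setting("timeout", "TIMEOUT") or DEFAULT_TIMEOUT)
    return Resolved(engine, chosen_model, chosen_timeout, reason)
```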
Default models:
- OpenAI : gpt-5-mini
- Anthropic: claude-sonnet-4-6
Default timeout:
- 60 seconds per request
Common models:
- OpenAI : gpt-5.5, gpt-5.1, gpt-5-mini, gpt-5-nano
- Anthropic: claude-opus-4-7, claude-sonnet-4-6, claude-haiku-4-5
Official model docs:
- OpenAI : https://developers.openai.com/api/docs/models
- Anthropic: https://platform.claude.com/docs/en/about-claude/models/overview
Arguments:
-e <engine> : AI engine to use: offline, openai, or anthropic.
If omitted, mona checks mona.ai.engine first, then MONA_AI_ENGINE,
and otherwise defaults to offline.
If the selected default engine has no API key or model configured,
tellme also falls back to offline
If you omit -q and a provider engine is configured, tellme prints
the available models visible to that API key instead of submitting a request
-model <id> : Optional explicit model override. If specified, this wins over mona.ini and environment variables
-timeout <s> : Optional per-request timeout in seconds. Use this when larger prompts or slower models time out
For response truncation, increase anthropic.max_tokens or ANTHROPIC_MAX_TOKENS
-maxsize <kb>: Optional q1 request-size target in kilobytes. By default, tellme keeps the larger evidence set
and only reports the final request size. If you set -maxsize, mona will try to reduce lower-priority
evidence to stay within that target and will record any reductions under [omitted_sections]
-submit : Skip the confirmation prompt and submit the AI request immediately
-q <number> : Required. Prompt profile to use:
1 = analyse the current crash state
2 = analyse the current EIP/RIP function, plus an optional extra function from -a
9 = load a request template from -f <file>
Running -q 1 or -q 2 also rewrites ai.q1 or ai.q2 in the working folder if set,
otherwise next to mona.ini
Those template files are not used automatically; use -q 9 -f <file> to apply one
-a <address> : Optional address/register/module!symbol/expression to analyse.
With -q 1, this adds an extra heap target.
With -q 2, this adds a second function analysis rooted at that location,
while still keeping the live EIP/RIP function as the primary context
-l <files> : Optional comma-separated context files, for example -l "file1,file2"
Any file containing alloc()/free() lines is treated as a heapdynamics log
Other files are added as supporting context under [additional_context_files]
If no heapdynamics log is supplied, tellme will still look for c:\\alloc.txt
For -q 1, focused matches are exposed under [heapdynamics] and [heapdynamics_mini]
and the larger raw heapdynamics context remains available under [heapdynamics_full]
unless you explicitly ask mona to shrink the request with -maxsize
-d <number> : With -q 2, optional call/jump follow depth for control_flow_targets.
Default: 1. Maximum: 3.
-p <file> : Optional PoC/trigger file. The full file contents are added under [poc_file]
-f <file> : Required for -q 9.
If the file contains [variable] placeholders, mona resolves them against the debugger context variables below.
If the file already contains a built request (PROMPT BEGIN/PROMPT END or a raw prompt with Debugger request JSON:)
and no placeholders remain, mona reuses that request body directly instead of rebuilding debugger context
-offline : Force offline behavior for this request even when a default engine is configured
-test : Override the configured model with a lower-cost test model
Examples:
!mona tellme -q 1
!mona config -set mona.ai.engine anthropic
!mona tellme -e anthropic -q 2
!mona tellme -e openai -q 2 -a kernel32!CreateFileW
!mona tellme -e openai -q 2 -d 2
!mona tellme -e openai -q 2 -a eip
!mona tellme -e openai -q 1 -l alloc.txt,triage.txt -p poc.py
!mona tellme -e openai -model gpt-5-mini -q 1
!mona tellme -e anthropic -model claude-sonnet-4-6 -q 1
!mona tellme -e openai -q 1 -submit
!mona tellme -e openai -q 1 -timeout 120
!mona tellme -e openai -q 1 -maxsize 300
!mona tellme -e openai -q 9 -f request.txt
!mona tellme -e openai -q 9 -f ai.q1 -l alloc.txt -p poc.py
!mona tellme -e openai -q 9 -f ai.q2 -a kernel32!CreateFileW
!mona tellme -e openai -q 1 -offline
!mona tellme -e openai -q 1 -test
Debugger context variables:
[debugger] = debugger backend name
[processname] = debugged process image name
[architecture] = target architecture
[pointer_size] = pointer width in bytes
[timestamp] = local timestamp when the request was built
[registers] = current register set and values
[program_counter] = current instruction pointer
[stack_pointer] = current stack pointer
[pc_disasm] = current instruction plus nearby disassembly
[pc_module] = module summary for the current instruction pointer
[pc_page] = memory page summary for the current instruction pointer
[stack_page] = memory page summary for the current stack pointer
[pc_memory] = raw bytes near the current instruction pointer
[stack_memory] = raw bytes near the current stack pointer
[modules] = crash-focused module summary used by default for -q 1
[modules_mini] = explicit alias of the compact crash-focused module summary
[modules_full] = full loaded module listing
[call_stack] = WinDBG call stack output
[windbg_analyze] = compact !analyze -v crash summary used by default for -q 1
[windbg_analyze_mini] = explicit alias of the compact !analyze -v crash summary
[windbg_analyze_full] = full raw !analyze -v output
[findmsp] = cyclic-pattern analysis results
[seh_chain] = 32-bit SEH chain summary
[instruction_heap_references] = heap and pointer context related to the current instruction
[heap_details] = heap, segment, VAD, and chunk summary
[heap_analysis_target] = extra heap-focused target from -a when using -q 1
[heapdynamics] = focused heapdynamics matches used by default for -q 1
[heapdynamics_mini] = explicit alias of the focused heapdynamics matches
[heapdynamics_full] = larger raw heapdynamics context, including file-backed evidence when retained
[evidence] = deduplicated shared heap and alloc/free evidence records
[size_budget] = final q1 request size and optional requested -maxsize target
[omitted_sections] = sections dropped or blanked only when mini evidence omits data or -maxsize forces reduction
[additional_context_files] = supporting files from -l that are not heapdynamics logs
[poc_file] = optional PoC/trigger file contents from -p
[analysis_target] = live EIP/RIP address/source used as the primary q2 context
[current_function] = function context for the live EIP/RIP location
[additional_function] = extra q2 function context collected from -a when it differs
[additional_function_note] = note explaining when -a matched the live EIP/RIP location
[function_analyses] = ordered list of q2 function analyses, including invalid-location reports
current_function.control_flow_follow_depth = q2 call/jump follow depth used for nested target analysis
Error variables may also appear when collection fails
For -q 1 and -q 2, the final request sent to the AI uses the structured 'variables' object.
For -q 1 specifically, compact variables are used by default, but larger *_full variables are still kept unless
you explicitly request shrinking with -maxsize.
For -q 9, mona reads the template file and replaces placeholders such as [registers] and [pc_disasm]
with the actual debugger values before submitting the resulting prompt.
Unknown placeholders are reported and left unchanged instead of aborting prompt generation.
Request generation notes:
tellme can always build and save the request file, even if no supported OpenAI or Anthropic SDK is installed
and/or no API key is configured.
That means manual submission is a supported workflow:
you can generate the request file and paste it into ChatGPT, Grok, Claude, or another AI tool yourself.
If you prefer direct API calls from mona instead, install a supported SDK and configure an API key.
Before a live provider request is sent, tellme queries the provider models API and checks whether
the configured model is available to that API key.
Direct API requests ask for confirmation by default.
Add -submit when you want mona to skip that prompt and send the request immediately.
When you run -q 1 or -q 2, mona also rewrites ai.q1 or ai.q2 in the working folder if set,
otherwise in the same folder as mona.ini.
Those files are reusable request templates built with [variable] placeholders instead of live debugger values.
They are provided for inspection or reuse and are not applied automatically during -q 1 or -q 2.
To use one of those templates, run -q 9 -f ai.q1 or -q 9 -f ai.q2.
If the -q 9 file already contains a saved request prompt and no placeholders remain, mona submits that prompt body directly.
With -offline, tellme saves the request file and prints only the saved file path instead of dumping the
full request to the debugger console.
Question notes:
-q 1 focuses on the current crash state, nearby memory, and related heap context.
-q 2 focuses on the function containing the live EIP/RIP location and optionally a second function from -a.
With -q 2, -d controls how many nested call/jump levels mona will follow when collecting target disassembly.
tellme is always registered under WinDBG. If the AI SDK import fails at runtime, mona will report the actual import error instead of hiding the command.
Test model overrides:
- OpenAI : gpt-5-nano
- Anthropic: claude-haiku-4-5
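The -q 9 template handling described in the usage text (placeholder replacement, unknown placeholders reported and left in place, and reuse of an already built request body), as an added example; this is not mona's own code, and the `collect` callback and the constructed sample context are my assumptions standing in for live debugger collection.

```python
import re
from dataclasses import dataclass, field

# Added illustration of -q 9 template resolution; not mona's own code.
# Placeholder names follow the "Debugger context variables" list above.
PLACEHOLDER = re.compile(r"\[([A-Za-z_][A-Za-z0-9_]*)\]")
BUILT_MARKERS = ("PROMPT BEGIN", "Debugger request JSON:")


@dataclass
class TemplateResult:
    prompt: str
    replaced: list = field(default_factory=list)
    unknown: list = field(default_factory=list)
    reused: bool = False   # True when a saved request body is used as-is


def resolve_template(text, collect):
    """Fill [variable] placeholders using collect(name) -> value or None.

    Unknown placeholders are reported in .unknown and left unchanged rather
    than aborting. In this illustration, bracketed operands that survive in
    pasted disassembly (e.g. "[eax]") surface the same way and stay intact.
    """
    names = list(dict.fromkeys(PLACEHOLDER.findall(text)))   # unique, in order
    if not names and any(marker in text for marker in BUILT_MARKERS):
        # already built request with no placeholders left: reuse directly
        return TemplateResult(prompt=text, reused=True)
    result = TemplateResult(prompt=text)

    def substitute(match):
        name = match.group(1)
        value = collect(name)
        if value is None:
            if name not in result.unknown:
                result.unknown.append(name)
            return match.group(0)          # leave the placeholder untouched
        if name not in result.replaced:
            result.replaced.append(name)
        return value

    result.prompt = PLACEHOLDER.sub(substitute, text)
    return result


# Constructed sample context standing in for live debugger collection
SAMPLE_CONTEXT = {
    "debugger": "WinDBG",
    "architecture": "x86",
    "registers": "eax=41414141 ebx=00000000 eip=41414141 esp=0019ff2c",
    "pc_disasm": "41414141 ??              ???",
}
```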
Alias: None
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Show the address of the Thread Environment Block (TEB) for the current thread
Arguments
- No documented command-specific arguments.
Usage:
Show the address of the Thread Environment Block (TEB) for the current thread
Alias: 2bp
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | 🚫 Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Generate WinDBG syntax to set a logging breakpoint at a given location
Arguments
- -a <address>: Location (address, register) for logging breakpoint (arguments)
- -e: Execute breakpoint command right away (optional)
Usage:
Generate WinDBG syntax to set a logging breakpoint at a given location
Arguments:
-a <address> : Location (address, register) for logging breakpoint
Optional arguments:
-e : Execute breakpoint command right away
Alias: ua
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | 🚫 x64
Summary
Generates a venetian shellcode alignment stub which can be placed directly before unicode shellcode.
Arguments
- -a <address>: Specify the address where the alignment code will start/be placed. If -a is not specified, the current value in EIP will be used. (arguments)
- -l: Prepend alignment with a null byte compensating nop equivalent (use this if the last instruction before the alignment routine 'leaks' a null byte) (arguments)
- -b <reg>: Set the buffer register, defaults to eax (arguments)
- -t <seconds>: Time in seconds to run heuristics (defaults to 15) (arguments)
- -ebp <value>: Overrule the use of the 'current' value of ebp; ebp/address will be used to calculate the offset to shellcode (arguments)
Usage:
Generates a venetian shellcode alignment stub which can be placed directly before unicode shellcode.
Arguments:
-a <address> : Specify the address where the alignment code will start/be placed
: If -a is not specified, the current value in EIP will be used.
-l : Prepend alignment with a null byte compensating nop equivalent
(Use this if the last instruction before the alignment routine 'leaks' a null byte)
-b <reg> : Set the buffer register, defaults to eax
-t <seconds> : Time in seconds to run heuristics (defaults to 15)
-ebp <value> : Overrule the use of the 'current' value of ebp,
ebp/address will be used to calculate offset to shellcode
Alias: up
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Update mona to the latest version
Arguments
- -simul: Check for updates and simulate updating. Will show release notes if available. (optional)
- -force: Always overwrite local file(s) with downloaded copy if version/revision info is present. (optional)
Usage:
Update mona to the latest version
Optional argument:
-simul : Check for updates and simulate updating. Will show release notes if available.
-force : Always overwrite local file(s) with downloaded copy if version/revision info is present.
Alias: w
Debugger compatibility: ✅ WinDBG Classic / WinDBGX | ✅ Immunity Debugger
Architectures: ✅ x86 | ✅ x64
Summary
Write a byte sequence to a memory location.
Arguments
- -a <address>: the destination address (arguments)
- -s <bytes|asm>: bytes to write (arguments)
Usage:
Write a byte sequence to a memory location.
Arguments:
-a <address> : the destination address
-s <bytes|asm> : bytes to write