  • Language
    C++
  • License
    Apache License 2.0
  • Created over 2 years ago
  • Updated 5 months ago


ttddbg - Time Travel Debugging IDA plugin

⚠️ Attention IDA 8 users: using ttddbg with IDA 8 currently requires a workaround, see Known issues.

This plugin adds a new debugger to IDA which supports loading Time Travel Debugging traces generated using WinDBG Preview.

[Screenshot: ttddbg main window]

This plugin supports both x86 and x64 traces, and by extension IDA and IDA64.

Installation

Installing the plugin can be done using the installer from the releases page. The installer will automatically install the required dependencies, provided you have a copy of WinDBG Preview installed.

Usage

Once installed, you can use the plugin by selecting the ttddbg debugger in the IDA interface, and specifying your *.run file as the "Application". For help on generating a .run file, see HOWTO_TIME_TRAVEL.md.

[Screenshot: selecting the ttddbg debugger]

[Screenshot: ttddbg debugger setup]

Icon                  Action
backward_icon         Go to previous breakpoint
full_run_icon         Simulate a full run of the program
single_step_icon      Single step backward (RIP - one instruction)
timeline_icon         Manage the timeline of interesting events (Threads Created/Terminated, Module Loaded/Unloaded, Exceptions, Custom)
traced_functions_icon Manage the currently traced functions
trace_events_icon     View trace events

Function tracing feature

Since version 1.1.0, ttddbg supports a new feature we call "function tracing". While in the debugging view, you can mark functions for tracing by right-clicking them in the Functions or Modules view. Once a function is traced, every call to it and every return from it is recorded in the new Trace events window.

Using the function prototypes from your reverse engineering work, ttddbg also extracts the parameters passed to each traced function as well as its return value. Values are automatically pretty-printed using the type information available to IDA, such as enum names.

Known issues

  • Using IDA Pro 8.2 and this plugin leads to a crash when entering the debugger. This issue appears to be caused by an incompatibility between this plugin and the picture_search plugin, which is new in IDA 8. Removing picture_search.dll and picture_search64.dll from the plugins folder temporarily fixes this issue. The problem has been raised to Hex-Rays.

Building the project

Prerequisites:

  • A copy of the IDA SDK (available from the download center using your IDA Pro credentials)
  • A copy of TTDReplay.dll (usually in C:\Program Files\WindowsApps\[WinDBG folder]\amd64\ttd\)
  • A copy of TTDReplayCPU.dll (usually in C:\Program Files\WindowsApps\[WinDBG folder]\amd64\ttd\)

And let CMAKE do its magic!

$ git clone git@github.com:airbus-cert/ttddbg.git --recursive
$ mkdir build
$ cd build
$ cmake ..\ttddbg -DIDA_SDK_SOURCE_DIR=[PATH_TO_IDA_SDK_ROOT_FOLDER] -DCPACK_PACKAGE_INSTALL_DIRECTORY="IDA Pro 7.7"
$ cmake --build . --target package --config release

Developer corner

To create a dev solution:

$ git clone git@github.com:airbus-cert/ttddbg.git --recursive
$ mkdir build
$ cd build
$ cmake ..\ttddbg -DIDA_SDK_SOURCE_DIR=[PATH_TO_IDA_SDK_ROOT_FOLDER] -DBUILD_TESTS=ON

Credits and references

Greetz to commial for his work on ttd-bindings!
