airbus-cert / ttddbg Goto Github PK

View Code? Open in Web Editor NEW

547.0 17.0 37.0 28.07 MB

Time Travel Debugging IDA plugin

License: Apache License 2.0

CMake 6.09% C++ 90.46% Hack 3.45%

ida reverse-engineering debugging

ttddbg's Introduction

ttddbg - Time Travel Debugging IDA plugin

⚠️ Attention IDA 8 users: using ttddbg with IDA 8 require a work-around for the moment, see Known issues

This plugin adds a new debugger to IDA which supports loading Time Travel Debugging traces generated using WinDBG Preview.

This plugin supports both x86 and x64 traces, and by extension IDA and IDA64.

Installation

Installing the plugin can be done using the installer from the releases page. The installer will automatically install the required dependencies, provided you have a copy of WinDBG Preview installed.

Usage

Once installed, you can use the plugin by selecting the ttddbg debugger in the IDA interface, and specifying your *.run file as the "Application". For help on generating a .run file, see HOWTO_TIME_TRAVEL.md.

Icon	Action
	Go to previous breakpoint
	Simulate a full run of the program
	Single step backward (RIP - one instruction)
	Manage the timeline of interesting events (Threads Created/Terminated, Module Loaded/Unloaded, Exceptions, Custom)
	Manage the currently traced functions
	View trace events

Function tracing feature

Since version 1.1.0, ttddbg supports a new feature we call "function tracing". While in the debugging view, it is possible to mark functions for tracing by right-clicking them in the Functions or Module interfaces. Once a function is traced, any call to this function, and any return statement, will be recorded in the new Trace events window.

Using the function information from your reverse engineering work, ttddbg also extracts the parameters passed to the function as well as its return value. Symbols are automatically pretty-printed based on the information available to IDA, such as enum values.

Known issues

Using IDA Pro 8.2 and this plugin leads to a crash when entering the debugger. This issue appears to be caused by an incompatibility between this plugin and the picture_search plugin, which is new in IDA 8. Removing picture_search.dll and picture_search64.dll from the plugins folder temporarily fixes this issue. The problem has been raised to Hex-Rays.

Building the project

Prerequisites:

A copy of the IDA SDK (available from the download center using your IDA Pro credentials)
A copy of TTDReplay.dll (usually in C:\Program Files\WindowsApps\[WinDBG folder]\amd64\ttd\)
A copy of TTDReplayCPU.dll (usually in C:\Program Files\WindowsApps\[WinDBG folder]\amd64\ttd\)

And let CMAKE do its magic!

$ git clone [email protected]:airbus-cert/ttddbg.git --recursive
$ mkdir build
$ cd build
$ cmake ..\ttddbg -DIDA_SDK_SOURCE_DIR=[PATH_TO_IDA_SDK_ROOT_FOLDER] -DCPACK_PACKAGE_INSTALL_DIRECTORY="IDA Pro 7.7"
$ cmake --build . --target package --config release

Developer corner

To create a dev solution:

$ git clone [email protected]:airbus-cert/ttddbg.git --recursive
$ mkdir build
$ cd build
$ cmake ..\ttddbg -DIDA_SDK_SOURCE_DIR=[PATH_TO_IDA_SDK_ROOT_FOLDER] -DBUILD_TESTS=ON

Credits and references

Greetz to commial for his work on ttd-bindings!

ttddbg's People

Contributors

Stargazers

Watchers

ttddbg's Issues

Improve key bindings

Currently, none of the new actions have any assigned key bindings. Have a look at assigning key bindings similar to the ones for the "normal" operations (F7 for Step Into, F8 for Step Over, F9 for Continue).

If possible, Ctrl+F7 for Single Step Backwards (already bound to Run Until Return, we might have to use Ctrl+F8), Ctrl+F9 for Continue Backwards.

ida8.2sp1 Crash

I have removed the picture_search.dll and picture_search64.dll plug-in, and using your plug-in caused ida to fail to open and crashed all the time.I don't think this is a problem with ida, please find out the reason yourself.
I hope that the plugin can run robustly and not conflict with various plugins.

Continuing backwards does nothing.

This issue relates to the Continue backwards functionality. Clicking on the button does nothing and the current instruction pointer stays the same.

Testing was done on the following:
Ida Pro 7.7
Windows 10
WinDbg engine version: 10.0.25877.1004
WinDbg client version: 1.2306.12001.0

A GIF of the issue is attached below.

Crash when click on timeline and no debugger is selected

When I clicked on the timeline shortcut and no debugger is selected, IDA crashed

Have to step twice when when the debugger is stopped at a breakpoint.

When the debugger is stopped at a certain breakpoint, you have to step twice to step the current instruction. Testing other debuggers such local windows debugger, this behavior does not occur.
I have used the following script in IDA to test the behaviour, similar to what can be found in
ida_installation_folder/python3/examples/debugging/dbghooks/automatic_steps.py

"""
summary: programmatically drive a debugging session

description:
  Start a debugging session, step through the first five
  instructions. Each instruction is disassembled after
  execution.
"""

from __future__ import print_function

import ida_dbg
import ida_ida
import ida_lines

line = 1

class MyDbgHook(ida_dbg.DBG_Hooks):
    """ Own debug hook class that implementd the callback functions """

    def __init__(self):
        ida_dbg.DBG_Hooks.__init__(self) # important
        self.steps = 0

    def log(self, msg):
        print(">>> %s" % msg)

    def dbg_process_start(self, pid, tid, ea, name, base, size):
        self.log("Process started, pid=%d tid=%d name=%s" % (pid, tid, name))

    def dbg_process_exit(self, pid, tid, ea, code):
        self.log("Process exited pid=%d tid=%d ea=0x%x code=%d" % (pid, tid, ea, code))

    def dbg_library_unload(self, pid, tid, ea, info):
        self.log("Library unloaded: pid=%d tid=%d ea=0x%x info=%s" % (pid, tid, ea, info))

    def dbg_process_attach(self, pid, tid, ea, name, base, size):
        self.log("Process attach pid=%d tid=%d ea=0x%x name=%s base=%x size=%x" % (pid, tid, ea, name, base, size))

    def dbg_process_detach(self, pid, tid, ea):
        self.log("Process detached, pid=%d tid=%d ea=0x%x" % (pid, tid, ea))

    def dbg_library_load(self, pid, tid, ea, name, base, size):
        self.log("Library loaded: pid=%d tid=%d name=%s base=%x" % (pid, tid, name, base))

    def dbg_bpt(self, tid, ea):
        self.log("Break point at 0x%x pid=%d" % (ea, tid))
        # return values:
        #   -1 - to display a breakpoint warning dialog
        #        if the process is suspended.
        #    0 - to never display a breakpoint warning dialog.
        #    1 - to always display a breakpoint warning dialog.
        return 0

    def dbg_suspend_process(self):
        self.log("Process suspended")

    def dbg_exception(self, pid, tid, ea, exc_code, exc_can_cont, exc_ea, exc_info):
        self.log("Exception: pid=%d tid=%d ea=0x%x exc_code=0x%x can_continue=%d exc_ea=0x%x exc_info=%s" % (
            pid, tid, ea, exc_code & ida_idaapi.BADADDR, exc_can_cont, exc_ea, exc_info))
        # return values:
        #   -1 - to display an exception warning dialog
        #        if the process is suspended.
        #   0  - to never display an exception warning dialog.
        #   1  - to always display an exception warning dialog.
        return 0

    def dbg_trace(self, tid, ea):
        self.log("Trace tid=%d ea=0x%x" % (tid, ea))
        # return values:
        #   1  - do not log this trace event;
        #   0  - log it
        return 0

    def dbg_step_into(self):
        self.log("Step into")

    def dbg_run_to(self, pid, tid=0, ea=0):
        self.log("Runto: tid=%d, ea=%x" % (tid, ea))

    def dbg_step_over(self):
        global line
        self.log("step over "+str(line))
        line += 1


# Remove an existing debug hook
try:
    if debughook:
        print("Removing previous hook ...")
        debughook.unhook()
except:
    pass

# Install the debug hook
debughook = MyDbgHook()
debughook.hook()

IDA crash

IDA will crash when debugger selected not ttddbg

Menu Debugger - Switch debugger....
In "Select a debugger form...", select a debugger, not ttddbg
Run, debug...
Click on any button of ttddbg toolbar, IDA will crash
Tks

Improve installation and usage

Currently the installer drops the plugin and TTD DLLs into IDA's install folder which requires admin privileges. Besides making the installer unnecessarily IDA version-specific, this can be easily avoided with a couple small improvements:

drop the plugin into the user directory ( %APPDATA%\Hex-Rays\IDA Pro\plugins).
instead of LoadLibrary(TEXT("TTDReplay.dll")) which requires the DLL to be in the DLL search path, use the full path to the DLL in the WinDbg install directory, or, if it's not possible, to the copy in the user directory.

Building?

I am following your instructions to build but to no avail:

C:\Users\elias\Projects\github\ttddbg>cd build

C:\Users\elias\Projects\github\ttddbg\build>cmake ..\ttddbg -DIDA_SDK_SOURCE_DIR=%IDASDK% -DBUILD_TESTS=ON
-- Building for: Visual Studio 17 2022
CMake Warning (dev) in CMakeLists.txt:
No project() command is present. The top-level CMakeLists.txt file must
contain a literal, direct call to the project() command. Add a line of
code such as

project(ProjectName)

near the top of the file, but after cmake_minimum_required().

CMake is pretending there is a "project(Project)" command on the first
line.
This warning is for project developers. Use -Wno-dev to suppress it.

CMake Warning (dev) in CMakeLists.txt:
cmake_minimum_required() should be called prior to this top-level project()
call. Please see the cmake-commands(7) manual for usage documentation of
both commands.
This warning is for project developers. Use -Wno-dev to suppress it.

-- Selecting Windows SDK version 10.0.22621.0 to target Windows 10.0.19045.
-- The C compiler identification is MSVC 19.38.33133.0
-- The CXX compiler identification is MSVC 19.38.33133.0
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Check for working C compiler: C:/Program Files/Microsoft Visual Studio/2022/Professional/VC/Tools/MSVC/14.38.33130/bin/Hostx64/x64/cl.exe - skipped
-- Detecting C compile features
-- Detecting C compile features - done
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Check for working CXX compiler: C:/Program Files/Microsoft Visual Studio/2022/Professional/VC/Tools/MSVC/14.38.33130/bin/Hostx64/x64/cl.exe - skipped
-- Detecting CXX compile features
-- Detecting CXX compile features - done
CMake Warning at CMakeLists.txt:5 (find_package):
By not providing "FindIdaSdk.cmake" in CMAKE_MODULE_PATH this project has
asked CMake to find a package configuration file provided by "IdaSdk", but
CMake did not find one.

Could not find a package configuration file provided by "IdaSdk" with any
of the following names:

IdaSdkConfig.cmake
idasdk-config.cmake

Add the installation prefix of "IdaSdk" to CMAKE_PREFIX_PATH or set
"IdaSdk_DIR" to a directory containing one of the above files. If "IdaSdk"
provides a separate development package or SDK, be sure it has been
installed.

CMake Warning (dev) in CMakeLists.txt:
No cmake_minimum_required command is present. A line of code such as

cmake_minimum_required(VERSION 3.28)

should be added at the top of the file. The version specified may be lower
if you wish to support older CMake versions for this project. For more
information run "cmake --help-policy CMP0000".
This warning is for project developers. Use -Wno-dev to suppress it.

-- Configuring done (3.8s)
-- Generating done (0.1s)
CMake Warning:
Manually-specified variables were not used by the project:

BUILD_TESTS
IDA_SDK_SOURCE_DIR

-- Build files have been written to: C:/Users/elias/Projects/github/ttddbg/build

C:\Users\elias\Projects\github\ttddbg\build>

Ida complains about unknown debugger breakpoint

Whenever I use the plugin I get a message like this:

Maybe using PROCESS_SUSPENDED instead of BREAKPOINT in onStartProcess would solve the problem?

Crash when I tried to insert an event in timeline, but not inthe running mode

If I tried to insert event in timeline when I'm not in running mode, IDA crashed