Awesome
ttddbg - Time Travel Debugging IDA plugin
⚠️ Attention IDA 8 users: using ttddbg with IDA 8 require a work-around for the moment, see Known issues
This plugin adds a new debugger to IDA which supports loading Time Travel Debugging traces generated using WinDBG Preview.
This plugin supports both x86 and x64 traces, and by extension IDA and IDA64.
Installation
Installing the plugin can be done using the installer from the releases page. The installer will automatically install the required dependencies, provided you have a copy of WinDBG Preview installed.
Usage
Once installed, you can use the plugin by selecting the ttddbg debugger in the IDA interface, and specifying your *.run file as the "Application". For help on generating a .run file, see HOWTO_TIME_TRAVEL.md.
| Icon | Action |
|---|---|
 | Go to previous breakpoint |
 | Simulate a full run of the program |
 | Single step backward (RIP - one instruction) |
 | Manage the timeline of interesting events (Threads Created/Terminated, Module Loaded/Unloaded, Exceptions, Custom) |
 | Manage the currently traced functions |
 | View trace events |
Function tracing feature
Since version 1.1.0, ttddbg supports a new feature we call "function tracing". While in the debugging view, it is possible to mark functions for tracing by right-clicking them in the Functions or Module interfaces. Once a function is traced, any call to this function, and any return statement, will be recorded in the new Trace events window.
Using the function information from your reverse engineering work, ttddbg also extracts the parameters passed to the function as well as its return value. Symbols are automatically pretty-printed based on the information available to IDA, such as enum values.
Known issues
- Using IDA Pro 8.2 and this plugin leads to a crash when entering the debugger. This issue appears to be caused by an incompatibility between this plugin and the
picture_searchplugin, which is new in IDA 8. Removingpicture_search.dllandpicture_search64.dllfrom thepluginsfolder temporarily fixes this issue. The problem has been raised to Hex-Rays.
Building the project
Prerequisites:
- A copy of the IDA SDK (available from the download center using your IDA Pro credentials)
- A copy of
TTDReplay.dll(usually inC:\Program Files\WindowsApps\[WinDBG folder]\amd64\ttd\) - A copy of
TTDReplayCPU.dll(usually inC:\Program Files\WindowsApps\[WinDBG folder]\amd64\ttd\)
And let CMAKE do its magic!
$ git clone git@github.com:airbus-cert/ttddbg.git --recursive
$ mkdir build
$ cd build
$ cmake ..\ttddbg -DIDA_SDK_SOURCE_DIR=[PATH_TO_IDA_SDK_ROOT_FOLDER] -DCPACK_PACKAGE_INSTALL_DIRECTORY="IDA Pro 7.7"
$ cmake --build . --target package --config release
Developer corner
To create a dev solution:
$ git clone git@github.com:airbus-cert/ttddbg.git --recursive
$ mkdir build
$ cd build
$ cmake ..\ttddbg -DIDA_SDK_SOURCE_DIR=[PATH_TO_IDA_SDK_ROOT_FOLDER] -DBUILD_TESTS=ON
Credits and references
Greetz to commial for his work on ttd-bindings!