Original address: www.trustwave.com/en-us/resou…

Original author:

Release date: January 9, 2020

Introduction to the

Hi, my friends! How are you? Hope you have a very good holiday and lots of love for everyone! Is it time to start 2020? Now is a good time to write WinDBG’s TTD (time travel debugging) feature. For those unfamiliar with the series, you can check out part 1, where I set up the Windows remote kernel debugging environment, and part 2, where I wrote some basic commands for WinDBG. This will be a quick article, but since it is a very useful tool resource, I think it is indispensable to introduce us to the use of Windows.

An overview of the

As the name suggests, Microsoft implemented a feature in the WinDBG Preview that allows the debugger to travel through time. From Microsoft.

“Time travel debugging is a tool that allows you to record the execution of your process and then play it back and forward later. Time travel debugging (TTD) helps you debug problems more easily, allowing you to “rewind” your debugging session rather than replay the problem until you find the error.

So what does this mean? Often we can start debugging an application from where we can set breakpoints and then stop execution for analysis, but we don’t really know where it ends. With this tool, the entire execution will be recorded (in a file on disk) and we will be able to browse through the execution from end to beginning.

For example, if there is a crash during execution, you will be able to browse during execution to see what went wrong, causing an unexpected stop after the crash. Often, we can determine the last function executed before a crash, but that does not mean that execution is the source of the problem. With TTD, we can look back and examine where the data that caused the problem came from.

demonstration

Working with TTD using the binary of H2HC CTF that we already mentioned in the last article — in fact, I do use TTD to solve this puzzle.

Start WinDBG as an administrator (required with TTD), go to start debugging, and then start the executable (advanced).

Figure 1 – Start the executable

Browse the location of the binary and mark the box “debug records with time travel”. Will ask you where you want to keep your records.

Figure 2 – Where to save the TTD file

You can also attach to an existing process and enable TTD.

Start the H2HC binary challenge.

[+] H2HC - 16th Edition challenge
[+] Server listening
[+] Waiting for H2HC evil connections
Copy the code

I’ll let the reverse engineering work in another blog post, but for now, you need to know that this service is waiting for a connection to port 54345/TCP. Using the correct data, we will crash the binary, and then we can click “Stop and debug”. Now we can open the file (Start debugging > Open Trace File) and we will have the entire execution flow for us to analyze.

Microsoft Windows Debugger Version 10.0.19528.1000 AMD64 Copyright (C) Microsoft Corporation. All rights Reserved. Loading Dump File [C:\Users\mphx2\Documents\h2hc01.run] JavaScript script successfully loaded from'C:\Program Files \ WindowsApps \ Microsoft. WinDbg_1. 1912.11001.0 _neutral__8wekyb3d8bbwe, amd64, TDD, Analyzers \ HeapAnalysis js'

JavaScript script successfully loaded from 'C: \ Program Files \ WindowsApps \ Microsoft WinDbg_1. 1912.11001.0 _neutral__8wekyb3d8bbwe, amd64, TDD, Analyzers \ TtdAnalyze js'************* Path validation summary ************** Response Time (ms) Location Deferred srv* Symbol search path is: srv* Executable search path is: ModLoad: 00007ff7`3f9f0000 00007ff7`3fa04000 C:\Users\mphx2\Desktop\H2HC_CTF_2019\xpl_to_distribute\h2hc.exe ModLoad: 00007ffc`ac840000 00007ffc`aca1a000 C:\ProgramData\Microsoft\Windbg\1-1912-11001\TTD\TTDRecordCPU.dll ModLoad: 00007ffc`cb970000 00007ffc`cb984000 C:\Program Files\AVAST Software\Avast\aswhook.dll ModLoad: 00007ffc`dd6e0000 00007ffc`dd76f000 C:\WINDOWS\SYSTEM32\apphelp.dll ModLoad: 00007ffc`df750000 00007ffc`df9f3000 C:\WINDOWS\System32\KERNELBASE.dll ModLoad: 00007ffc`e1280000 00007ffc`e13a0000 C:\WINDOWS\System32\RPCRT4.dll ModLoad: 00007ffc`e1e30000 00007ffc`e1ee2000 C:\WINDOWS\System32\KERNEL32.DLL ModLoad: 00007ffc`e2310000 00007ffc`e237f000 C:\WINDOWS\System32\WS2_32.dll ModLoad: 00007ffc`e2540000 00007ffc`e2730000 C:\WINDOWS\SYSTEM32\ntdll.dll ......... (1f20.fc0): Break instruction exception - code 80000003 (first/second chance not available) Time Travel Position: F:0 [Unindexed] Index ! index Indexed 2/2 keyframes Successfully created the indexinMicrosoft (R) Windows Debugger Version 10.0.19528.1000 AMD64 Copyright (C) Microsoft Corporation. All Rights reserved. Loading Dump File [C:\Users\mphx2\Documents\h2hc01.run] JavaScript script successfully loaded from'C:\Program Files \ WindowsApps \ Microsoft. WinDbg_1. 1912.11001.0 _neutral__8wekyb3d8bbwe, amd64, TDD, Analyzers \ HeapAnalysis js'

JavaScript script successfully loaded from 'C: \ Program Files \ WindowsApps \ Microsoft WinDbg_1. 1912.11001.0 _neutral__8wekyb3d8bbwe, amd64, TDD, Analyzers \ TtdAnalyze js'************* Path validation summary ************** Response Time (ms) Location Deferred srv* Symbol search path is: srv* Executable search path is: ModLoad: 00007ff7`3f9f0000 00007ff7`3fa04000 C:\Users\mphx2\Desktop\H2HC_CTF_2019\xpl_to_distribute\h2hc.exe ModLoad: 00007ffc`ac840000 00007ffc`aca1a000 C:\ProgramData\Microsoft\Windbg\1-1912-11001\TTD\TTDRecordCPU.dll ModLoad: 00007ffc`cb970000 00007ffc`cb984000 C:\Program Files\AVAST Software\Avast\aswhook.dll ModLoad: 00007ffc`dd6e0000 00007ffc`dd76f000 C:\WINDOWS\SYSTEM32\apphelp.dll ModLoad: 00007ffc`df750000 00007ffc`df9f3000 C:\WINDOWS\System32\KERNELBASE.dll ModLoad: 00007ffc`e1280000 00007ffc`e13a0000 C:\WINDOWS\System32\RPCRT4.dll ModLoad: 00007ffc`e1e30000 00007ffc`e1ee2000 C:\WINDOWS\System32\KERNEL32.DLL ModLoad: 00007ffc`e2310000 00007ffc`e237f000 C:\WINDOWS\System32\WS2_32.dll ModLoad: 00007ffc`e2540000 00007ffc`e2730000 C:\WINDOWS\SYSTEM32\ntdll.dll ......... (1f20.fc0): Break instruction exception - code 80000003 (first/second chance not available) Time Travel Position: F:0ntdll! LdrInitializeThunk: 00007ffc`e25b17f0 4053 push rbx 0:000>Copy the code

It starts with execution, and then we can use all the commands in WinDBG to increase the resources for time travel debugging. Backward, we can use the same command as forward (g, t, p, etc.) with a hyphen. Go to the end of the execution.

0:000> g ModLoad: 00007ffc`dec20000 00007ffc`dec87000 C:\WINDOWS\system32\mswsock.dll (1f20.fc0): Access violation - code c0000005 (first/second chance not available) First chance exceptions are reported before any exception handling. This exception may be expected and handled. Time Travel Position: 979:0 00000000`00000000 ?? ?????Copy the code

As we can see, execution ends at a NULL pointer. From the end of the current process, we can move back and analyze.

0:000> t- Time Travel Position: 951:24 00000000`00000000 ?? ????? 0:000> *** WARNING: Unable to verify checksumforh2hc.exe Time Travel Position: 951:23 h2hc+0x1476: 00007ff7`3f9f1476 c3 ret 0:000> Time Travel Position: 951:22 h2hc+0x146f: 00007ff7`3f9f146f 4881c448010000 add rsp,148h 0:000> dqs rsp+0x148 00000000`001ff978 00000000`00000000 00000000`001ff980  00000000`0000010c 00000000`001ff988 00000000`00000100 [..]Copy the code

At H2HC+ 0x146F, it will be added 0x148 bytes to register RSP, this address will be the return point, and now we know it will be pointed to the NULL pointer where our binary crashed. We can also determine the stack address 00000000 ‘001FF978. This is where the problem arises. Let’s focus on this address.

0:000> t- Time Travel Position: 951:21 h2hc+0x1098: 00007ff7`3f9f1098 c3 ret 0:000> Time Travel Position: 951:20 h2hc+0x1091: 00007ff7`3f9f1091 4881c418020000 add rsp,218h 0:000> Time Travel Position: 951:1F h2hc+0x108b: 00007ff7`3f9f108b 880523d50000 mov byte ptr [h2hc+0xe5b4 (00007ff7`3f9fe5b4)],al ds:00007ff7`3f9fe5b4=00 0:000> Time Travel Position: 951:1E h2hc+0x1089: 00007ff7`3f9f1089 fec8 dec al 0:000> Time Travel Position: 951:1D h2hc+0x1082: 00007ff7`3f9f1082 0fb6052bd50000 movzx eax,byte ptr [h2hc+0xe5b4 (00007ff7`3f9fe5b4)] ds:00007ff7`3f9fe5b4=00 0:000> Time Travel Position: 951:1C h2hc+0x107e: 00007ff7`3f9f107e 488948f8 mov qword ptr [rax-8],rcx ds:00000000`001ff978=0000000000000000 0:000> dqs rcx 00000000 ` 00000000???????????? `????????Copy the code

Here, the application is moving data from RCX (0x0) to the address of RAx-0x8, the attention address on the stack. We now know that the NULL pointer comes from this instruction.

For further debugging, we can still go backwards.

0:000> t- Time Travel Position: 951:1B h2hc+0x107a: 00007ff7`3f9f107a 488b0c24 mov rcx,qword ptr [rsp] ss:00000000`001ff610=0000000000000000 0:000> t- Time Travel Position:  951:1A h2hc+0x1072: 00007ff7`3f9f1072 488b842420020000 mov rax,qword ptr [rsp+220h] ss:00000000`001ff830=00000000001ff980 0:000> Time Travel  Position: 951:19 h2hc+0x106e: 00007ff7`3f9f106e 48890424 mov qword ptr [rsp],rax ss:00000000`001ff610=0000000000000000 0:000> Time Travel Position: 951:18 h2hc+0x106a: 00007ff7`3f9f106a 488b04c1 mov rax,qword ptr [rcx+rax*8] ds:00007ff7`3f9fe5b8=0000000000000000 0:000> dqs 00007ff7`3f9fe5b8 00007ff7`3f9fe5b8 00000000`00000000 00007ff7`3f9fe5c0 00007ff7`3f9f1a6b h2hc+0x1a6b 00007ff7`3f9fe5c8 00007ff7`3f9f165d h2hc+0x165dCopy the code

So looking at the data, we can see that the NULL pointer does originate from 00007FF7 ‘3F9FE5b8.

For testing purposes, if we break h2HC +0x1063 and modify the data on a specific address.

Breakpoint 0 hit
h2hc+0x1063:
00007ff7`3f9f1063 488d0d4ed50000 lea rcx,[h2hc+0xe5b8 (00007ff7`3f9fe5b8)]
0:000> eq 00007ff7`3f9fe5b8 0x4141414141414141
Copy the code

And then we go ahead and execute.

(1418.2 bc8 0:00 0 > g) : Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This  exception may be expected and handled. h2hc+0x1476: 00007ff7`3f9f1476 c3 retCopy the code

We have a different exception, check the stack frame.

00 41414141`41414141 : 00000000`000000d8 00000000`00000100 00000000`00eff3d8 00000000`00eff450 : h2hc+0x1476
01 00000000`000000d8 : 00000000`00000100 00000000`00eff3d8 00000000`00eff450 00000000`00000008 : 0x41414141`41414141
02 00000000`00000100 : 00000000`00eff3d8 00000000`00eff450 00000000`00000008 00000100`43483248 : 0xd8
Copy the code

Now the return point is the value we defined.

It takes more debugging to discover the real root of the problem, but we can already discern the data at execution time. I won’t address this issue here, because I’ll devote an entire article to it in the future.

conclusion

As demonstrated, this tool can be a very useful and important tool during analysis. It also helps with team contributions because you can share saved files with anyone for analysis. This feature is pretty straightforward and nothing mysterious, but let me know if you have any questions.

mo4tech.com (Moment For Technology) is a global community with thousands techies from across the global hang out!Passionate technologists, be it gadget freaks, tech enthusiasts, coders, technopreneurs, or CIOs, you would find them all here.

Part THREE: WinDBG time travel debugging

Introduction to the

An overview of the

demonstration

conclusion

Part THREE: WinDBG time travel debugging

Introduction to the

An overview of the

demonstration

conclusion

Related Posts

Talk about Webpack hot update and how it works

Cross-domain -Vue-Cli Configure proxy forwarding

IOS + PWA is here, are you coming?