mandiant / VM-Packages

Chocolatey packages supporting the analysis environment projects FLARE-VM & Commando VM.
Apache License 2.0

Add Windows Time Travel Debugging Cli #965

Closed schrodyn closed 3 months ago

schrodyn commented 6 months ago

Details

Microsoft ships a standalone utility to collect time travel debugging traces. Information is available here https://learn.microsoft.com/en-us/windows-hardware/drivers/debuggercmds/time-travel-debugging-ttd-exe-command-line-util

This allows a person to collect a trace without the WinDBG GUI. I think this would be a great addition to the FLARE-VM builds.

The documentation provides a PowerShell script that could be easily integrated into the FLARE-VM builds. https://learn.microsoft.com/en-us/windows-hardware/drivers/debuggercmds/time-travel-debugging-ttd-exe-command-line-util#download-the-ttdexe-command-line-utility-package-and-extract-the-files-manually

Ana06 commented 6 months ago

I think this would be a great addition, thank you for opening this issue!

It looks like we do not have a link which includes the version, which means the download will change and we can't use the hash for the installation. We would need to use the VM-Assert-Signature as we do in sysinternals and googlechrome, which is a bit more elaborate as we can't use automation to create the packages in this case. @schrodyn a PR would be much appreciated.

Do we know which version the linked PowerShell script uses? We would need to check we can use that code if we need to use that script.

schrodyn commented 6 months ago

Not sure if this helps. There is a versioned msix bundle that can be downloaded; the URL for it lives inside the TTD.appinstaller file. This could be downloaded and the file TTD-x64.msix extracted from it and installed by FLARE-VM.

Downloading TTD.appinstaller

[quack (13:43) Windows]
➜ wget https://aka.ms/ttd/download
--2024-04-04 13:44:36--  https://aka.ms/ttd/download
Resolving aka.ms (aka.ms)... 23.54.202.151
Connecting to aka.ms (aka.ms)|23.54.202.151|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://windbg.download.prss.microsoft.com/dbazure/prod/1-0-0/TTD.appinstaller [following]
--2024-04-04 13:44:37--  https://windbg.download.prss.microsoft.com/dbazure/prod/1-0-0/TTD.appinstaller
Resolving windbg.download.prss.microsoft.com (windbg.download.prss.microsoft.com)... 152.199.21.175
Connecting to windbg.download.prss.microsoft.com (windbg.download.prss.microsoft.com)|152.199.21.175|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 661 [application/octet-stream]
Saving to: ‘download’

download                                                        100%[=====================================================================================================================================================>]     661  --.-KB/s    in 0s

2024-04-04 13:44:37 (14.3 MB/s) - ‘download’ saved [661/661]

Contents of TTD.appinstaller

[quack (13:44) Windows]
➜ cat download
<?xml version="1.0" encoding="utf-8"?>
<AppInstaller Uri="https://windbg.download.prss.microsoft.com/dbazure/prod/1-0-0/TTD.appinstaller" Version="1.11.319.0" xmlns="http://schemas.microsoft.com/appx/appinstaller/2018">
  <MainBundle Name="Microsoft.TimeTravelDebugging" Version="1.11.319.0"
    Publisher="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
    Uri="https://windbg.download.prss.microsoft.com/dbazure/prod/1-11-319-0/TTD.msixbundle" />
  <UpdateSettings>
    <OnLaunch/>
    <AutomaticBackgroundTask/>
    <ForceUpdateFromAnyVersion>true</ForceUpdateFromAnyVersion>
  </UpdateSettings>
</AppInstaller>
[quack (13:44) Windows]

Download versioned URL of TTD.msixbundle

➜ wget https://windbg.download.prss.microsoft.com/dbazure/prod/1-11-319-0/TTD.msixbundle
--2024-04-04 13:44:50--  https://windbg.download.prss.microsoft.com/dbazure/prod/1-11-319-0/TTD.msixbundle
Resolving windbg.download.prss.microsoft.com (windbg.download.prss.microsoft.com)... 152.199.21.175
Connecting to windbg.download.prss.microsoft.com (windbg.download.prss.microsoft.com)|152.199.21.175|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6884033 (6.6M) [application/octet-stream]
Saving to: ‘TTD.msixbundle’

TTD.msixbundle                                                  100%[=====================================================================================================================================================>]   6.56M  19.1MB/s    in 0.3s

2024-04-04 13:44:50 (19.1 MB/s) - ‘TTD.msixbundle’ saved [6884033/6884033]

sha256sum

[quack (13:44) Windows]
➜ sha256sum TTD.msixbundle
f7b80731c3a6994b3763c4100073b101965327d6556fa4bfb553d70ce49be366  TTD.msixbundle

Contents of archive

[quack (13:44) Windows]
➜ file TTD.msixbundle
TTD.msixbundle: Zip archive data, at least v4.5 to extract, compression method=store
[quack (13:44) Windows]
➜ 7z l TTD.msixbundle

7-Zip [64] 17.04 : Copyright (c) 1999-2021 Igor Pavlov : 2017-08-28
p7zip Version 17.04 (locale=utf8,Utf16=on,HugeFiles=on,64 bits,12 CPUs x64)

Scanning the drive for archives:
1 file, 6884033 bytes (6723 KiB)

Listing archive: TTD.msixbundle

--
Path = TTD.msixbundle
Type = zip
Physical Size = 6884033
64-bit = +
Characteristics = Zip64

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2024-02-08 17:11:12 .....      2173552      2173552  TTD-ARM64.msix
2024-02-08 17:11:18 .....      2723020      2723020  TTD-x64.msix
2024-02-08 17:11:26 .....      1978355      1978355  TTD-x86.msix
2024-02-08 17:11:26 .....         1579          511  AppxMetadata/AppxBundleManifest.xml
2024-02-08 17:11:26 .....          338          271  AppxBlockMap.xml
2024-02-08 17:11:26 .....          469          248  [Content_Types].xml
2024-02-08 17:11:28 .....        10305         7076  AppxSignature.p7x
------------------- ----- ------------ ------------  ------------------------
2024-02-08 17:11:28            6887618      6883033  7 files
[quack (13:44) Windows]

Extract TTD msixbundle

➜ 7z x -oTTD_extracted TTD.msixbundle

7-Zip [64] 17.04 : Copyright (c) 1999-2021 Igor Pavlov : 2017-08-28
p7zip Version 17.04 (locale=utf8,Utf16=on,HugeFiles=on,64 bits,12 CPUs x64)

Scanning the drive for archives:
1 file, 6884033 bytes (6723 KiB)

Extracting archive: TTD.msixbundle
--
Path = TTD.msixbundle
Type = zip
Physical Size = 6884033
64-bit = +
Characteristics = Zip64

Everything is Ok

Files: 7
Size:       6887618
Compressed: 6884033
[quack (13:45) Windows]
➜ file TTD_extracted/TTD-x64.msix
TTD_extracted/TTD-x64.msix: Zip archive data, at least v4.5 to extract, compression method=deflate

Extract Time Travel Debug Cli

This is what would need to be extracted into a VM for users and added to the system PATH.

[quack (13:45) Windows]
➜ 7z l TTD_extracted/TTD-x64.msix

7-Zip [64] 17.04 : Copyright (c) 1999-2021 Igor Pavlov : 2017-08-28
p7zip Version 17.04 (locale=utf8,Utf16=on,HugeFiles=on,64 bits,12 CPUs x64)

Scanning the drive for archives:
1 file, 2723020 bytes (2660 KiB)

Listing archive: TTD_extracted/TTD-x64.msix

--
Path = TTD_extracted/TTD-x64.msix
Type = zip
Physical Size = 2723020
64-bit = +
Characteristics = Zip64

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2024-02-09 01:08:32 .....        43048        15354  x86/TTDLoader.dll
2024-02-09 01:08:32 .....        59440        22597  x86/TTDLiveRecorder.dll
2024-02-09 01:08:32 .....       251944       116546  x86/TTDInject.exe
2024-02-09 01:08:32 .....      1128488       338278  x86/TTDRecordCPU.dll
2024-02-09 01:08:32 .....        55336        15720  TTDLoader.dll
2024-02-09 01:08:32 .....        79240        24103  ProcLaunchMon.sys
2024-02-09 01:08:32 .....        59328        23740  TTDLiveRecorder.dll
2024-02-09 01:08:32 .....       112576        42529  TTD.exe
2024-02-09 01:08:32 .....        63424        23989  TTDRecordUI.dll
2024-02-09 01:08:32 .....       890816       387436  TTDRecord.dll
2024-02-09 01:08:32 .....      1218496       346347  TTDRecordCPU.dll
2024-02-09 01:08:32 .....       313280       137305  TTDInject.exe
2024-02-09 01:08:32 .....      2627520       712431  TTDReplayCPU.dll
2024-02-09 01:08:32 .....      1222592       491066  TTDReplay.dll
2024-02-09 01:08:32 .....         1856          757  resources.pri
2024-02-09 01:08:32 .....         2507          833  AppxManifest.xml
2024-02-09 01:08:32 .....        11409         5998  AppxBlockMap.xml
2024-02-09 01:08:32 .....          755          300  [Content_Types].xml
2024-02-09 01:08:32 .....        12945         7899  AppxMetadata/CodeIntegrity.cat
2024-02-08 17:11:18 .....        10344         7106  AppxSignature.p7x
------------------- ----- ------------ ------------  ------------------------
2024-02-09 01:08:32            8165344      2720334  20 files
[quack (13:45) Windows]
schrodyn commented 5 months ago

I was looking at the install script for WinDBG which handles installing WinDBG through the appinstaller. It's likely then that TTD could be installed through the same process?

https://github.com/mandiant/VM-Packages/blob/main/packages/windbg.vm/tools/chocolateyinstall.ps1

Current URL for the TTD appinstaller, https://windbg.download.prss.microsoft.com/dbazure/prod/1-0-0/TTD.appinstaller

naacbin commented 3 months ago

I think it would be better to add it using the msixbundle, to check the hash as for WinDbg (check PR #1058).

The required URLs are provided in winget.
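The install flow the thread converges on (resolve the versioned TTD.msixbundle URL from the unversioned TTD.appinstaller, pin its hash, extract TTD-x64.msix and put TTD.exe on PATH), written out as an added example. This is not code from the VM-Packages repository and does not use its VM-* helpers; the install directory, work directory and step layout are assumptions, and the pinned hash is the value schrodyn recorded above for version 1.11.319.0, so it has to be updated whenever the package version is bumped. The Authenticode check at the end assumes TTD.exe carries an embedded signature, which the listings above do not show (they show only the package-level AppxSignature.p7x).

```powershell
# Added example, not from mandiant/VM-Packages: pin-and-install the TTD CLI.
$ErrorActionPreference = 'Stop'

$AppInstallerUrl = 'https://aka.ms/ttd/download'
$ExpectedVersion = '1.11.319.0'
# SHA-256 of TTD.msixbundle 1.11.319.0 as recorded earlier in this thread.
$ExpectedSha256  = 'f7b80731c3a6994b3763c4100073b101965327d6556fa4bfb553d70ce49be366'
$InstallDir      = Join-Path $env:ProgramData 'TTD'         # assumed location
$WorkDir         = Join-Path $env:TEMP 'ttd-package-build'  # assumed scratch dir

foreach ($dir in @($WorkDir, $InstallDir)) {
    if (Test-Path $dir) { Remove-Item -Recurse -Force $dir }
}
New-Item -ItemType Directory -Path $WorkDir | Out-Null

# 1. The aka.ms link is unversioned, so what it serves can change under us.
#    Fetch the small .appinstaller XML and read the versioned MainBundle URI.
$appInstallerPath = Join-Path $WorkDir 'TTD.appinstaller'
Invoke-WebRequest -Uri $AppInstallerUrl -OutFile $appInstallerPath -UseBasicParsing
[xml]$manifest = Get-Content -Path $appInstallerPath -Raw
$bundle = $manifest.AppInstaller.MainBundle
if ($bundle.Version -ne $ExpectedVersion) {
    # A pinned hash is only meaningful for the version it was computed against.
    throw "appinstaller advertises $($bundle.Version), this package pins $ExpectedVersion"
}
if ($bundle.Publisher -notlike 'CN=Microsoft Corporation*') {
    throw "unexpected publisher in appinstaller: $($bundle.Publisher)"
}

# 2. Download the versioned bundle and verify the pinned hash before using it.
$bundlePath = Join-Path $WorkDir 'TTD.msixbundle'
Invoke-WebRequest -Uri $bundle.Uri -OutFile $bundlePath -UseBasicParsing
$actual = (Get-FileHash -Path $bundlePath -Algorithm SHA256).Hash.ToLowerInvariant()
if ($actual -ne $ExpectedSha256) {
    Remove-Item -Force $bundlePath
    throw "SHA-256 mismatch for TTD.msixbundle: expected $ExpectedSha256, got $actual"
}

# 3. .msixbundle and .msix are plain zip containers (see the `file` output above).
#    Expand-Archive in Windows PowerShell 5.1 insists on a .zip extension, so use
#    the .NET ZipFile class, which does not care about the file name.
Add-Type -AssemblyName System.IO.Compression.FileSystem
$bundleDir = Join-Path $WorkDir 'bundle'
[System.IO.Compression.ZipFile]::ExtractToDirectory($bundlePath, $bundleDir)
$msixPath = Join-Path $bundleDir 'TTD-x64.msix'
if (-not (Test-Path $msixPath)) { throw 'TTD-x64.msix not found inside the bundle' }
# The x86\ subfolder with the 32-bit recorder components lands alongside TTD.exe.
[System.IO.Compression.ZipFile]::ExtractToDirectory($msixPath, $InstallDir)

# 4. Defence in depth after the hash check: refuse a payload whose Authenticode
#    signature does not validate or is not Microsoft's. (Assumes TTD.exe is
#    individually signed; adjust if only the package-level signature exists.)
$ttdExe = Join-Path $InstallDir 'TTD.exe'
$sig = Get-AuthenticodeSignature -FilePath $ttdExe
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*Microsoft Corporation*') {
    throw "TTD.exe signature check failed: status $($sig.Status)"
}

# 5. Expose TTD.exe to the analyst via the machine PATH (idempotent).
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
if (($machinePath -split ';') -notcontains $InstallDir) {
    [Environment]::SetEnvironmentVariable('Path', "$machinePath;$InstallDir", 'Machine')
}
Write-Host "Installed TTD $ExpectedVersion to $InstallDir"
```

Run this from an elevated PowerShell session, since it writes the machine-wide PATH. The version check before the download is what makes the pinned hash robust: if Microsoft republishes the appinstaller with a newer bundle, the script stops with a clear message instead of downloading a file whose hash will never match, which is the failure mode Ana06 describes for the unversioned aka.ms link.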