Closed schrodyn closed 3 months ago
I think this would be a great addition, thank you for opening this issue!
It looks like we do not have a link which includes the version, which means the download will change and we can't use the hash for the installation. We would need to use the VM-Assert-Signature
as we do in sysinternals and googlechrome, which is a bit more elaborate as we can't use automation to create the packages in this case. @schrodyn a PR would be much appreciated.
Do we know which version the linked PowerShell script uses? We would need to check we can use that code if we need to use that script.
Not sure if this helps. There is a versioned msix bundle that can be downloaded, the URL for it lives inside the TTD.appinstaller file. This could be downloaded and the file TTD-x64.msix extracted from it and installed by FLARE-VM.
[quack (13:43) Windows]
➜ wget https://aka.ms/ttd/download
--2024-04-04 13:44:36-- https://aka.ms/ttd/download
Resolving aka.ms (aka.ms)... 23.54.202.151
Connecting to aka.ms (aka.ms)|23.54.202.151|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://windbg.download.prss.microsoft.com/dbazure/prod/1-0-0/TTD.appinstaller [following]
--2024-04-04 13:44:37-- https://windbg.download.prss.microsoft.com/dbazure/prod/1-0-0/TTD.appinstaller
Resolving windbg.download.prss.microsoft.com (windbg.download.prss.microsoft.com)... 152.199.21.175
Connecting to windbg.download.prss.microsoft.com (windbg.download.prss.microsoft.com)|152.199.21.175|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 661 [application/octet-stream]
Saving to: ‘download’
download 100%[=====================================================================================================================================================>] 661 --.-KB/s in 0s
2024-04-04 13:44:37 (14.3 MB/s) - ‘download’ saved [661/661]
[quack (13:44) Windows]
➜ cat download
<?xml version="1.0" encoding="utf-8"?>
<AppInstaller Uri="https://windbg.download.prss.microsoft.com/dbazure/prod/1-0-0/TTD.appinstaller" Version="1.11.319.0" xmlns="http://schemas.microsoft.com/appx/appinstaller/2018">
<MainBundle Name="Microsoft.TimeTravelDebugging" Version="1.11.319.0"
Publisher="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
Uri="https://windbg.download.prss.microsoft.com/dbazure/prod/1-11-319-0/TTD.msixbundle" />
<UpdateSettings>
<OnLaunch/>
<AutomaticBackgroundTask/>
<ForceUpdateFromAnyVersion>true</ForceUpdateFromAnyVersion>
</UpdateSettings>
</AppInstaller>
[quack (13:44) Windows]
➜ wget https://windbg.download.prss.microsoft.com/dbazure/prod/1-11-319-0/TTD.msixbundle
--2024-04-04 13:44:50-- https://windbg.download.prss.microsoft.com/dbazure/prod/1-11-319-0/TTD.msixbundle
Resolving windbg.download.prss.microsoft.com (windbg.download.prss.microsoft.com)... 152.199.21.175
Connecting to windbg.download.prss.microsoft.com (windbg.download.prss.microsoft.com)|152.199.21.175|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6884033 (6.6M) [application/octet-stream]
Saving to: ‘TTD.msixbundle’
TTD.msixbundle 100%[=====================================================================================================================================================>] 6.56M 19.1MB/s in 0.3s
2024-04-04 13:44:50 (19.1 MB/s) - ‘TTD.msixbundle’ saved [6884033/6884033]
[quack (13:44) Windows]
➜ sha256sum TTD.msixbundle
f7b80731c3a6994b3763c4100073b101965327d6556fa4bfb553d70ce49be366 TTD.msixbundle
[quack (13:44) Windows]
➜ file TTD.msixbundle
TTD.msixbundle: Zip archive data, at least v4.5 to extract, compression method=store
[quack (13:44) Windows]
➜ 7z l TTD.msixbundle
7-Zip [64] 17.04 : Copyright (c) 1999-2021 Igor Pavlov : 2017-08-28
p7zip Version 17.04 (locale=utf8,Utf16=on,HugeFiles=on,64 bits,12 CPUs x64)
Scanning the drive for archives:
1 file, 6884033 bytes (6723 KiB)
Listing archive: TTD.msixbundle
--
Path = TTD.msixbundle
Type = zip
Physical Size = 6884033
64-bit = +
Characteristics = Zip64
Date Time Attr Size Compressed Name
------------------- ----- ------------ ------------ ------------------------
2024-02-08 17:11:12 ..... 2173552 2173552 TTD-ARM64.msix
2024-02-08 17:11:18 ..... 2723020 2723020 TTD-x64.msix
2024-02-08 17:11:26 ..... 1978355 1978355 TTD-x86.msix
2024-02-08 17:11:26 ..... 1579 511 AppxMetadata/AppxBundleManifest.xml
2024-02-08 17:11:26 ..... 338 271 AppxBlockMap.xml
2024-02-08 17:11:26 ..... 469 248 [Content_Types].xml
2024-02-08 17:11:28 ..... 10305 7076 AppxSignature.p7x
------------------- ----- ------------ ------------ ------------------------
2024-02-08 17:11:28 6887618 6883033 7 files
[quack (13:44) Windows]
➜ 7z x -oTTD_extracted TTD.msixbundle
7-Zip [64] 17.04 : Copyright (c) 1999-2021 Igor Pavlov : 2017-08-28
p7zip Version 17.04 (locale=utf8,Utf16=on,HugeFiles=on,64 bits,12 CPUs x64)
Scanning the drive for archives:
1 file, 6884033 bytes (6723 KiB)
Extracting archive: TTD.msixbundle
--
Path = TTD.msixbundle
Type = zip
Physical Size = 6884033
64-bit = +
Characteristics = Zip64
Everything is Ok
Files: 7
Size: 6887618
Compressed: 6884033
[quack (13:45) Windows]
➜ file TTD_extracted/TTD-x64.msix
TTD_extracted/TTD-x64.msix: Zip archive data, at least v4.5 to extract, compression method=deflate
This is what would be needed extracted into a VM for users and added to the system PATH.
[quack (13:45) Windows]
➜ 7z l TTD_extracted/TTD-x64.msix
7-Zip [64] 17.04 : Copyright (c) 1999-2021 Igor Pavlov : 2017-08-28
p7zip Version 17.04 (locale=utf8,Utf16=on,HugeFiles=on,64 bits,12 CPUs x64)
Scanning the drive for archives:
1 file, 2723020 bytes (2660 KiB)
Listing archive: TTD_extracted/TTD-x64.msix
--
Path = TTD_extracted/TTD-x64.msix
Type = zip
Physical Size = 2723020
64-bit = +
Characteristics = Zip64
Date Time Attr Size Compressed Name
------------------- ----- ------------ ------------ ------------------------
2024-02-09 01:08:32 ..... 43048 15354 x86/TTDLoader.dll
2024-02-09 01:08:32 ..... 59440 22597 x86/TTDLiveRecorder.dll
2024-02-09 01:08:32 ..... 251944 116546 x86/TTDInject.exe
2024-02-09 01:08:32 ..... 1128488 338278 x86/TTDRecordCPU.dll
2024-02-09 01:08:32 ..... 55336 15720 TTDLoader.dll
2024-02-09 01:08:32 ..... 79240 24103 ProcLaunchMon.sys
2024-02-09 01:08:32 ..... 59328 23740 TTDLiveRecorder.dll
2024-02-09 01:08:32 ..... 112576 42529 TTD.exe
2024-02-09 01:08:32 ..... 63424 23989 TTDRecordUI.dll
2024-02-09 01:08:32 ..... 890816 387436 TTDRecord.dll
2024-02-09 01:08:32 ..... 1218496 346347 TTDRecordCPU.dll
2024-02-09 01:08:32 ..... 313280 137305 TTDInject.exe
2024-02-09 01:08:32 ..... 2627520 712431 TTDReplayCPU.dll
2024-02-09 01:08:32 ..... 1222592 491066 TTDReplay.dll
2024-02-09 01:08:32 ..... 1856 757 resources.pri
2024-02-09 01:08:32 ..... 2507 833 AppxManifest.xml
2024-02-09 01:08:32 ..... 11409 5998 AppxBlockMap.xml
2024-02-09 01:08:32 ..... 755 300 [Content_Types].xml
2024-02-09 01:08:32 ..... 12945 7899 AppxMetadata/CodeIntegrity.cat
2024-02-08 17:11:18 ..... 10344 7106 AppxSignature.p7x
------------------- ----- ------------ ------------ ------------------------
2024-02-09 01:08:32 8165344 2720334 20 files
[quack (13:45) Windows]
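The procedure shown above (resolve the unversioned link to the .appinstaller, read the versioned bundle URL from it, fetch the bundle, pull out TTD-x64.msix, unpack it and put it on PATH), as an added PowerShell example that is not code from the VM-Packages project or from the commenter. It pins the version and SHA-256 observed in the thread and checks the Authenticode signer against the manifest's Publisher; assumed are the install location C:\Tools\TTD and that Get-AuthenticodeSignature can verify .msixbundle files through the AppX SIP.

```powershell
$ErrorActionPreference = 'Stop'
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Pinned to the version/hash observed in the thread; re-pin on every bump.
$expectedVersion = '1.11.319.0'
$expectedSha256  = 'f7b80731c3a6994b3763c4100073b101965327d6556fa4bfb553d70ce49be366'
$toolDir = 'C:\Tools\TTD'          # assumed install location
$work    = Join-Path $env:TEMP 'ttd-install'
New-Item -ItemType Directory -Force -Path $work | Out-Null

# 1. The unversioned aka.ms link only yields the .appinstaller XML; the
#    versioned bundle URL and expected publisher sit in <MainBundle>.
$appInstaller = Join-Path $work 'TTD.appinstaller'
Invoke-WebRequest -Uri 'https://aka.ms/ttd/download' -OutFile $appInstaller -UseBasicParsing
[xml]$manifest = Get-Content -Raw $appInstaller
$bundle = $manifest.AppInstaller.MainBundle
if ($bundle.Version -ne $expectedVersion) {
    throw "Upstream is now $($bundle.Version); pinned hash is for $expectedVersion"
}

# 2. Fetch the version-pinned bundle; verify the pinned SHA-256 and the
#    Authenticode signature, and that the signer is the manifest's Publisher
#    (assumed: the AppX SIP lets Get-AuthenticodeSignature handle .msixbundle).
$bundlePath = Join-Path $work 'TTD.msixbundle'
Invoke-WebRequest -Uri $bundle.Uri -OutFile $bundlePath -UseBasicParsing
$actual = (Get-FileHash -Algorithm SHA256 $bundlePath).Hash
if ($actual -ne $expectedSha256) { throw "SHA-256 mismatch: $actual" }
$sig = Get-AuthenticodeSignature $bundlePath
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -ne $bundle.Publisher) {
    throw "Signature check failed: $($sig.Status) / $($sig.SignerCertificate.Subject)"
}

# 3. Pull only TTD-x64.msix out of the bundle, then unpack that msix
#    (itself a zip) into the tool directory.
$msix = Join-Path $work 'TTD-x64.msix'
$zip  = [System.IO.Compression.ZipFile]::OpenRead($bundlePath)
try {
    $entry = $zip.GetEntry('TTD-x64.msix')
    if (-not $entry) { throw 'TTD-x64.msix not found in bundle' }
    [System.IO.Compression.ZipFileExtensions]::ExtractToFile($entry, $msix, $true)
} finally { $zip.Dispose() }
[System.IO.Compression.ZipFile]::ExtractToDirectory($msix, $toolDir)

# 4. Put TTD.exe on the machine PATH so it is usable from any shell.
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
if (($machinePath -split ';') -notcontains $toolDir) {
    [Environment]::SetEnvironmentVariable('Path', "$machinePath;$toolDir", 'Machine')
}
```

Because the bundle URL carries the version (1-11-319-0), the hash pin only holds until the .appinstaller points at a new version, which is why the script fails closed on a version change instead of silently fetching whatever is current.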
I was looking at the install script for WinDBG which handles installing WinDBG through the appinstaller. It's likely then that TTD could be installed through the same process?
https://github.com/mandiant/VM-Packages/blob/main/packages/windbg.vm/tools/chocolateyinstall.ps1
Current URL for the TTD appinstaller, https://windbg.download.prss.microsoft.com/dbazure/prod/1-0-0/TTD.appinstaller
Details
Microsoft ships a standalone utility to collect time travel debugging traces. Information is available here https://learn.microsoft.com/en-us/windows-hardware/drivers/debuggercmds/time-travel-debugging-ttd-exe-command-line-util
This allows a person to collect a trace without the WinDBG GUI. I think this would be a great addition to the FLARE-VM builds.
The documentation provides a PowerShell script that could be easily integrated into the FLARE-VM builds. https://learn.microsoft.com/en-us/windows-hardware/drivers/debuggercmds/time-travel-debugging-ttd-exe-command-line-util#download-the-ttdexe-command-line-utility-package-and-extract-the-files-manually