Time Travel Debugging (beta)¶
Time travel debugging (TTD) allows you to record an execution trace of a program or system and replay it back and forth. It can speed up the process of reverse engineering/vulnerability research, and deal with certain tasks that are not easy to handle in regular forward debugging.
Several tools implement TTD. As of now, Binary Ninja debugger integrates with the WinDbg/DbgEng TTD so that you can replay and analyze a trace recorded by WinDbg. The combination of TTD and your familiar reverse engineer tool would hopefully supercharge the ability to time travel and make your workflow even more effective.
Below is a guide to set it up.
Install WinDbg¶
- Navigate to https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/
- Click the
Download WinDbg
button - Run the downloaded
windbg.appinstaller
and proceed with the installation- In case the downloaded installer does not work, open it in a text editor and find the download link that looks like
https://windbg.download.prss.microsoft.com/dbazure/prod/1-2306-12001-0/windbg.msixbundle
- Open the link in the browser, download the full installer, and install it
- In case the downloaded installer does not work, open it in a text editor and find the download link that looks like
Update Binary Ninja to the Development Build¶
If you are running the stable version of Binary Ninja or a development build earlier than 3.5.4334
, you will need to update Binary Ninja to a newer version.
- Click
Edit
->Preferences
->Update Channel...
- For
Update channel
, selectBinary Ninja development build
- For
Select version
, select the newest one with the largest build number
Set up WinDbg For Binary Ninja Debugger¶
Due to some permission issue, Binary Ninja cannot load the DLLs from the WinDbg installation folder, which is inside C:\Program Files\WindowsApps
.
So you will need to copy the entire WinDbg installation folder to a place that Binary Ninja can properly access.
- Create a new folder in your home directory, e.g.,
C:\Users\user_name\windbgx
- Find out the installation path of WinDbg
- Launch WinDbg
- Open Task Manager, go to
Details
tab, findDbgX.Shell.exe
- Right-click it, and then click
Open File location
- The explorer should open up a path like
C:\Program Files\WindowsApps\Microsoft.WinDbg_1.2306.12001.0_x64__8wekyb3d8bbwe
- Copy everything in the WinDbg installation folder into the new folder you created earlier
- Simply select everything and press
Ctrl+C
, since you cannot navigate to its parent folderC:\Program Files\WindowsApps
- Simply select everything and press
- Open Binary Ninja and click
Edit
->Preferences
->Settings
- Search for the setting
debugger.x64dbgEngPath
- Put path
C:\Users\user_name\windbgx\amd64
in it- Do not forget to append
amd64
to the path of the folder
- Do not forget to append
- There is a plan to automate this process: https://github.com/Vector35/debugger/issues/486
Record a TTD Trace¶
- Open WinDbg
- Click
File
->Start debuggin
->Launch Executable (advanced)
- Select the executable file you wish to record
- Check
Record with Time Travel Debugging
, and clickDebug
- In the popup dialog, select a folder to save the recorded trace
- Wait for the process to exit, or click
Stop and Debug
when appropriate - WinDbg then loads the trace and indexes it
- The index will make it faster to work with the trace
- Close WinDbg
- Or check out the official guide at https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/time-travel-debugging-record
- There is a plan to automate this process: https://github.com/Vector35/debugger/issues/485
Configure the TTD Trace in Binary Ninja Debugger¶
- Open the .exe or .dll file in Binary Ninja
- Click
Debugger
->Debug Adapter Settings
- For
Adapter Type
, selectDBGENG_TTD (BETA)
- For
Executable Path
, select the trace file recorded by WinDbg in the previous step- E.g.,
C:/Users/xushe/Documents/helloworld01.run
- E.g.,
- Click
Accept
Work with the TTD Trace¶
- Click
Launch
to launch the target - Most of the debugger functionalities should work in the very same way as a forward debugging
- To make the target run forward, you can either use the buttons in the debugger sidebar, or use the following commands in the debugger console:
- To make the target run backward, you will need to use one of these commands:
- g-: go back
- p-: step over back
- t-: step into back
- g-u: step out back
- There is a plan to add several new buttons that do reverse execution: https://github.com/Vector35/debugger/issues/484
- The !position command prints the
position
of all active threads - The !tt command navigates to a
position
in the trace- E.g.,
!tt 1A0:12F
- While using the debugger, when the target stops, the current position will be printed in the debugger console
- E.g.,
Feedback and Suggestions¶
The TTD integration in Binary Ninja debugger is still in the beta stage so it will likely contain some bugs or lack certain features. The good news is the debugger is open-source and we have a public issue repository for it: https://github.com/Vector35/debugger/issues/. Please feel free to file bug reports, and request new features, either specifically for the TTD or more generally for the debugger. Or even better, join our public Slack and talk to the developers and users!