Skip to content
/ anti-ttd Public

Different technics to detect (or not) Time Travel Debugging πŸ”Ž

License

Apache-2.0 license
2 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

atxr/anti-ttd

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

15 Commits
anti-ttd
anti-ttd
Β 
Β 
assets
assets
Β 
Β 
CMakeLists.txt
CMakeLists.txt
Β 
Β 
LICENSE.txt
LICENSE.txt
Β 
Β 
README.md
README.md
Β 
Β 

Repository files navigation

anti-ttd πŸ‘»

Different technics to detect (or not) Time Travel Debugging πŸ”Ž

Because Windows Time Travel Debugging (TTD) is not a real debugger, most classical debugging technics don't work. This repo compiles all my researches on TTD anti-debug.

demo

Usage

TTD can be installed with the TTD.exe command line utility, or can be used through WinDbg. Build the project with cmake and try to record the binary anti-ttd.exe with TTD.

mkdir build
cmake ..
cmake --build .
TTD.exe .\bin\Debug\anti-ttd.exe

You can also use WinDbg to record the TTD trace, see this tutorial.

TTD specific anti-debug technics

TTD will inject a DLL into the selected process, which could trigger anti-tampering features possibly implemented into the targeted program. Here is a quick scheme of how TTD works under the hood:

TTD scheme

With this architecture, I identified two ways to detect TTD:

Technique Name Detects TTD Comments
Parent Process Name βœ… Check if the parent process name is "ttd.exe"
Opened Handles βœ… Enumerate the handles owned by the process and search for .run file

Classical anti-debug technics

I test relevent anti-debug technics from unprotect.it.

Note: πŸ”Ž

Technics with a ❔ haven't been tested yet. Feel free to contribute!

Technique Name Detects TTD Comments
Guard Pages ❌ Trigger a page guard fault
NtSetDebugFilterState βœ… Check if Debug privileges are enabled (Not precise enough)
IsDebuggerPresent ❌ TTD doesn't activate the debug flag in the PEB
INT3 Instruction Scanning ❔ ❔
Interrupts ❔ ❔
Performing Code Checksum ❔ ❔
Unhandled Exception Filter ❔ ❔
Detecting Running Process: EnumProcess API ❔ ❔
GetLocalTime, GetSystemTime, timeGetTime, NtQueryPerformanceCounter ❔ ❔
NtGlobalFlag ❔ ❔
Heap Flag ❔ ❔
CloseHandle, NtClose ❔ ❔
CsrGetProcessID ❔ ❔
EventPairHandles ❔ ❔
OutputDebugString ❔ ❔
NtQueryObject ❔ ❔
NtSetInformationThread ❔ ❔
NtQueryInformationProcess ❔ ❔
CheckRemoteDebuggerPresent ❔ ❔
TLS Callback ❔ ❔
Call to Interrupt Procedure ❔ ❔
AddVectoredExceptionHandler ❔ ❔
GetTickCount ❔ ❔
RDTSC ❔ ❔
Debug Registers, Hardware Breakpoints ❔ ❔
LocalSize(0) ❔ ❔
INT 0x2D ❔ ❔
ICE 0xF1 ❔ ❔
Trap Flag ❔ ❔
Detecting Window with FindWindow API ❔ ❔

Ideas

  • ParentProcessName can be improved by checking if TTDRecord.dll is loaded in the parent process
  • Checks TTD recording thread
  • anti-tampering features to detect DLL injection

About

Different technics to detect (or not) Time Travel Debugging πŸ”Ž

Resources

Readme

License

Apache-2.0 license
Activity

Stars

2 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages