Because Windows Time Travel Debugging (TTD) is not a real debugger, most classical anti-debug techniques don't work against it. This repo collects all my research on TTD anti-debugging.
TTD can be installed as the TTD.exe command-line utility, or used through WinDbg.
Build the project with cmake, then try to record the resulting anti-ttd.exe binary with TTD:

```
mkdir build
cd build
cmake ..
cmake --build .
TTD.exe .\bin\Debug\anti-ttd.exe
```
You can also use WinDbg to record the TTD trace, see this tutorial.
TTD injects a DLL into the selected process, which can trigger anti-tampering features that the targeted program may implement. Here is a quick scheme of how TTD works under the hood:
With this architecture, I identified two ways to detect TTD:
| Technique Name | Detects TTD | Comments |
|---|---|---|
| Parent Process Name | β | Check whether the parent process name is "ttd.exe" |
| Opened Handles | β | Enumerate the handles owned by the process and search for a .run file |
I test relevant anti-debug techniques from unprotect.it.
Note: techniques marked with a β haven't been tested yet. Feel free to contribute!
| Technique Name | Detects TTD | Comments |
|---|---|---|
| Guard Pages | β | Trigger a page guard fault |
| NtSetDebugFilterState | β | Checks whether debug privileges are enabled (not precise enough) |
| IsDebuggerPresent | β | TTD doesn't set the debug flag in the PEB |
| INT3 Instruction Scanning | β | β |
| Interrupts | β | β |
| Performing Code Checksum | β | β |
| Unhandled Exception Filter | β | β |
| Detecting Running Process: EnumProcess API | β | β |
| GetLocalTime, GetSystemTime, timeGetTime, NtQueryPerformanceCounter | β | β |
| NtGlobalFlag | β | β |
| Heap Flag | β | β |
| CloseHandle, NtClose | β | β |
| CsrGetProcessID | β | β |
| EventPairHandles | β | β |
| OutputDebugString | β | β |
| NtQueryObject | β | β |
| NtSetInformationThread | β | β |
| NtQueryInformationProcess | β | β |
| CheckRemoteDebuggerPresent | β | β |
| TLS Callback | β | β |
| Call to Interrupt Procedure | β | β |
| AddVectoredExceptionHandler | β | β |
| GetTickCount | β | β |
| RDTSC | β | β |
| Debug Registers, Hardware Breakpoints | β | β |
| LocalSize(0) | β | β |
| INT 0x2D | β | β |
| ICE 0xF1 | β | β |
| Trap Flag | β | β |
| Detecting Window with FindWindow API | β | β |
- ParentProcessName can be improved by checking whether TTDRecord.dll is loaded in the parent process
- Check for the TTD recording thread
- Anti-tampering features to detect DLL injection
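The following is an added example written for this README, not code from the anti-ttd repository. It implements the "Parent Process Name" check from the table above in C, together with the TTDRecord.dll refinement listed in the TODO items. The decision logic lives in portable helpers (`path_basename`, `parent_name_is_ttd`, `modules_contain_ttdrecord`, all names chosen here) so it can be exercised on any platform; the Win32 collection code (Toolhelp32 snapshots and `QueryFullProcessImageNameA`) only builds on Windows and assumes a non-UNICODE build, which is what cmake gives by default. The handle-enumeration technique is not shown.

```c
/* Added example (not the repo's code): detect a TTD recording session from
 * inside the process by inspecting the parent process, as the README's
 * "Parent Process Name" technique describes, plus the suggested refinement
 * of checking whether TTDRecord.dll is loaded in that parent. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality of two ASCII strings. */
static int ieq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

/* File name component of a Windows path ("C:\x\ttd.exe" -> "ttd.exe"). */
const char *path_basename(const char *path) {
    const char *p = path, *last = path;
    for (; *p; p++)
        if (*p == '\\' || *p == '/') last = p + 1;
    return last;
}

/* Technique 1: does the parent's image name match ttd.exe? */
int parent_name_is_ttd(const char *parent_image_path) {
    return ieq(path_basename(parent_image_path), "ttd.exe");
}

/* Refinement from the TODO list: is TTDRecord.dll among the modules loaded in
 * the parent?  The module names are passed as an array so the logic can be
 * exercised without Windows. */
int modules_contain_ttdrecord(const char *const *module_names, size_t count) {
    for (size_t i = 0; i < count; i++)
        if (ieq(path_basename(module_names[i]), "TTDRecord.dll")) return 1;
    return 0;
}

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>

/* Parent PID of the current process, found via a Toolhelp process snapshot. */
static DWORD get_parent_pid(void) {
    DWORD me = GetCurrentProcessId(), parent = 0;
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap == INVALID_HANDLE_VALUE) return 0;
    PROCESSENTRY32 pe = { .dwSize = sizeof pe };
    if (Process32First(snap, &pe)) {
        do {
            if (pe.th32ProcessID == me) { parent = pe.th32ParentProcessID; break; }
        } while (Process32Next(snap, &pe));
    }
    CloseHandle(snap);
    return parent;
}

/* Collect the parent's image path and module list, then run both checks. */
int ttd_parent_detected(void) {
    DWORD ppid = get_parent_pid();
    if (ppid == 0) return 0;

    char image[MAX_PATH] = "";
    HANDLE h = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, ppid);
    if (h) {
        DWORD len = MAX_PATH;
        QueryFullProcessImageNameA(h, 0, image, &len);
        CloseHandle(h);
    }
    if (parent_name_is_ttd(image)) return 1;

    /* Module snapshot of the parent; TH32CS_SNAPMODULE32 also lists WoW64 modules. */
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, ppid);
    if (snap == INVALID_HANDLE_VALUE) return 0;
    MODULEENTRY32 me = { .dwSize = sizeof me };
    int found = 0;
    if (Module32First(snap, &me)) {
        do {
            const char *name = me.szModule;
            if (modules_contain_ttdrecord(&name, 1)) { found = 1; break; }
        } while (Module32Next(snap, &me));
    }
    CloseHandle(snap);
    return found;
}

int main(void) {
    printf("TTD parent detected: %s\n", ttd_parent_detected() ? "yes" : "no");
    return 0;
}
#endif
```

Note that the parent check is only a heuristic: a recording started from WinDbg has WinDbg, not ttd.exe, as the parent, which is exactly why the TTDRecord.dll module check is a useful complement.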