WinDbg: Time Travel Debugging
IDA supports WinDbg Time Travel Debugging. When used with a compatible version of WinDbg, you can load a .run file into IDA, similarly to a crash dump.
Installation
Only the standalone version of WinDbg supports Time Travel Debugging. The version of WinDbg shipped with Debugging Tools for Windows cannot be used to load TTD traces.
Downloading WinDbg
You can find the list of current ways to download WinDbg here: https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/
You can either install WinDbg onto your system or extract it manually.
Copying WinDbg files
WinDbg is an AppX package, and Windows by default forbids the execution of files in its installation folder. You must therefore copy the files to another directory to use them with IDA.
You can find the installation directory for WinDbg by opening a PowerShell window and running:
For example, for version 1.2410.11001.0 the path might be C:\Program Files\WindowsApps\Microsoft.WinDbg_1.2410.11001.0_x64__8wekyb3d8bbwe. By default, users do not have permission to list the C:\Program Files\WindowsApps folder; however, you can navigate to the WinDbg subfolder directly by pasting the path into Explorer.
Copy the amd64 subdirectory into a directory of your choice and update the DBGTOOLS path in ida.cfg to point to the copied folder. The folder pointed to by DBGTOOLS should contain a dbgeng.dll file.
Manually extracting WinDbg files
If you do not want to install WinDbg onto your system, you can instead download and extract it manually by doing the following:
1. Download the .appinstaller file from https://aka.ms/windbg/download
2. Open the .appinstaller file as XML in a text editor. Take the value of Uri= on the line containing the <MainBundle definition and download the file it specifies. For example, from
<MainBundle Name="Microsoft.WinDbg" Version="1.2410.11001.0" Publisher="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" Uri="https://windbg.download.prss.microsoft.com/dbazure/prod/1-2410-11001-0/windbg.msixbundle" />
download the https://windbg.download.prss.microsoft.com/dbazure/prod/1-2410-11001-0/windbg.msixbundle file.
3. Extract the windbg_win-x64.msix file from the downloaded .msixbundle (it is a zip file with a custom extension).
4. Extract the amd64 folder from the windbg_win-x64.msix file (it is also a zip file with a custom extension).
Once you have followed these steps, update the DBGTOOLS path in ida.cfg to point to the copied folder. The folder pointed to by DBGTOOLS should contain a dbgeng.dll file.
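The manual extraction steps above, automated as an added PowerShell example (not code from the IDA documentation). It assumes PowerShell 5.1 or later on Windows, uses the download URL and the archive entry names given on this page, and takes a destination folder $Dest of your choice; the resulting amd64 folder is what DBGTOOLS in ida.cfg should point to.

```powershell
# Added example: automates the manual WinDbg extraction described in the docs.
# Assumptions: PowerShell 5.1+, internet access, and $Dest as the folder that
# will receive the amd64 subdirectory (point DBGTOOLS in ida.cfg at it).
param(
    [string]$Dest = "$env:USERPROFILE\windbg-ttd"   # assumed destination, change as needed
)
$ErrorActionPreference = 'Stop'
Add-Type -AssemblyName System.IO.Compression.FileSystem

$work = Join-Path $Dest 'download'
New-Item -ItemType Directory -Force -Path $work | Out-Null

# Step 1: fetch the .appinstaller manifest (aka.ms redirects to the real file).
$appInstaller = Join-Path $work 'windbg.appinstaller'
Invoke-WebRequest -Uri 'https://aka.ms/windbg/download' -OutFile $appInstaller -UseBasicParsing

# Step 2: read the Uri attribute of the <MainBundle> element (namespace-agnostic XPath)
# and download the .msixbundle it points to.
[xml]$manifest = Get-Content -Raw $appInstaller
$bundleUri = $manifest.SelectSingleNode("//*[local-name()='MainBundle']").GetAttribute('Uri')
$bundle = Join-Path $work 'windbg.msixbundle'
Invoke-WebRequest -Uri $bundleUri -OutFile $bundle -UseBasicParsing

# Step 3: pull windbg_win-x64.msix out of the bundle (a zip with a custom extension).
$msix = Join-Path $work 'windbg_win-x64.msix'
$zip = [System.IO.Compression.ZipFile]::OpenRead($bundle)
try {
    $entry = $zip.GetEntry('windbg_win-x64.msix')
    if (-not $entry) { throw "windbg_win-x64.msix not found in $bundle" }
    [System.IO.Compression.ZipFileExtensions]::ExtractToFile($entry, $msix, $true)
} finally { $zip.Dispose() }

# Step 4: extract only the amd64/ folder from the .msix (also a zip).
$zip = [System.IO.Compression.ZipFile]::OpenRead($msix)
try {
    foreach ($e in $zip.Entries) {
        # Skip everything outside amd64/ and skip directory entries (empty Name).
        if ($e.FullName -notlike 'amd64/*' -or $e.Name -eq '') { continue }
        $target = Join-Path $Dest ($e.FullName -replace '/', '\')
        New-Item -ItemType Directory -Force -Path (Split-Path $target) | Out-Null
        [System.IO.Compression.ZipFileExtensions]::ExtractToFile($e, $target, $true)
    }
} finally { $zip.Dispose() }

# Sanity check from the docs: the DBGTOOLS folder must contain dbgeng.dll.
$dbgtools = Join-Path $Dest 'amd64'
if (-not (Test-Path (Join-Path $dbgtools 'dbgeng.dll'))) { throw "dbgeng.dll missing from $dbgtools" }
Write-Host "Set DBGTOOLS in ida.cfg to: $dbgtools"
```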
Features
Time travel
The WinDbg time travel implementation uses a trace file that you load later. Unlike a crash dump, you can still continue execution; however, this works by navigating through a recorded instruction log. You cannot change registers or otherwise affect the program's behavior.
Additional UI actions are available when a time travel log is loaded. You can use the UI to continue execution both forwards and backwards by selecting either the normal "Continue" action or the "Continue backwards" action. Additionally, the "Step into (backwards)", "Step over (backwards)" and "Run to cursor (backwards)" actions become available; however, they do not work with source-level debugging.
You can access these actions either using the toolbar or from the "Debugger" menu.
Commands
The !positions command shows the current position in the trace.
The !tt command travels to a specific position in the trace that you have obtained before. For more details, please see the Microsoft documentation page.
The dx command can be used to query information about the trace, such as memory reads or writes to a specific address. See this tutorial for how to use it.