\n\nThis page has been machine-translated from the original page.
\n
My goal is to become proficient with WinDbg for Windows debugging and dump-based troubleshooting.
\nThis time, I’ll walk through the official Time Travel Debugging tutorial available in the UWP version of WinDbg Preview.
\nReference: Time Travel Debugging - Sample App Walkthrough - Windows drivers | Microsoft Docs
\nFor a full list of articles on Windows debugging and dump analysis with WinDbg, see the index page:
\nReference: Debugging and Troubleshooting Techniques with WinDbg
\nThis article covers the following topics.
\n\nThe Time Travel Debugging (TTD) feature allows users to record the behavior of a running process and replay it forward and backward afterward.
\nReference: Time Travel Debugging - Overview - Windows drivers | Microsoft Docs
\nUsing TTD provides the following advantages:
\nOn the other hand, recording a TTD trace requires significant overhead — even a few minutes of recording can consume gigabytes of storage.
\nTTD is available in WinDbg Preview, but it can also be used in Visual Studio.
\nReference: Introducing Time Travel Debugging for Visual Studio Enterprise 2019 - Visual Studio Blog
\nDuring a trace, the following three files are typically created:
\n.idx file: an index for accessing the trace data.run file: the file where the recorded code execution is stored.out file: a file containing output from the TTD recording sessionThe .idx and .run files in particular can become very large depending on how long the trace runs.
As of WinDbg Preview at the time of writing (October 17, 2021), the following three things are not supported by TTD:
\nIn particular, because TTD traces are read-only, techniques common in live debugging — such as setting a breakpoint at a conditional branch and modifying a register to redirect execution to an arbitrary address — are not available in TTD.
\nLet’s start working through the official TTD tutorial.
\nReference: Time Travel Debugging - Sample App Walkthrough - Windows drivers | Microsoft Docs
\nThe environment used for this tutorial:
\nFor the sample program, I used a version cross-compiled with llvm-mingw rather than Visual Studio.
\nThe sample program source code and compilation environment are described in the following article:
\nReference: How to Generate Symbol Files (.pdb) in a Linux Environment Using llvm-mingw
\nThe sample program I used looks like this:
\n#include <array>\n#include <cstring> \n#include <stdio.h>\n#include <string.h>\n\nvoid GetCppConGreeting(wchar_t *buffer, size_t size)\n{\n wchar_t const *const message = L\"HELLO FROM THE WINDBG TEAM. GOOD LUCK IN ALL OF YOUR TIME TRAVEL DEBUGGING!\";\n\n wcscpy_s(buffer, size, message);\n}\n\nint main()\n{\n std::array<wchar_t, 50> greeting{};\n GetCppConGreeting(greeting.data(), sizeof(greeting));\n\n wprintf(L\"%ls\\n\", greeting.data());\n\n return 0;\n}Running the executable (ttd_sample.exe) — created based on the official tutorial source code — from PowerShell causes the program to crash abnormally for some reason.
The application runs and the fault is reproduced. The TTD trace has been captured at this point, so click Terminate process to stop the application.
\nWhen the application terminates, the TTD trace replay starts automatically with the Timeline positioned at the beginning.
\nYou are now ready to start troubleshooting with TTD.
\nYou can analyze the TTD trace directly from here, but let’s take the opportunity to open the saved trace file for analysis.
\nClose WinDbg and relaunch it with administrator privileges.
\nFrom the File menu, select Open trace file and open the .run file that was created.
The trace file is now loaded into WinDbg and ready for analysis.
\nFrom here, analyze the captured trace file to perform troubleshooting.
\nThe official tutorial starts by loading the symbol file path into WinDbg.
\nIn my environment, ttd_tutorial.pdb is placed on the Desktop, so I use .sympath+ <desktop path>.\nAfter adding the symbol file path, run the .reload command.
.sympath+ C:\\Users\\Tadpole01\\Desktop\n.reloadWhen the symbol file is loaded correctly, WinDbg can interpret and display function names and other symbols for ttd_tutorial.exe, as shown in the image below.
Let me briefly touch on some computer architecture concepts.
\nWhen a function is called on a computer running a CPU with an x64 architecture or similar, the CALL instruction is used.
\nSimply put, the CALL instruction performs the following steps:
\nReference: Understanding the x86-64 processor stack - Qiita
\nFor more details, please refer to the following article:
\nReference: Overwriting the Memory Pointed to by the Stack Pointer in WinDbg to Execute an Arbitrary Function
\nAs confirmed earlier, the address indicated by the BSP register pointed to a string.
\nIn a program like this sample, the address stored in BSP is expected to be the address of the instruction called after main finishes.
So where exactly did the stack get corrupted? Let’s find out.
\nSet a breakpoint on the main function with the following command, then press Go Back to rewind time.
bu ttd_tutorial!mainExecution stops at the top of main. Step forward with Step Into until a memory address is pushed onto BSP.
Inspecting memory immediately after the address is pushed onto BSP shows that at this point it still contains an instruction address (not yet a string) — the address of the instruction to be called after main finishes.
Stepping forward several times with Step Over while comparing the Disassembly and Memory windows, it becomes clear that the stack was corrupted immediately after calling the GetCppConGreetingPwy function.
Before stack corruption
\nAfter stack corruption
\nThis identifies the GetCppConGreetingPwy function as the source of the stack corruption.
I rewound the TTD trace a little and stepped through the GetCppConGreetingPwy function.
It turns out the stack was corrupted immediately after calling wcscpy_s.