Microsoft’s Time Travel Debugging (TTD), a record-and-replay debugging framework for Windows user-mode applications, is under scrutiny for critical flaws in its CPU instruction emulation. Four bugs in the tool reveal inaccuracies in its emulation layer, potentially leading to security risks, unreliable debugging, and misleading forensic investigations.
According to researchers, attackers could exploit these flaws to evade detection, while analysts might unknowingly overlook threats due to incorrect execution states.
pop r16 Instruction Bug
Executing a 32-bit obfuscated Windows Portable Executable (PE) file under TTD resulted in a crash that did not occur on real hardware. Debugging traced the issue to the ‘pop si’ instruction: TTD’s emulation incorrectly cleared the upper 16 bits of the ESI register, whereas a real processor leaves them untouched. Further testing confirmed that TTD’s emulation of pop r16 instructions in general differed from the behaviour of an actual processor.
push segment Instruction Discrepancy
Researchers discovered an issue with the ‘push segment’ instruction, revealing inconsistencies between Intel and AMD CPUs. While Intel CPUs leave the upper portion of the stack unmodified, AMD CPUs implement the instruction differently. TTD’s emulation followed an outdated approach, introducing inaccuracies in execution.

“While our fuzzer was running on an Intel CPU-based machine and one of us verified the bug locally, the other person was not able to verify the bug. Interestingly, the failure happened on an AMD-based CPU, tipping us to the possibility that the push segment instruction implementation varies between Intel and AMD CPUs,” researchers wrote.
lodsb/lodsw Instruction Error
The lodsb and lodsw instructions were found to incorrectly clear the upper bits of the destination register instead of modifying only their respective byte or word. This deviation from expected CPU behaviour could lead to incorrect value propagation in debugging scenarios.
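The pop r16 and lodsb/lodsw discrepancies above share one root cause: a partial-register write that should merge into the low byte or word instead replaced the whole 32-bit register. The following added example (not TTD or the researchers’ code) models both the faithful x86 semantics and the described faulty behaviour in a constructed register file, and runs a small differential check in the spirit of comparing an emulator against the reference behaviour; memory contents, register values and DF=0 are all assumptions.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed 32-bit register model (not TTD code). DF is assumed clear, so
 * string instructions advance ESI forward. */
typedef struct { uint32_t eax, esi, esp; } regs_t;

/* Reference x86 semantics: a 16-bit or 8-bit destination write changes only
 * the addressed low part; the upper bits of the 32-bit register survive. */
uint32_t write_low16(uint32_t reg, uint16_t v) { return (reg & 0xFFFF0000u) | v; }
uint32_t write_low8(uint32_t reg, uint8_t v)   { return (reg & 0xFFFFFF00u) | v; }

uint16_t load16(const uint8_t *mem, uint32_t off) {
    return (uint16_t)(mem[off] | (mem[off + 1] << 8));   /* little-endian */
}

/* pop si: SI = [ESP], ESP += 2. faithful=true models a real CPU; faithful=false
 * models the reported bug, where the whole of ESI was overwritten. */
uint32_t emu_pop_si(regs_t *r, const uint8_t *mem, bool faithful) {
    uint16_t v = load16(mem, r->esp);
    r->esp += 2;
    r->esi = faithful ? write_low16(r->esi, v) : v;
    return r->esi;
}

/* lodsb: AL = [ESI], ESI += 1. Buggy variant clears the upper 24 bits of EAX. */
uint32_t emu_lodsb(regs_t *r, const uint8_t *mem, bool faithful) {
    uint8_t v = mem[r->esi];
    r->esi += 1;
    r->eax = faithful ? write_low8(r->eax, v) : v;
    return r->eax;
}

/* lodsw: AX = [ESI], ESI += 2. Buggy variant clears the upper 16 bits of EAX. */
uint32_t emu_lodsw(regs_t *r, const uint8_t *mem, bool faithful) {
    uint16_t v = load16(mem, r->esi);
    r->esi += 2;
    r->eax = faithful ? write_low16(r->eax, v) : v;
    return r->eax;
}

/* Differential check: run each instruction from an identical constructed state
 * under both models and count disagreements. Upper halves carry a marker value
 * (0xCAFE.., 0xBEEF..) so that a clobbered high half is visible. */
int count_divergences(void) {
    static const uint8_t mem[8] = { 0x34, 0x12, 0x78, 0x56, 0xAA, 0xBB, 0, 0 };
    int diff = 0;
    regs_t a = { 0xCAFE0000u, 0xBEEF0000u, 0 }, b = a;               /* ESP -> mem[0] */
    diff += emu_pop_si(&a, mem, true) != emu_pop_si(&b, mem, false); /* BEEF1234 vs 00001234 */
    a = (regs_t){ 0xCAFE0000u, 4, 0 }; b = a;                         /* ESI -> mem[4] */
    diff += emu_lodsb(&a, mem, true) != emu_lodsb(&b, mem, false);   /* CAFE00AA vs 000000AA */
    a = (regs_t){ 0xCAFE0000u, 4, 0 }; b = a;
    diff += emu_lodsw(&a, mem, true) != emu_lodsw(&b, mem, false);   /* CAFEBBAA vs 0000BBAA */
    return diff;                                                       /* 3 */
}
```

A trace that depends on the high half of ESI or EAX surviving such an instruction diverges from native execution at exactly these points, which is how the crash described above arose only under the emulator.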
WinDbg TTDAnalyse Output Truncation
A separate issue was discovered in WinDbg’s TTDAnalyse extension, where symbol query results were truncated due to a fixed 64 KB buffer size. This limitation led to incomplete debugging output, potentially obscuring forensic data.

While Microsoft has patched these issues in TTD version 1.11.410, researchers emphasise the need for ongoing testing and improvements to prevent future discrepancies.
“This exploration not only sheds light on the nuanced challenges of CPU emulation within TTD but also serves as a call to action for enhanced scrutiny and rigorous validation of debugging frameworks,” researchers concluded. “By ensuring that these tools accurately mirror native execution, we bolster our security posture and improve our capacity to detect, analyse, and respond to sophisticated threats in an ever-evolving digital landscape.”