@calladoum-elastic
Last active October 7, 2022 16:16
Options supported by TTDRecord.dll (version 1.9.106.0) - Full article at https://www.elastic.co/security-labs/deep-dive-into-the-ttd-ecosystem
Options:
-? Display this help.
-cleanup Uninstall process monitor driver
-help Display this help.
-quiet Do not display any standard output.
-ring Trace to a ring buffer.
-ringMode <mode> Specify how to record a ring trace. Possible modes:
file - The ring will be in a file on disk.
This is the default.
mappedFile - The ring will be in a file, but the entire
file will be fully mapped in memory. This reduces the
I/O overhead, but the entire file is mapped in
contiguous address space, which may add significant
memory pressure to 32-bit processes.
-maxFile <size> Maximum size of the trace file in MB. When in full trace
mode the default is 1024GB and the minimum value is 1MB.
When in ring buffer mode the default is 2048MB, the minimum
value is 1MB, and the maximum value is 32768MB.
The default for in-memory ring on 32-bit processes is 256MB.
-maxConcurrentRecordings <count>
Maximum number of recordings that can be ongoing at any one
point in time.
-timer <seconds> Stops recording after the specified amount of time.
-tExit <ecode> (Only with -timer) Forces the application to terminate with
the specified exit code after the timer runs out.
-out <file> Specify a trace file name or a directory. If a file, the
tracer will replace the first instance of '%' with a
version number. By default the executable's base name with
a version number is used to prefix the trace file name.
-children Trace through family of child processes.
-passThroughExit Pass the guest process exit value through as the
tracer's exit value.
-bg Attach to a process in non-interactive mode and return
control to the console after it starts tracing.
-tracingOff Starts application with trace recording off. You can
use the UI to turn tracing on.
-parent <name> Use with -onLaunch to specify a currently running parent
process when the traced process will run with low privileges.
Modes:
-plm To specify a PLM app/package for tracing from launch or to
launch that app. These PLM apps can only be setup for
tracing if specifying the plm option. See -launch, -onlaunch,
and -delete for the parameters required for each case.
The default name for a single app package is 'app' and
must be included. You must specify a full path to the output
location with -out.
-launch Launch and trace the program (default).
This is the only mode that uses the program arguments.
For -plm apps it must be specified, and you must include
the package and the app (-launch <package> <app>).
Note: This must be the last option in the command-line,
followed by the program + arguments or the package + app
-attach <PID> Attach to a running process specified by process ID.
-onLaunch Trace programs or services each time they are started
(until reboot). For -plm apps you can only specify the
package (-onLaunch <package>) and all apps within that
package will be set for TTD tracing on their next launch.
There is no ability to specify only 1 app. You must specify
a full path to the output location with -out.
-persistent Trace programs or services each time they are started
(forever). You must specify a full path to the output
location with -out.
-delete Stop future tracing of a program previously specified
with -onLaunch or -persistent. Does not stop current
tracing. For -plm apps you can only specify the
package (-delete <package>) and all apps within that
package will be removed from future tracing
-selectiveRecording <path>
Enables selective recording using the configuration file
located at the specified path. The configuration file must
be readable by the process being traced. (Managed selective recording format
required when paired with -managed flag)
-cmdLineFilter "<string>"
Must be combined with -onLaunch or -persistent and it will only
record the target if its command line contains the string.
This is useful for situations when the command line argument
uniquely identifies the process you are interested in,
e.g., notepad.exe specialfile.txt only the instance of
notepad.exe with that file name will be recorded.
-onInitCompleteEvent <eventName>
Allows an event to be signaled when tracing initialization
is complete.
-managed
Enables managed recording (default is full tracing)
However, if paired with -selectiveRecording then the
corresponding ttdconfig passed in must be of managed selective recording format.
(As used in the Standalone Collector scenario).
Control:
-stop Stop tracing the process specified (name, PID or "all").
-terminate <code> <PID>
Terminate with the specified exit code a process
specified by process ID.
-status Show programs scheduled for future tracing.
-wait <timeout> Wait for up to the amount of seconds specified for all
trace sessions on the system to end. Specify -1 to wait
infinitely.
-mark "<string>" <PID>
Signal a guest process to insert the string into its
trace file. The string must be less than 256 characters.
-initialize Manually initialize your system for tracing.
You can trace without administrator privileges
after the system is initialized. Not supported by inbox tttracer.exe
-noRing Take a full trace of the guest process (default).
-noUI Disables the UI for manual control of recording.
(default on OS with no UI)
-console <file> Re-direct console output to the specified file or directory.
<file> format is similar to format of -out.
-saveCrash <file> If the guest process hits an unhandled exception,
exit the process and save the trace file to
<file>.%.crash. Do not combine with -out.
-ni Attach to a process in non-interactive mode. The tracer
cannot attach to a waiting/sleeping process, so -ni prevents
timing out while waiting for the guest.
-context <name> Launches the guest process with the security context
of the passed in process name. The process must
be in the same session as this client. This
is not supported on OneCore.
-dumpModules Dumps a copy of every loaded module image into the trace
file. This option may significantly increase the size of
the trace file. This option is enabled by default for ring
traces.
-dumpFull In addition to dumping every loaded module image into the
trace file, takes a snapshot of the guest process on attach.
This option is enabled by default for non-ring traces. This
option is incompatible with -ring.
-noDumpFull Explicitly turns off both -dumpFull and -dumpModules behavior.
-fastAtomicOps Loosen the restriction that atomic operations on the same
address will replay in the same order they executed live.
(this is the default).
-noFastAtomicOps Tighten the restriction that atomic operations on the same
address will replay in the same order they executed live.
-numVCpu <number> Specifies a number of Virtual CPUs to be reserved and used
when tracing. This value affects the total memory overhead
placed on the guest process' memory by TTD. If not
specified then default per platform is used: 55 for x64, 16
for x86 and 10 for ARM32. Change this setting in order to
limit the memory impact ONLY if you are running out of
memory. The .out file will give hints this effect.
Note: Changing this value to a lower number can severely
impact the performance of tracing and should only
be done to work around memory impact issues.
-loadOnly <PID> Loads TTT into the process, but does not start a trace
session. This is useful if the client starting the trace
session is not running with high enough privileges to load
TTT into the process.
-autoStart If tracing stops in a guest process, automatically restart
it if the guest is still active. Use -stop all to cancel
auto mode.
-threadsRunNativelyByDefault Threads don't start recording automatically,
instead thread recording must be initiated via API call.
-recordProcessorSwitches Records a thread-local custom event whenever
each thread switches processors.
-recordMemoryProtect Records a custom event with the initial memory protection
state of the process.
-replayCpuSupport <support> Specifies what support is expected from
the CPUs that will be used to replay the trace.
Possible <support> values:
Default - Default CPU support, just requires basic
commonly-available support in the replay CPU.
MostConservative - Requires no special support in the replay CPU.
Adequate for traces that will be replayed on a
completely different CPU architecture,
like an Intel trace on ARM64.
MostAggressive - Assumes that the replay CPU will be similar
and of equal or greater capability
than the CPU used to record.
IntelAvxRequired - Assumes that the replay CPU will be
Intel/AMD 64-bit CPU supporting AVX.
IntelAvx2Required - Assumes that the replay CPU will be
Intel/AMD 64-bit CPU supporting AVX2.
Note that 64-bit traces may not replay correctly
with 32-bit tools when recorded using this mode.
-skipContiguousAtomics Ignore atomic instructions whose sequence IDs are contiguous
with the previous in the same thread. This makes it harder to
determine causality but it optimizes recording performance and trace
file size.
-maxInstructionsPerFragment <num> Specifies how many instructions can be emulated
contiguously before artificially breaking into a new fragment.
Default value is 10000.
-maxInstructionsPerSegment <num> Specifies how many instructions will be emulated
per segment, which determines the parallelism granularity used
during replay. Default value is 3000000