Reputation: 109
I have a program which creates a child process using the CreateProcess function. While debugging, I step into the child process with childdbg 1. But after executing all the steps of the child process, it doesn't return to the parent process.
When I use .childdbg 1:
0:000> .childdbg 1
Processes created by the current process will be debugged
Then I used g two times. The first time, it loaded modules and came to the position below:
0:000> g
.
.
.
1:002>
The 2nd time, it once again loaded some other modules and came to the position below:
1:002> g
.
.
.
2:005>
From this point, I start debugging my child process. It's working well. After running the child process, it directly executes its parent process. So, can anyone give me the debug command or commands to come out from the second process to the 1st process? Please, I need a debug-level solution, not one from my code.
Upvotes: 4
Views: 7604
Reputation: 9007
.childdbg 1 enables debugging of the first child only and not the grandchild.
In your example, 2.002 is a grandchild.
To debug it and then come back to the child, you need to issue .childdbg 1 on every generation.
childdbg:\>dir /b
childdbg.cpp
childdbg:\>type childdbg.cpp
#include <stdio.h>
#include <windows.h>
int main (void)
{
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    ZeroMemory( &si, sizeof(si) );
    si.cb = sizeof(si);
    ZeroMemory( &pi, sizeof(pi) );
    if( !CreateProcess( NULL, "childdbg.exe", NULL, NULL,
        FALSE,0,NULL,NULL,&si, &pi ) )
    {
        printf( "CreateProcess failed (%d).\n", GetLastError() );
        return 0;
    }
    WaitForSingleObject( pi.hProcess, INFINITE );
    CloseHandle( pi.hProcess );
    CloseHandle( pi.hThread );
    return 0;
}
childdbg:\>cl /Zi /nologo childdbg.cpp
childdbg.cpp
childdbg:\>dir /b *.exe
childdbg.exe
Do not run the exe; it will spawn a zillion children.
Use the debugger and, when done, subvert the flow to skip child creation.
childdbg:\>cdb childdbg.exe
0:000> .childdbg 1
Processes created by the current process will be debugged
0:000> g
1:001> .childdbg 1
Processes created by the current process will be debugged
1:001> g
2:002> .childdbg 1
Processes created by the current process will be debugged
2:002> g
3:003> .childdbg 1
Processes created by the current process will be debugged
3:003> g
4:004> lsf childdbg.cpp
childdbg.cpp
4:004> bp childdbg!main
*** WARNING: Unable to verify checksum for childdbg.exe
4:004> g
Breakpoint 0 hit
childdbg!main:
00401010 55 push ebp
4:004> ls 10
10: if( !CreateProcess( NULL, "childdbg.exe", NULL, NULL,
FALSE,0,NULL,NULL,&si,&pi ) )
11: {
12: printf( "CreateProcess failed (%d).\n", GetLastError() );
13: return 0;
14: }
15: WaitForSingleObject( pi.hProcess, INFINITE );
16: CloseHandle( pi.hProcess );
17: CloseHandle( pi.hThread );
18: return 0;
19: }
4:004> r eip = `:18`
WARNING: Line information loading disabled
4:004> .lines
Line number information will be loaded
4:004> r eip = `:18`
4:004> r
childdbg!main+0x8a:
0040109a 33c0 xor eax,eax
4:004> g
4:004> g
3:003> g
2:002> g
1:001> g
0:000> g
^ No runnable debuggees error in 'g'
0:000> q
quit:
childdbg:\>
Upvotes: 3
Reputation: 1284
You can use the | command to verify which processes you are currently attached to. Similar to switching between threads (~0s, ~1s, ~2s), you may use |0s, |1s, |2s, etc. to switch between attached processes.
Upvotes: 14