Reputation: 2488
Using Debugger how to get child process's PID from Parent
I want to know, using windbg or any other debugger how can i get the PID of child process created by parent process.
Example :
Debugger attached to arbitrary running "Process A".
When debugger is attached to process A(Parent), Process A creates another child process (Process B) using kernel32!CreateProcess* or kernel32!CreateProcessInternal.
So how can I get the PID of process B from process A??
Mainly I want to do it using pydbg but if i get to know how to achieve this manually using windbg, i hope I will be able to do the same using pydbg.
Thanks in Advance,
Upvotes: 1
Views: 2444
Answers (2)
Reputation: 59643
In WinDbg, there is also the command .childdbg 1 so that you simply debug all child processes.
Here's the longer version using breakpoints when doing user mode debugging:
0:000> .symfix e:\debug\symbols
0:000> .reload
Reloading current modules
.....
0:000> bp kernel32!CreateProcessW
0:000> g
Breakpoint 0 hit
*** WARNING: Unable to verify checksum for GetChildPID.exe
eax=00467780 ebx=7efde000 ecx=00467804 edx=00000004 esi=003af960 edi=003afa94
eip=755c103d esp=003af934 ebp=003afa94 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
kernel32!CreateProcessW:
755c103d 8bff mov edi,edi
0:000> kb
ChildEBP RetAddr Args to Child
003af930 0138148d 00000000 00467804 00000000 kernel32!CreateProcessW
0:000> dp esp
003af934 0138148d 00000000 00467804 00000000 // ReturnAddress AppName CommandLine ProcAttr
003af944 00000000 00000000 00000000 00000000 // ThreadAttr InheritHandles CreationFlags Environment
003af954 00000000 003afa48 003afa30 00000000 // CurrentDir StartupInfo ProcessInfo
0:000> du 00467804
00467804 "notepad.exe"
0:000> dt 003afa30 PROCESS_INFORMATION
GetChildPID!PROCESS_INFORMATION
+0x000 hProcess : (null)
+0x004 hThread : (null)
+0x008 dwProcessId : 0
+0x00c dwThreadId : 0
0:000> ***// Empty before the call
0:000> p;gu
eax=00000001 ebx=7efde000 ecx=755d4964 edx=0000008b esi=003af960 edi=003afa94
eip=0138148d esp=003af960 ebp=003afa94 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
GetChildPID!wmain+0xad:
0138148d 3bf4 cmp esi,esp
0:000> dt 003afa30 PROCESS_INFORMATION
GetChildPID!PROCESS_INFORMATION
+0x000 hProcess : 0x00000038 Void
+0x004 hThread : 0x00000034 Void
+0x008 dwProcessId : 0x102c
+0x00c dwThreadId : 0xfb0
102c is the process ID of the child process. If the process does not die immediately, you can use .tlist to cross check.
If you don't have symbols, you could still dump memory
0:000> p;gu
eax=00000001 ebx=7efde000 ecx=755d4964 edx=0000008b esi=003ef910 edi=003efa44
eip=0138148d esp=003ef910 ebp=003efa44 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
GetChildPID!wmain+0xad:
0138148d 3bf4 cmp esi,esp
0:000> dp esp-4 L1
003ef90c 003ef9e0
0:000> dp 003ef9e0 L4
003ef9e0 00000038 00000034 00000cc0 00001320
Upvotes: 3
Reputation: 9007
you can use windbg's handle command to search for Process with flag 0xf to get the pid of the child process
code compiled with cl /Zi /nologo /W4 /analyze %1% /link /RELEASE
C:\>type codesnips\childdbg\childdbg.cpp
#include <stdio.h>
#include <windows.h>
int main (void)
{
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory( &si, sizeof(si) );
si.cb = sizeof(si);
ZeroMemory( &pi, sizeof(pi) );
if( !CreateProcess( "c:\\windows\\system32\\calc.exe",NULL,NULL, NULL, FALSE
,0,NULL,NULL,&si,&pi ) )
{
printf( "CreateProcess failed (%d).\n", GetLastError() );
return 0;
}
printf("waiting and watching when calc.exe will be no more\n");
WaitForSingleObject( pi.hProcess, INFINITE );
printf("calc.exe no more i am free to quit watching\n");
CloseHandle( pi.hProcess );
CloseHandle( pi.hThread );
return 0;
}
C:\> childdbg.exe
waiting and watching when calc.exe will be no more
process started above running as follows (note pid or parent and child)
tlist -t shows tree view**
C:\>tlist -t | grep -A 1 child
opera.exe (1164) windows - How Internet Explorer(IE11)Creates low Integrity child process without CreateProcess Call - Stack Overflow - Opera
childdbg.exe (6992) C:\codesnips\childdbg\childdbg.exe
calc.exe (7040) Calculator
open a windbg or cdb prompt attach to the parent process retrieve all handles that are of type Process and .detach from the parent (compare the pids fetched via tlist and cdb )
C:>cdb -c "!handle 0 f Process;.detach;q" -pn childdbg.exe
0:001> cdb: Reading initial command '!handle 0 f Process;.detach;q'
Handle 28
Type Process
Attributes 0
GrantedAccess 0x1f0fff:
Delete,ReadControl,WriteDac,WriteOwner,Synch
Terminate,CreateThread,,VMOp,VMRead,VMWrite,DupHandle,CreateProcess,Set
Quota,SetInfo,QueryInfo,SetPort
HandleCount 4
PointerCount 18
Name <none>
Object Specific Information
Process Id 7040
Parent Process 6992
Base Priority 8
1 handles of type Process
Detached
quit:
C:\>
Upvotes: 2
Related Questions
- Finding parent process ID on Windows
- How can I get the PID of the parent process of my application
- How to debug a child process beyond the initial breakpoint
- Debug child executable of a process
- Fetching parent process Id from child process
- Get Parent Process Name (Windows)
- How to debug child and parent process using windbg?
- How to get the PIDs of the child processes?
- How can a Win32 process get the pid of its parent?
- Determining the parent process id from C#