Tags: windows, debugging, winapi, windbg, pydbg

Using a debugger, how to get a child process's PID from the parent


I want to know, using windbg or any other debugger, how I can get the PID of a child process created by a parent process.

Example :

Debugger attached to arbitrary running "Process A".

When the debugger is attached to process A (Parent), Process A creates another child process (Process B) using kernel32!CreateProcess* or kernel32!CreateProcessInternal.

So how can I get the PID of process B from process A?

Mainly I want to do it using pydbg, but if I get to know how to achieve this manually using windbg, I hope I will be able to do the same using pydbg.

Thanks in Advance,


Solution

  • In WinDbg, there is also the command .childdbg 1 so that you simply debug all child processes.

    Here's the longer version using breakpoints when doing user mode debugging:

    0:000> .symfix e:\debug\symbols
    
    0:000> .reload
    Reloading current modules
    .....
    
    0:000> bp kernel32!CreateProcessW
    
    0:000> g
    Breakpoint 0 hit
    *** WARNING: Unable to verify checksum for GetChildPID.exe
    eax=00467780 ebx=7efde000 ecx=00467804 edx=00000004 esi=003af960 edi=003afa94
    eip=755c103d esp=003af934 ebp=003afa94 iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    kernel32!CreateProcessW:
    755c103d 8bff            mov     edi,edi
    
    0:000> kb
    ChildEBP RetAddr  Args to Child              
    003af930 0138148d 00000000 00467804 00000000 kernel32!CreateProcessW
    
    0:000> dp esp
    003af934  0138148d 00000000 00467804 00000000 // ReturnAddress AppName CommandLine ProcAttr
    003af944  00000000 00000000 00000000 00000000 // ThreadAttr InheritHandles CreationFlags Environment
    003af954  00000000 003afa48 003afa30 00000000 // CurrentDir StartupInfo ProcessInfo
    
    0:000> du 00467804 
    00467804  "notepad.exe"
    
    0:000> dt 003afa30 PROCESS_INFORMATION
    GetChildPID!PROCESS_INFORMATION
       +0x000 hProcess         : (null) 
       +0x004 hThread          : (null) 
       +0x008 dwProcessId      : 0
       +0x00c dwThreadId       : 0
    0:000> ***// Empty before the call
    
    0:000> p;gu
    eax=00000001 ebx=7efde000 ecx=755d4964 edx=0000008b esi=003af960 edi=003afa94
    eip=0138148d esp=003af960 ebp=003afa94 iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    GetChildPID!wmain+0xad:
    0138148d 3bf4            cmp     esi,esp
    
    0:000> dt 003afa30 PROCESS_INFORMATION
    GetChildPID!PROCESS_INFORMATION
       +0x000 hProcess         : 0x00000038 Void
       +0x004 hThread          : 0x00000034 Void
       +0x008 dwProcessId      : 0x102c
       +0x00c dwThreadId       : 0xfb0
    

    102c is the process ID of the child process. If the process does not die immediately, you can use .tlist to cross-check.

    If you don't have symbols, you could still dump memory:

    0:000> p;gu
    eax=00000001 ebx=7efde000 ecx=755d4964 edx=0000008b esi=003ef910 edi=003efa44
    eip=0138148d esp=003ef910 ebp=003efa44 iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    GetChildPID!wmain+0xad:
    0138148d 3bf4            cmp     esi,esp
    
    0:000> dp esp-4 L1
    003ef90c  003ef9e0
    
    0:000> dp 003ef9e0 L4
    003ef9e0  00000038 00000034 00000cc0 00001320
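As an added example (not code from the question or the answer above), the same decoding done in Python: it parses the `dp` dumps shown in the answer, names the CreateProcessW stack arguments at the breakpoint, and reads PROCESS_INFORMATION from a raw 16-byte memory read, which is what a pydbg script would do with `read_process_memory` on the return-address stack slot. The x64 layout is an assumption that goes beyond the page.

```python
import re
import struct
# x86 stdcall: at the kernel32!CreateProcessW breakpoint [esp] is the return
# address and the ten arguments follow it as 4-byte slots.
CREATEPROCESSW_ARGS = (
    "lpApplicationName", "lpCommandLine", "lpProcessAttributes",
    "lpThreadAttributes", "bInheritHandles", "dwCreationFlags", "lpEnvironment",
    "lpCurrentDirectory", "lpStartupInfo", "lpProcessInformation",
)
# PROCESS_INFORMATION: HANDLE hProcess, HANDLE hThread, DWORD dwProcessId, DWORD dwThreadId.
# 16 bytes on x86 (the page's case); the 24-byte x64 layout is an assumed generalisation.
PI_LAYOUT = {"x86": "<IIII", "x64": "<QQII"}
PI_FIELDS = ("hProcess", "hThread", "dwProcessId", "dwThreadId")
_DP_LINE = re.compile(r"^\s*([0-9a-f]{8})\s+((?:[0-9a-f]{8}\s*)+)", re.I)

def parse_dp(dump: str) -> dict:
    """Turn WinDbg `dp` output into {address: dword}; '//' annotations are dropped."""
    words = {}
    for line in dump.splitlines():
        m = _DP_LINE.match(line.split("//", 1)[0])
        if m:
            base = int(m.group(1), 16)
            for i, w in enumerate(m.group(2).split()):
                words[base + 4 * i] = int(w, 16)
    return words

def read_memory(words: dict, addr: int, size: int) -> bytes:
    """Mimic a debugger memory read (little-endian bytes) from the parsed dump."""
    return b"".join(struct.pack("<I", words[addr + 4 * i]) for i in range(size // 4))

def createprocessw_args(words: dict, esp_at_entry: int) -> dict:
    """Name the arguments from a `dp esp` dump taken when the breakpoint hits."""
    return {n: words[esp_at_entry + 4 * (i + 1)] for i, n in enumerate(CREATEPROCESSW_ARGS)}

def decode_process_information(raw: bytes, arch: str = "x86") -> dict:
    fmt = PI_LAYOUT[arch]
    return dict(zip(PI_FIELDS, struct.unpack(fmt, raw[:struct.calcsize(fmt)])))

def child_pid_after_return(words: dict, esp_after_gu: int) -> int:
    """After `gu`, `ret 0x28` has popped the ten args, so lpProcessInformation sits at esp-4."""
    pi_addr = words[esp_after_gu - 4]
    return decode_process_information(read_memory(words, pi_addr, 16))["dwProcessId"]

# Sample dumps copied from the transcript above (x86, no symbols needed).
ENTRY_DUMP = """003af934  0138148d 00000000 00467804 00000000 // ReturnAddress AppName CommandLine ProcAttr
003af944  00000000 00000000 00000000 00000000 // ThreadAttr InheritHandles CreationFlags Environment
003af954  00000000 003afa48 003afa30 00000000 // CurrentDir StartupInfo ProcessInfo"""
RETURN_DUMP = """003ef90c  003ef9e0
003ef9e0  00000038 00000034 00000cc0 00001320"""
```

With the breakpoint-time ESP of 003af934 the dump names lpCommandLine = 00467804 and lpProcessInformation = 003afa30, and after `gu` with ESP = 003ef910 the child PID decodes to 0xcc0, matching the answer's dumps.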