I want to know, using WinDbg or any other debugger, how can I get the PID of a child process created by a parent process.
Example :
Debugger attached to arbitrary running "Process A".
When debugger is attached to process A(Parent), Process A creates another child process (Process B) using kernel32!CreateProcess* or kernel32!CreateProcessInternal.
So how can I get the PID of process B from process A?
Mainly I want to do it using pydbg, but if I get to know how to achieve this manually using WinDbg, I hope I will be able to do the same using pydbg.
Thanks in Advance,
In WinDbg, there is also the command .childdbg 1 so that you simply debug all child processes.
Here's the longer version using breakpoints when doing user mode debugging:
0:000> .symfix e:\debug\symbols
0:000> .reload
Reloading current modules
.....
0:000> bp kernel32!CreateProcessW
0:000> g
Breakpoint 0 hit
*** WARNING: Unable to verify checksum for GetChildPID.exe
eax=00467780 ebx=7efde000 ecx=00467804 edx=00000004 esi=003af960 edi=003afa94
eip=755c103d esp=003af934 ebp=003afa94 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
kernel32!CreateProcessW:
755c103d 8bff mov edi,edi
0:000> kb
ChildEBP RetAddr Args to Child
003af930 0138148d 00000000 00467804 00000000 kernel32!CreateProcessW
0:000> dp esp
003af934 0138148d 00000000 00467804 00000000 // ReturnAddress AppName CommandLine ProcAttr
003af944 00000000 00000000 00000000 00000000 // ThreadAttr InheritHandles CreationFlags Environment
003af954 00000000 003afa48 003afa30 00000000 // CurrentDir StartupInfo ProcessInfo
0:000> du 00467804
00467804 "notepad.exe"
0:000> dt 003afa30 PROCESS_INFORMATION
GetChildPID!PROCESS_INFORMATION
+0x000 hProcess : (null)
+0x004 hThread : (null)
+0x008 dwProcessId : 0
+0x00c dwThreadId : 0
0:000> ***// Empty before the call
0:000> p;gu
eax=00000001 ebx=7efde000 ecx=755d4964 edx=0000008b esi=003af960 edi=003afa94
eip=0138148d esp=003af960 ebp=003afa94 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
GetChildPID!wmain+0xad:
0138148d 3bf4 cmp esi,esp
0:000> dt 003afa30 PROCESS_INFORMATION
GetChildPID!PROCESS_INFORMATION
+0x000 hProcess : 0x00000038 Void
+0x004 hThread : 0x00000034 Void
+0x008 dwProcessId : 0x102c
+0x00c dwThreadId : 0xfb0
102c is the process ID of the child process. If the process does not die immediately, you can use .tlist to cross check.
If you don't have symbols, you could still dump memory:
0:000> p;gu
eax=00000001 ebx=7efde000 ecx=755d4964 edx=0000008b esi=003ef910 edi=003efa44
eip=0138148d esp=003ef910 ebp=003efa44 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
GetChildPID!wmain+0xad:
0138148d 3bf4 cmp esi,esp
0:000> dp esp-4 L1
003ef90c 003ef9e0
0:000> dp 003ef9e0 L4
003ef9e0 00000038 00000034 00000cc0 00001320
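The answer above reads lpProcessInformation off the stack in two ways: at the breakpoint on kernel32!CreateProcessW it is the tenth argument (esp+0x28, because esp points at the return address), and after p;gu it sits at esp-4, because CreateProcessW is stdcall and the callee pops its ten arguments, leaving the last-pushed one (lpProcessInformation, the highest slot) just below the new esp. The following is an added example, not code from the question or the answer: the pure-Python part parses WinDbg dp output (constructed here from the dumps shown above) and decodes PROCESS_INFORMATION with the same arithmetic, so it runs anywhere; attach_and_watch() repeats the procedure with pydbg and assumes its attach, func_resolve, bp_set, bp_del, get_arg, read_process_memory and context.Esp API (32-bit Windows targets, Python 2 as pydbg requires), which the verifier does not exercise.

```python
"""Locate and decode the PROCESS_INFORMATION a parent fills in via
kernel32!CreateProcessW, mirroring the WinDbg session in the answer."""
import struct

# CreateProcessW takes ten stdcall arguments; lpProcessInformation is the
# tenth. Stack slot 0 at function entry is the return address, so argument
# i lives at esp + 4*i (32-bit process).
LP_PROCESS_INFORMATION_ARG = 10


def parse_dp_lines(lines):
    """Turn WinDbg 'dp' output (address followed by dwords) into {addr: dword}.
    Text after '//' is treated as an annotation and ignored."""
    mem = {}
    for line in lines:
        line = line.split("//", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        base = int(fields[0], 16)
        for i, word in enumerate(fields[1:]):
            mem[base + 4 * i] = int(word, 16)
    return mem


def dwords_to_bytes(mem, addr, count):
    """Re-serialise `count` little-endian dwords starting at addr."""
    return b"".join(struct.pack("<I", mem[addr + 4 * i]) for i in range(count))


def decode_process_information(raw16):
    """Unpack the 16-byte Win32 PROCESS_INFORMATION structure."""
    h_process, h_thread, pid, tid = struct.unpack("<IIII", raw16)
    return {"hProcess": h_process, "hThread": h_thread,
            "dwProcessId": pid, "dwThreadId": tid}


def lp_process_information_at_entry(mem, esp_at_entry):
    """Breakpoint on the first instruction: tenth argument at esp+0x28."""
    return mem[esp_at_entry + 4 * LP_PROCESS_INFORMATION_ARG]


def child_pid_after_return(mem, esp_after_return):
    """After p;gu the callee has popped its arguments (stdcall); the last
    pushed slot, lpProcessInformation, is at esp-4 and now filled in."""
    lp_pi = mem[esp_after_return - 4]
    pi = decode_process_information(dwords_to_bytes(mem, lp_pi, 4))
    return pi["dwProcessId"]


# Constructed sample input: the two dumps quoted in the answer.
ENTRY_ESP = 0x003af934
ENTRY_STACK = parse_dp_lines([
    "003af934 0138148d 00000000 00467804 00000000 // RetAddr AppName CmdLine ProcAttr",
    "003af944 00000000 00000000 00000000 00000000 // ThreadAttr Inherit Flags Env",
    "003af954 00000000 003afa48 003afa30 00000000 // CurDir StartupInfo ProcInfo",
])
AFTER_RETURN_ESP = 0x003ef910
AFTER_RETURN_STACK = parse_dp_lines([
    "003ef90c 003ef9e0",
    "003ef9e0 00000038 00000034 00000cc0 00001320",
])


def attach_and_watch(pid):
    """Same two-step procedure with pydbg (assumed API, Windows only):
    break on CreateProcessW, remember lpProcessInformation and the return
    address, then read the structure once the call has returned."""
    from pydbg import pydbg            # assumption: pydbg is installed
    from pydbg.defines import DBG_CONTINUE
    dbg = pydbg()
    dbg.attach(pid)

    def on_entry(dbg):
        lp_pi = dbg.get_arg(LP_PROCESS_INFORMATION_ARG)   # esp + 0x28
        ret_addr = dbg.get_arg(0)                         # [esp]

        def on_return(dbg):
            pi = decode_process_information(dbg.read_process_memory(lp_pi, 16))
            print("child PID: %d (0x%x)" % (pi["dwProcessId"], pi["dwProcessId"]))
            dbg.bp_del(ret_addr)
            return DBG_CONTINUE

        dbg.bp_set(ret_addr, handler=on_return, restore=False)
        return DBG_CONTINUE

    dbg.bp_set(dbg.func_resolve("kernel32.dll", "CreateProcessW"), handler=on_entry)
    dbg.run()


if __name__ == "__main__":
    print("lpProcessInformation at entry: 0x%08x"
          % lp_process_information_at_entry(ENTRY_STACK, ENTRY_ESP))
    print("child PID after return: 0x%x"
          % child_pid_after_return(AFTER_RETURN_STACK, AFTER_RETURN_ESP))
```

The offline part reproduces the answer's numbers: lpProcessInformation is 003afa30 at the entry breakpoint, and the dump after p;gu decodes to PID 0xcc0. The return-address breakpoint in attach_and_watch is the pydbg equivalent of gu; if the parent can call CreateProcessW from several threads at once, key the saved lpProcessInformation by thread id rather than a single closure, and remember that ASLR only moves kernel32 per boot, so func_resolve in the debugger's own process yields the right address for a same-session debuggee.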