Using Debugger how to get child process's PID from Parent

debugcn Published at Dev

Dev.K.

I want to know, using windbg or any other debugger how can i get the PID of child process created by parent process.

Example :

Debugger attached to arbitrary running "Process A".

When debugger is attached to process A(Parent), Process A creates another child process (Process B) using kernel32!CreateProcess* or kernel32!CreateProcessInternal.

So how can I get the PID of process B from process A??

Mainly I want to do it using pydbg but if i get to know how to achieve this manually using windbg, i hope I will be able to do the same using pydbg.

Thanks in Advance,

Thomas Weller

In WinDbg, there is also the command .childdbg 1 so that you simply debug all child processes.

Here's the longer version using breakpoints when doing user mode debugging:

0:000> .symfix e:\debug\symbols

0:000> .reload
Reloading current modules
.....

0:000> bp kernel32!CreateProcessW

0:000> g
Breakpoint 0 hit
*** WARNING: Unable to verify checksum for GetChildPID.exe
eax=00467780 ebx=7efde000 ecx=00467804 edx=00000004 esi=003af960 edi=003afa94
eip=755c103d esp=003af934 ebp=003afa94 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
kernel32!CreateProcessW:
755c103d 8bff            mov     edi,edi

0:000> kb
ChildEBP RetAddr  Args to Child              
003af930 0138148d 00000000 00467804 00000000 kernel32!CreateProcessW

0:000> dp esp
003af934  0138148d 00000000 00467804 00000000 // ReturnAddress AppName CommandLine ProcAttr
003af944  00000000 00000000 00000000 00000000 // ThreadAttr InheritHandles CreationFlags Environment
003af954  00000000 003afa48 003afa30 00000000 // CurrentDir StartupInfo ProcessInfo

0:000> du 00467804 
00467804  "notepad.exe"

0:000> dt 003afa30 PROCESS_INFORMATION
GetChildPID!PROCESS_INFORMATION
   +0x000 hProcess         : (null) 
   +0x004 hThread          : (null) 
   +0x008 dwProcessId      : 0
   +0x00c dwThreadId       : 0
0:000> ***// Empty before the call

0:000> p;gu
eax=00000001 ebx=7efde000 ecx=755d4964 edx=0000008b esi=003af960 edi=003afa94
eip=0138148d esp=003af960 ebp=003afa94 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
GetChildPID!wmain+0xad:
0138148d 3bf4            cmp     esi,esp

0:000> dt 003afa30 PROCESS_INFORMATION
GetChildPID!PROCESS_INFORMATION
   +0x000 hProcess         : 0x00000038 Void
   +0x004 hThread          : 0x00000034 Void
   +0x008 dwProcessId      : 0x102c
   +0x00c dwThreadId       : 0xfb0

102c is the process ID of the child process. If the process does not die immediately, you can use .tlist to cross check.

If you don't have symbols, you could still dump memory

0:000> p;gu
eax=00000001 ebx=7efde000 ecx=755d4964 edx=0000008b esi=003ef910 edi=003efa44
eip=0138148d esp=003ef910 ebp=003efa44 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
GetChildPID!wmain+0xad:
0138148d 3bf4            cmp     esi,esp

0:000> dp esp-4 L1
003ef90c  003ef9e0

0:000> dp 003ef9e0 L4
003ef9e0  00000038 00000034 00000cc0 00001320

Collected from the Internet

Please contact [email protected] to delete if infringement.

edited at2021-06-28

Comments

0 comments

From Dev

If you fork() and exec() from the child process, and wait in the parent, how does the parent get a return code from the child?

From Java

Related Related

Article