Sunday, 15 February 2015

windows - Using Debugger how to get child process's PID from Parent




I want to know how, using WinDbg or another debugger, I can get the PID of a child process created by a parent process.

Example:

The debugger is attached to an arbitrary running "process A".

While the debugger is attached to process A (the parent), the process creates a child process (process B) using kernel32!CreateProcess* or kernel32!CreateProcessInternal.

So how can I get the PID of process B from process A?

I mainly want to do this using pydbg; if I know how to accomplish it manually using WinDbg, I hope to be able to do the same using pydbg.

Thanks in advance.

In WinDbg, there is the command .childdbg 1 to debug child processes.

Here's a longer version using breakpoints when doing user-mode debugging:

    0:000> .symfix e:\debug\symbols
    0:000> .reload
    Reloading current modules
    .....
    0:000> bp kernel32!CreateProcessW
    0:000> g
    Breakpoint 0 hit
    *** WARNING: Unable to verify checksum for getchildpid.exe
    eax=00467780 ebx=7efde000 ecx=00467804 edx=00000004 esi=003af960 edi=003afa94
    eip=755c103d esp=003af934 ebp=003afa94 iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    kernel32!CreateProcessW:
    755c103d 8bff            mov     edi,edi
    0:000> kb
    ChildEBP RetAddr  Args to Child
    003af930 0138148d 00000000 00467804 00000000 kernel32!CreateProcessW
    0:000> dp esp
    003af934  0138148d 00000000 00467804 00000000  // ReturnAddress AppName CommandLine ProcAttr
    003af944  00000000 00000000 00000000 00000000  // ThreadAttr InheritHandles CreationFlags Environment
    003af954  00000000 003afa48 003afa30 00000000  // CurrentDir StartupInfo ProcessInfo
    0:000> du 00467804
    00467804  "notepad.exe"
    0:000> dt 003afa30 PROCESS_INFORMATION
    getchildpid!PROCESS_INFORMATION
       +0x000 hProcess         : (null)
       +0x004 hThread          : (null)
       +0x008 dwProcessId      : 0
       +0x00c dwThreadId       : 0
    0:000> *** // empty before the call
    0:000> p;gu
    eax=00000001 ebx=7efde000 ecx=755d4964 edx=0000008b esi=003af960 edi=003afa94
    eip=0138148d esp=003af960 ebp=003afa94 iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    getchildpid!wmain+0xad:
    0138148d 3bf4            cmp     esi,esp
    0:000> dt 003afa30 PROCESS_INFORMATION
    getchildpid!PROCESS_INFORMATION
       +0x000 hProcess         : 0x00000038 Void
       +0x004 hThread          : 0x00000034 Void
       +0x008 dwProcessId      : 0x102c
       +0x00c dwThreadId       : 0xfb0

0x102c is the process ID of the child process. If the process does not die immediately, you can use .tlist to cross-check.

If you don't have symbols, you can still dump the memory:

    0:000> p;gu
    eax=00000001 ebx=7efde000 ecx=755d4964 edx=0000008b esi=003ef910 edi=003efa44
    eip=0138148d esp=003ef910 ebp=003efa44 iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    getchildpid!wmain+0xad:
    0138148d 3bf4            cmp     esi,esp
    0:000> dp esp-4 l1
    003ef90c  003ef9e0
    0:000> dp 003ef9e0 l4
    003ef9e0  00000038 00000034 00000cc0 00001320
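The answer above does two things by hand: at the CreateProcessW breakpoint it reads the tenth argument (lpProcessInformation) off the stack, and after `gu` it reads dwProcessId out of that PROCESS_INFORMATION. The same two steps are what a pydbg script needs, so here is the logic written as debugger-independent Python that I added as an example (it is not code from the question or the answer). The debugger is reduced to a `read(addr, size)` callback plus the stack pointer at the breakpoint; with pydbg those would be `dbg.read_process_memory` and `dbg.context.Esp`, with the entry breakpoint on `dbg.func_resolve("kernel32.dll", "CreateProcessW")` and a one-shot breakpoint on the return address that `on_entry` hands back (pydbg names quoted from memory, not verified on this page). The x86 memory contents are taken from the two WinDbg dumps above; the x64 layout (arg 10 at rsp+0x50, dwProcessId at offset 0x10 because the two HANDLEs are 8 bytes) is constructed. Two caveats a practitioner wants: the "no symbols" trick of reading `esp-4` after the return relies on the popped argument slot not having been overwritten yet, so it is only safe immediately after the return; and WinDbg prints dwProcessId in hex, while .tlist and Task Manager show decimal, so 0x102c is PID 4140.

```python
"""Extract the child PID from a CreateProcessW call observed in a debugger.

Added example, not from the original post. The debugger is abstracted as a
read(addr, size) callback so the logic runs offline against constructed memory.
"""
import struct

# Location of CreateProcessW's 10th argument (lpProcessInformation) relative to
# the stack pointer at function entry, the offset of dwProcessId inside
# PROCESS_INFORMATION, and where the same argument slot sits relative to the
# stack pointer right after the function has returned ("stale").
#   x86 stdcall: [esp]=return address, args 1..10 at esp+4..esp+0x28; the callee's
#                "ret 0x28" pops them, so after return the slot is at esp-4.
#   x64:         [rsp]=return address, 0x20 bytes home space, args 5..10 at
#                rsp+0x28..rsp+0x50; the caller owns the slot, so after return it
#                is still at rsp+0x48.
# Reading the stale slot only works if nothing overwrote it, i.e. straight after
# the return (WinDbg "gu"), which is the no-symbols trick from the answer.
ARCH = {
    "x86": {"ptr": 4, "fmt": "<I", "arg10": 0x28, "pid": 0x08, "stale": -4},
    "x64": {"ptr": 8, "fmt": "<Q", "arg10": 0x50, "pid": 0x10, "stale": 0x48},
}


class FakeMemory:
    """Constructed stand-in for a debugger's process-memory reader."""

    def __init__(self):
        self._bytes = {}

    def write_values(self, addr, values, fmt):
        size = struct.calcsize(fmt)
        for i, value in enumerate(values):
            for j, b in enumerate(struct.pack(fmt, value)):
                self._bytes[addr + i * size + j] = b

    def read(self, addr, size):
        return bytes(self._bytes[addr + i] for i in range(size))


class CreateProcessWatcher:
    """Entry breakpoint saves lpProcessInformation; return breakpoint parses it."""

    def __init__(self, read, arch="x86"):
        self.read = read
        self.a = ARCH[arch]
        self.lp_process_information = None

    def _ptr(self, addr):
        return struct.unpack(self.a["fmt"], self.read(addr, self.a["ptr"]))[0]

    def on_entry(self, sp):
        """At the CreateProcessW breakpoint: remember the struct pointer and
        return the return address, where the one-shot second breakpoint goes."""
        self.lp_process_information = self._ptr(sp + self.a["arg10"])
        return self._ptr(sp)

    def on_return(self, sp_after=None):
        """After CreateProcessW returned: (dwProcessId, dwThreadId). Falls back
        to the stale argument slot if on_entry never ran (no symbols case)."""
        lp = self.lp_process_information
        if lp is None:
            if sp_after is None:
                raise ValueError("post-return stack pointer needed for the fallback")
            lp = self._ptr(sp_after + self.a["stale"])
        return struct.unpack("<II", self.read(lp + self.a["pid"], 8))


def demo_x86_with_entry():
    """Replays the first WinDbg session above (esp=003af934 at the breakpoint)."""
    mem = FakeMemory()
    # "dp esp" at entry: return address followed by the ten arguments
    mem.write_values(0x003AF934, [0x0138148D, 0, 0x00467804, 0, 0, 0, 0, 0,
                                  0, 0x003AFA48, 0x003AFA30, 0], "<I")
    # PROCESS_INFORMATION at 003afa30 as it reads after "p;gu"
    mem.write_values(0x003AFA30, [0x38, 0x34, 0x102C, 0xFB0], "<I")
    w = CreateProcessWatcher(mem.read, "x86")
    assert w.on_entry(0x003AF934) == 0x0138148D
    return w.on_return()


def demo_x86_stale_slot():
    """Replays the second session: only the post-"gu" esp=003ef910 is known."""
    mem = FakeMemory()
    mem.write_values(0x003EF90C, [0x003EF9E0], "<I")                # dp esp-4 l1
    mem.write_values(0x003EF9E0, [0x38, 0x34, 0xCC0, 0x1320], "<I")  # dp ... l4
    w = CreateProcessWatcher(mem.read, "x86")
    return w.on_return(sp_after=0x003EF910)


def demo_x64():
    """Constructed x64 layout (values are made up for the example)."""
    mem = FakeMemory()
    rsp, lp = 0x000000CCFFFFF000, 0x000000CCFFFFF200
    mem.write_values(rsp, [0x00007FF612345678], "<Q")   # return address
    mem.write_values(rsp + 0x50, [lp], "<Q")            # lpProcessInformation
    mem.write_values(lp, [0x1A8, 0x1AC], "<Q")          # hProcess, hThread
    mem.write_values(lp + 0x10, [0x1F40, 0x1F44], "<I")  # dwProcessId, dwThreadId
    w = CreateProcessWatcher(mem.read, "x64")
    w.on_entry(rsp)
    return w.on_return()


if __name__ == "__main__":
    pid, tid = demo_x86_with_entry()
    # WinDbg shows the PID in hex; .tlist and Task Manager show it in decimal.
    print(f"child pid 0x{pid:x} ({pid}), tid 0x{tid:x}")
    print(demo_x86_stale_slot(), demo_x64())
```

In a real pydbg script the two handlers would be the bodies of the entry and return breakpoints; everything else (argument offset, struct offset, the fallback slot) stays as written. Once you have the PID you can attach a second debugger to it, which is what `.childdbg 1` automates in WinDbg.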

windows debugging winapi windbg pydbg
