Using Debugger how to get child process's PID from Parent

Question

I want to know, using windbg or any other debugger how can i get the PID of child process created by parent process.

Example :

Debugger attached to arbitrary running "Process A".

When debugger is attached to process A(Parent), Process A creates another child process (Process B) using kernel32!CreateProcess* or kernel32!CreateProcessInternal.

So how can I get the PID of process B from process A??

Mainly I want to do it using pydbg but if i get to know how to achieve this manually using windbg, i hope I will be able to do the same using pydbg.

Thanks in Advance,

Answer 1

In WinDbg, there is also the command .childdbg 1 so that you simply debug all child processes.

Here's the longer version using breakpoints when doing user mode debugging:

0:000> .symfix e:\debug\symbols

0:000> .reload
Reloading current modules
.....

0:000> bp kernel32!CreateProcessW

0:000> g
Breakpoint 0 hit
*** WARNING: Unable to verify checksum for GetChildPID.exe
eax=00467780 ebx=7efde000 ecx=00467804 edx=00000004 esi=003af960 edi=003afa94
eip=755c103d esp=003af934 ebp=003afa94 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
kernel32!CreateProcessW:
755c103d 8bff            mov     edi,edi

0:000> kb
ChildEBP RetAddr  Args to Child              
003af930 0138148d 00000000 00467804 00000000 kernel32!CreateProcessW

0:000> dp esp
003af934  0138148d 00000000 00467804 00000000 // ReturnAddress AppName CommandLine ProcAttr
003af944  00000000 00000000 00000000 00000000 // ThreadAttr InheritHandles CreationFlags Environment
003af954  00000000 003afa48 003afa30 00000000 // CurrentDir StartupInfo ProcessInfo

0:000> du 00467804 
00467804  "notepad.exe"

0:000> dt 003afa30 PROCESS_INFORMATION
GetChildPID!PROCESS_INFORMATION
   +0x000 hProcess         : (null) 
   +0x004 hThread          : (null) 
   +0x008 dwProcessId      : 0
   +0x00c dwThreadId       : 0
0:000> ***// Empty before the call

0:000> p;gu
eax=00000001 ebx=7efde000 ecx=755d4964 edx=0000008b esi=003af960 edi=003afa94
eip=0138148d esp=003af960 ebp=003afa94 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
GetChildPID!wmain+0xad:
0138148d 3bf4            cmp     esi,esp

0:000> dt 003afa30 PROCESS_INFORMATION
GetChildPID!PROCESS_INFORMATION
   +0x000 hProcess         : 0x00000038 Void
   +0x004 hThread          : 0x00000034 Void
   +0x008 dwProcessId      : 0x102c
   +0x00c dwThreadId       : 0xfb0

102c is the process ID of the child process. If the process does not die immediately, you can use .tlist to cross check.

If you don't have symbols, you could still dump memory

0:000> p;gu
eax=00000001 ebx=7efde000 ecx=755d4964 edx=0000008b esi=003ef910 edi=003efa44
eip=0138148d esp=003ef910 ebp=003efa44 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
GetChildPID!wmain+0xad:
0138148d 3bf4            cmp     esi,esp

0:000> dp esp-4 L1
003ef90c  003ef9e0

0:000> dp 003ef9e0 L4
003ef9e0  00000038 00000034 00000cc0 00001320

Answer 2

you can use windbg's handle command to search for Process with flag 0xf to get the pid of the child process

code compiled with cl /Zi /nologo /W4 /analyze %1% /link /RELEASE

C:\>type codesnips\childdbg\childdbg.cpp
#include <stdio.h>
#include <windows.h>
int main (void)
{
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    ZeroMemory( &si, sizeof(si) );
    si.cb = sizeof(si);
    ZeroMemory( &pi, sizeof(pi) );
    if( !CreateProcess( "c:\\windows\\system32\\calc.exe",NULL,NULL, NULL, FALSE
,0,NULL,NULL,&si,&pi ) )
    {
        printf( "CreateProcess failed (%d).\n", GetLastError() );
        return 0;
    }
    printf("waiting and watching when calc.exe will be no more\n");
    WaitForSingleObject( pi.hProcess, INFINITE );
    printf("calc.exe no more i am free to quit watching\n");
    CloseHandle( pi.hProcess );
    CloseHandle( pi.hThread );
    return 0;
}
    C:\> childdbg.exe
waiting and watching when calc.exe will be no more

process started above running as follows (note pid or parent and child)

tlist -t shows tree view**

C:\>tlist -t | grep -A 1 child
  opera.exe (1164) windows - How Internet Explorer(IE11)Creates low Integrity child process without CreateProcess Call - Stack Overflow - Opera
  childdbg.exe (6992) C:\codesnips\childdbg\childdbg.exe
    calc.exe (7040) Calculator

open a windbg or cdb prompt attach to the parent process retrieve all handles that are of type Process and .detach from the parent (compare the pids fetched via tlist and cdb )

C:>cdb -c "!handle 0 f Process;.detach;q" -pn childdbg.exe

0:001> cdb: Reading initial command '!handle 0 f Process;.detach;q'
Handle 28
  Type          Process
  Attributes    0
  GrantedAccess 0x1f0fff:
         Delete,ReadControl,WriteDac,WriteOwner,Synch
         Terminate,CreateThread,,VMOp,VMRead,VMWrite,DupHandle,CreateProcess,Set
Quota,SetInfo,QueryInfo,SetPort
  HandleCount   4
  PointerCount  18
  Name          <none>
  Object Specific Information
    Process Id  7040
    Parent Process  6992
    Base Priority 8
1 handles of type Process
Detached
quit:

C:\>