1
votes

Here's a piece of code doing the main thing - attaching to an active process. Although it appears that child processes have not been caught as CREATE_PROCESS_DEBUG_EVENT in the switch. Only CREATE(EXIT)_THREAD_DEBUG_EVENT and LOAD_DLL_DEBUG_EVENT are printed to stderr, though I know for certain that sub-processes are created (not threads). Please advise.

    #include <windows.h>
    #include <iostream>
    using std::cerr;
    using std::endl;

    // processId: PID of the already-running target (set by the caller)
    bool done = false;
    if (!DebugActiveProcess(processId)) {
        cerr << "DebugActiveProcess failed: " << GetLastError() << endl;
        done = true;
    }
    DebugSetProcessKillOnExit(FALSE);

    while (!done) {
        DWORD status = DBG_CONTINUE;
        DEBUG_EVENT debugEvent;

        WaitForDebugEvent(&debugEvent, INFINITE);
        // Log before the switch: a statement placed inside the switch body
        // ahead of the first case label is never executed.
        cerr << "Got event " << debugEvent.dwDebugEventCode << endl;

        switch (debugEvent.dwDebugEventCode) {
        case CREATE_PROCESS_DEBUG_EVENT:
        {
            // Delivered once for the attached process itself; processes that
            // the debuggee spawns are not reported to this debugger.
            CREATE_PROCESS_DEBUG_INFO &info = debugEvent.u.CreateProcessInfo;
            cerr << "process created " << debugEvent.dwProcessId << endl;
            CloseHandle(info.hFile);   // the debugger owns this image handle
            break;
        }
        case EXIT_PROCESS_DEBUG_EVENT:
        {
            EXIT_PROCESS_DEBUG_INFO &info = debugEvent.u.ExitProcess;
            cerr << "process exited with code " << info.dwExitCode << endl;
            done = true;               // only one process is being debugged
            break;
        }
        case LOAD_DLL_DEBUG_EVENT:
        {
            CloseHandle(debugEvent.u.LoadDll.hFile);
            break;
        }
        case EXCEPTION_DEBUG_EVENT:
        {
            // The attach breakpoint is ours; any other exception must be handed
            // back to the debuggee, otherwise the debugger silently swallows it.
            DWORD code = debugEvent.u.Exception.ExceptionRecord.ExceptionCode;
            if (code != EXCEPTION_BREAKPOINT)
                status = DBG_EXCEPTION_NOT_HANDLED;
            break;
        }
        }
        ContinueDebugEvent(debugEvent.dwProcessId, debugEvent.dwThreadId, status);
    }
1

Did you mean to say "sub-processes are created"? – arx

1 Answer

2
votes

The documentation at msdn.microsoft.com says: "... as if it created the process with the DEBUG_ONLY_THIS_PROCESS flag ...".

This means: When debugging a process with DebugActiveProcess all threads of the process are debugged (of course) but child processes are not debugged.

To debug child processes too, you may set a breakpoint at the first address of CreateProcess() (to be more precise: CreateProcessA, CreateProcessW, CreateProcessAsUserA, ...). When this breakpoint is hit you modify the flags field so the process is started in a suspended state, and when the function returns you call DebugActiveProcess.