Hi everyone. Considering the use of NtCreateProcess and conditional breakpoints in WinDbg, how can I monitor child processes created from a cmd.exe parent process? I am not quite sure how to use the NtCreateProcess structure, or how to identify the process name so I can ask for it in a conditional breakpoint in WinDbg. Could you please shed some light on that? Thanks in advance. Regards.
You could do this:
1: kd> !process 0 0 cmd.exe
PROCESS ffffdd8e367cd0c0
SessionId: 1 Cid: 0f10 Peb: 6be071c000 ParentCid: 0390
DirBase: 1070e6002 ObjectTable: ffff800e62bb4dc0 HandleCount: 169.
Image: cmd.exe
1: kd> bp /p ffffdd8e367cd0c0 nt!NtCreateUserProcess
If that’s not sufficient you could write a small driver that calls PsSetCreateProcessNotifyRoutineEx and have that break based on whatever conditions you want.
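As an added example (mine, not part of the answer above), the same process-scoped breakpoint can carry a command string so that every child creation attempt from the cmd.exe instance is logged with the child's image path and command line before execution resumes. It assumes an x64 target, the PROCESS address ffffdd8e367cd0c0 from the listing above (substitute the one your own `!process 0 0 cmd.exe` prints), and that at function entry the ninth argument of nt!NtCreateUserProcess, the ProcessParameters pointer, sits at @rsp+0x48 (arguments 5 and up are on the stack starting at @rsp+0x28 under the x64 calling convention).

```windbg
$$ Locate the cmd.exe instance we want to watch; the PROCESS address is the
$$ one from the listing above and must be replaced with yours.
1: kd> !process 0 0 cmd.exe

$$ Process-scoped breakpoint: fires only when this cmd.exe enters
$$ NtCreateUserProcess, i.e. when it is about to spawn a child.
$$ The 9th argument (ProcessParameters) is at @rsp+0x48 at function entry
$$ on x64 (assumption stated in the lead-in); dump the child's image path
$$ and command line from it, then continue so the target keeps running.
1: kd> bp /p ffffdd8e367cd0c0 nt!NtCreateUserProcess ".echo === cmd.exe spawning child ===; dt nt!_RTL_USER_PROCESS_PARAMETERS poi(@rsp+0x48) ImagePathName CommandLine; g"

$$ Drop the trailing "; g" if you want to stay broken in and inspect the
$$ call (k, r, or !process -1 0) instead of just logging it.
1: kd> bl
```

Because the breakpoint is scoped with /p, it hits in the context of that cmd.exe, so the user-mode ProcessParameters pointer is readable directly; if dt shows `??` for the structure, the page is not resident or the offset does not match your target (on x86 the arguments are at @esp+4*n instead), so check with `dq @rsp+0x28 L5` first. Note that the breakpoint fires on the attempt, so a child that later fails to start is still logged.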