How to control multi process debugging

Submitted by 假装没事ソ on 2019-12-10 11:35:38

Question


I am analysing AcroRd32.exe with WinDbg. AcroRd32.exe has 2 processes; one (father-p) starts another (child-p). I use .childdbg 1, |1s and similar commands to debug these two processes.

I switch to child-p, then switch back to father-p, monitoring kernel32.dll's CreateFileW and ReadFile APIs with conditional breakpoints. While opening a.pdf, only CreateFileW is invoked with parameter "C:\a.pdf". I remember the return value of CreateFileW (the file handle) and use a conditional breakpoint to monitor ReadFile's parameter; however, there is no call to ReadFile with the return value of CreateFileW. Then, after many g commands, a confusing thing happens: a.pdf is opened!

I am confused. Without a call to ReadFile, the PDF opened. How did Acrobat Reader do it? I have two assumptions: the first one, it uses something like the CreateFileMapping APIs; the other one (most likely), the child-p does it.

Let's discuss the second assumption. When I was debugging father-p, the child-p wasn't suspended. How did it open (read) the file?


Answer 1:


Using Rohitab API Monitor I see that the second instance calls CreateFileW() as well as ReadFile() with the handle of the file:

Since that's the case, it must also be possible to figure out the same with breakpoints in WinDbg. Without exact steps to reproduce the problem, we'll not be able to answer what's wrong, e.g. in your condition of the breakpoint.

When I look at my walkthrough, I think the following could go wrong:

  • you're using the file handle of the parent process in the condition for the child process, although the child process gets a new handle
  • you're setting the breakpoint on the wrong process. Breakpoints are process specific.
  • something else is wrong in the condition of the breakpoint. Check the .if or j command.

Here's my walkthrough, which shows that the breakpoints are hit. I'm not using conditional breakpoints here.

0:000> bp kernel32!CreateFileW
0:000> .childdbg 1
Processes created by the current process will be debugged
0:000> g
[...]
Breakpoint 0 hit
[...]
0:000> kb L1
 # ChildEBP RetAddr  Args to Child              
00 0045f0d8 011d95b1 0023ca98 00000000 00000007 kernel32!CreateFileW
0:000> du 0023ca98
0023ca98  "d:\temp\a.pdf"
0:000> gu
0:000> r eax
eax=000000f0
0:000> *** Note that this is the wrong process, it's the father
0:000> *** We should not set a breakpoint with a condition of 0xF0 as the handle
0:000> *** Let's wait for the child process
0:000> bd 0
0:000> sxe cpr
0:000> g
[...]
ModLoad: 011c0000 013e5000   AcroRd32.exe
[...]
1:009> bl
1:009> |0s
[...]
0:000> bl
     0 d Enable Clear  771a167f     0001 (0001)  0:**** kernel32!CreateFileW
0:000> |1s
[...]
1:009> bl
1:009> *** Did you note? Breakpoints are process specific
1:009> bp kernel32!CreateFileW
Bp expression 'kernel32!CreateFileW' could not be resolved, adding deferred bp
1:009> g
[...]
ntdll!LdrpDoDebuggerBreak+0x2c:
77850ed4 cc              int     3
1:009> bl
     1 e Disable Clear  771a167f     0001 (0001)  1:**** kernel32!CreateFileW
[...]
Breakpoint 1 hit
[...]
1:009> kb L1
 # ChildEBP RetAddr  Args to Child              
00 002cedcc 771a775d 002cedec 002cede8 772e124c kernel32!CreateFileW
1:009> du 002cedec 
002cedec  "C:\Windows\Globalization\Sorting"
002cee2c  "\sortdefault.nls"
1:009> *** wrong file
1:009> g
[...]
Breakpoint 0 hit
[...]
1:009> kb L1
 # ChildEBP RetAddr  Args to Child              
00 0043da18 5f9b5cf0 06a12e68 80000000 00000001 kernel32!CreateFileW
1:009> du 06a12e68 
06a12e68  "d:\temp\a.pdf"
1:009> gu
[...]
1:009> r eax
eax=000001cc
1:009> bp kernel32!readfile
1:009> bl
     0 e Disable Clear  771a167f     0001 (0001)  1:**** kernel32!CreateFileW
     1 e Disable Clear  771a3ef1     0001 (0001)  1:**** kernel32!ReadFile
1:009> bd 0
1:009> g
Breakpoint 1 hit
[...]
1:009> kb L1
 # ChildEBP RetAddr  Args to Child              
00 0043da44 5f9b74be 000001cc 0043db64 00000008 kernel32!ReadFile
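Added example (not part of the answer above and not code from the Stack Overflow poster): a WinDbg command sequence that does what the question attempts, with the ReadFile condition built from a handle captured in the process where that handle is actually valid. It assumes the x86 (32-bit) stdcall layout visible in the transcript (at function entry, poi(@esp) is the return address and poi(@esp+4) is the first argument) and that the child becomes process 1; the alias name fn, the pseudo-register $t0 and the pattern *a.pdf are illustrative choices.

```windbg
* Added example, not from the answer. Assumes x86 stdcall: at function entry
* poi(@esp) = return address, poi(@esp+4) = first argument.
* "fn", $t0 and "*a.pdf" are illustrative names and values.

* Phase 1 (in the father, process 0): make sure the child will be debugged and
* stop when it is created. A bp set here would NOT apply to the child.
.childdbg 1
sxe cpr
g

* Phase 2 (after the create-process event): list processes, switch to the child
* and do all breakpoint work from there.
|
|1s

* CreateFileW: read lpFileName as a Unicode string into the alias fn. Calls for
* any other file resume (gc). For a.pdf, plant a one-shot breakpoint (/1) on the
* return address so the HANDLE can be read from eax once the call has returned,
* and keep it in $t0. .block makes the freshly assigned alias expand.
bp kernel32!CreateFileW "as /mu ${/v:fn} poi(@esp+4); .block { .if ($spat(\"${fn}\", \"*a.pdf\") == 0) { ad /q fn; gc } .else { ad /q fn; bp /1 poi(@esp) \"r $t0 = @eax; r $t0; gc\"; gc } }"

* ReadFile: stop only when hFile (first argument) equals the handle captured
* above. This is the j form the answer mentions. $t0 lives in the debugger
* session, but the value it holds is only meaningful in the process it came from.
bp kernel32!ReadFile "j (poi(@esp+4) == @$t0) 'kb L1'; 'gc'"

* Confirm both breakpoints are listed for process 1 (prefix 1:****), then run.
bl
g
```

The order is the whole point: .childdbg 1 before the child exists, |1s before bp, and the ReadFile comparison against a handle captured in that same process. A value such as 0xf0 obtained in the father (as in the transcript) is meaningless in the child, which is the first pitfall the answer lists.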


Source: https://stackoverflow.com/questions/46602166/how-to-control-multi-process-debugging
