Debug Child Process Tool (auto attach)
OTHER License
DbgChild is a stand-alone tool for debugging child processes (auto attach). DbgChild can be used in conjunction with a debugger plugin; currently a plugin for the x86/x64 x64dbg debugger is provided.
Support for OllyDbg and Immunity Debugger can be added if required, funded via donations. Consider making a donation: https://github.com/sponsors/therealdreg
WARNING: If you are using an AV, this plugin can fail (the AV may hook ZwCreateUserProcess, etc.)
You have to select the checkboxes in the DbgChild plugin to automatically attach x64dbg to any process started by the executable you’re currently debugging:
WARNING: You must select the checkboxes in both versions of x64dbg, opening x64dbg.exe and x32dbg.exe
Always keep NewProcessWatcher.exe open.
Example video showing how to use the DbgChild x64dbg plugin (x32_cmd -> x64_cmd -> x32_cmd -> x32_calc): https://www.youtube.com/watch?v=NfA2HAJa0Rk
https://mrexodia.github.io/reversing/2017/07/12/Analyzing-torrent-repack-malware
https://ragegorilla08.medium.com/qakbot-analysis-d5ea5f5a38c4
DbgChild comprises a number of components that together launch a new x64dbg instance when a child process is hooked and detected. These components are:
Download the latest release of DbgChild here
Once extracted the contents should look something like this:
\x64dbg\NewProcessWatcher.exe
\x64dbg\x64_post.unicode.txt
\x64dbg\x64_pre.unicode.txt
\x64dbg\x86_post.unicode.txt
\x64dbg\x86_pre.unicode.txt
\x64dbg\x32\CreateProcessPatch.exe
\x64dbg\x32\DbgChildHookDLL.dll
\x64dbg\x32\NTDLLEntryPatch.exe
\x64dbg\x32\plugins\DbgChild.dp32
\x64dbg\x32\CPIDS\
\x64dbg\x64\CreateProcessPatch.exe
\x64dbg\x64\DbgChildHookDLL.dll
\x64dbg\x64\NTDLLEntryPatch.exe
\x64dbg\x64\plugins\DbgChild.dp64
\x64dbg\x64\CPIDS\
Hook Process Creation
- CreateProcessPatch.exe hooks ZwCreateUserProcess and loads DbgChildHookDLL.dll. There are x86 and x64 versions of CreateProcessPatch.exe
Auto from x32dbg/x64dbg Hook Process Creation
- Toggle option to switch the automatic hooking of process creation on or off. If it is off, the user must manually select Hook Process Creation at some point before child processes are spawned.
Clear x32|x64\CPIDS
- Clear all process id file entries from the x32\CPIDS or x64\CPIDS folder
Open x32|x64\CPIDS
- Opens in explorer the x32\CPIDS or x64\CPIDS folder
Create New Entry x32|x64\CPIDS
- Adds a new entry to the x32\CPIDS or x64\CPIDS folder
Patch NTDLL Entry
- Patches the ntdll.dll LdrInitializeThunk function.
Unpatch NTDLL Entry
- Unpatches the ntdll.dll LdrInitializeThunk if it has previously been patched
Auto From x32dbg|x64dbg Unpatch NTDLL Entry
- Toggle option to switch the automatic unpatching of the NTDLL entry on or off when a 2nd x64dbg instance is launched for a child process. If it is off, the user must manually select Unpatch NTDLL Entry in the 2nd x64dbg instance after it has launched
Launch NewProcessWatcher
- Starts NewProcessWatcher.exe, which monitors the x32\CPIDS or x64\CPIDS folder for new process id files; these are created by DbgChildHookDLL.dll when a child process is detected and is about to be spawned
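The hand-off between DbgChildHookDLL.dll and NewProcessWatcher.exe described above (and the Clear CPIDS operation), modelled in Python as an added example; this is not DbgChild's own code. That each CPIDS entry is a file named with the decimal PID, the `process_existing` option, and the `-p <pid>` attach syntax are assumptions of this model.

```python
import os
import tempfile


class CpidsWatcher:
    """Models the DbgChild CPIDS hand-off: the hook DLL drops one file per
    child PID into a CPIDS folder; the watcher polls it and attaches a
    debugger to each new PID. Assumption: file name == decimal PID."""

    def __init__(self, cpids_dir, debugger_exe, process_existing=False):
        # A temporary folder is used when none is given (for offline runs).
        self.cpids_dir = cpids_dir or tempfile.mkdtemp()
        self.debugger_exe = debugger_exe
        os.makedirs(self.cpids_dir, exist_ok=True)
        # Entries present at start-up are skipped unless the caller asks to
        # process old processes as well (hypothetical option of this model).
        self.seen = set() if process_existing else set(os.listdir(self.cpids_dir))

    def create_entry(self, pid):
        """What the hook DLL does when a child is about to be spawned."""
        path = os.path.join(self.cpids_dir, str(pid))
        open(path, "w", encoding="utf-8").close()
        return path

    def clear(self):
        """'Clear CPIDS': delete every entry; returns the number removed."""
        names = os.listdir(self.cpids_dir)
        for name in names:
            os.remove(os.path.join(self.cpids_dir, name))
        self.seen.clear()
        return len(names)

    def poll(self):
        """One watcher tick: PIDs of entries not seen before. Names that are
        not a decimal PID are recorded but ignored, so junk dropped into
        the folder never becomes an attach command."""
        new_pids = []
        for name in sorted(os.listdir(self.cpids_dir)):
            if name in self.seen:
                continue
            self.seen.add(name)
            if name.isdigit():
                new_pids.append(int(name))
        return new_pids

    def attach_command(self, pid):
        # Assumed debugger syntax: '<exe> -p <pid>' attaches to a running PID.
        return [self.debugger_exe, "-p", str(pid)]
```

A real watcher would call `poll()` in a loop and spawn `attach_command(pid)` for each result; here the commands are only returned so the flow can be checked without a debugger installed.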
Launch NewProcessWatcher With Old Processes
-
Launch from x32dbg|x64dbg NewProcessWatcher Without Ask
- Toggle option to switch the prompt to launch NewProcessWatcher on or off. If on, NewProcessWatcher launches automatically when Hook Process Creation is selected. If off, a prompt asks the user whether they wish to launch NewProcessWatcher
Go to Hook Process Creation
- Shows the location of the hook code in the x32dbg|x64dbg CPU disassembly window
Go to NTDLL Patch
- Shows the location of the ntdll.dll patch in the x32dbg|x64dbg CPU disassembly window
Edit x32|x64 Suspended Command
- Opens x86_pre.unicode.txt or x64_pre.unicode.txt in notepad for editing
Edit x32|x64 Resumed Command
- Opens x86_post.unicode.txt or x64_post.unicode.txt in notepad for editing
Remote x32|x64 PID Hook Process Creation
- Asks for a process id to remotely hook process creation for
Remote x32|x64 PID Patch NTDLL Entry
- Asks for a process id to remotely patch the ntdll.dll LdrInitializeThunk function for
Remote x32|x64 PID Unpatch NTDLL Entry
- Asks for a process id to remotely unpatch the ntdll.dll LdrInitializeThunk if it has previously been patched
Open Logs
- Open log files
Clear Logs
- Clear log files
Auto From x32|x64 Open Logs
- Toggle option to switch on or off the automatic opening of the log file
Help
- Displays information on the usage of the plugin and its operations
Plugin Info By Dreg
- About dialog box showing information about this plugin