
Malware creates new thread, how do I follow it?


Resource
July 18th, 2009, 22:12
Hi

I've got some malware I'm taking apart. It creates about four threads each called svchosts.exe which ARE NOT real svchosts.exe's. They are their own individual processes.

My problem is, I am trying to trace all the API calls the parent AND child processes are making. However all I can find is applications that will trace the parent process.

Once the malware parent process creates the new thread/process, the parent stops. Is there an application kind of like strace in Linux that offers the "FORK" option to follow forks or new processes created by a parent process in Windows32?

The main thing it needs to do is follow new processes created by the parent and monitor their API calls.

Thanks.

Kayaker
July 18th, 2009, 23:11
You could try WinDbg .childdbg (Debug Child Processes)


There is a similar plugin for Olly, Modified Command Line Plugin by anonymouse. Unfortunately the latest version

http://www.woodmann.com/collaborative/tools/Modified_Command_Line_Plugin

doesn't contain the childdbg option, but it's open source and you could add the modification if desired, which is given here:

https://www.openrce.org/blog/view/1247/childdbg_added_to_my_modified_cmdline_plugin_for_ollydbg


If using SoftICE you could set a breakpoint on BaseProcessStart and it should break for each new process instance.

http://www.woodmann.com/forum/showthread.php?t=12613

There are probably some other tricks other people use as well.
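What `.childdbg` (and the strace `-f` behaviour asked about above) boils down to is the `DEBUG_PROCESS` creation flag of the Win32 debugging API: a debugger that starts the sample with that flag instead of `DEBUG_ONLY_THIS_PROCESS` receives a `CREATE_PROCESS_DEBUG_EVENT` for every descendant, so the children are stopped and reported even after the parent has exited. The following is an added example, not code from the thread or from any of the tools named in it: a minimal debug loop in Python that follows every child and records when each one attaches and exits. The `ChildFollower` policy class is pure Python, so it can be exercised with constructed event sequences; `follow()` is the Windows-only loop around `CreateProcessW`/`WaitForDebugEvent`/`ContinueDebugEvent` that feeds it real events. Structure layouts, constants and the pid values used are assumptions stated in the code.

```python
import ctypes
import sys

# Debug-event codes and continue statuses of the Win32 debugging API.
EXCEPTION_DEBUG_EVENT = 1
CREATE_PROCESS_DEBUG_EVENT = 3
EXIT_PROCESS_DEBUG_EVENT = 5
LOAD_DLL_DEBUG_EVENT = 6
DBG_CONTINUE = 0x00010002
DBG_EXCEPTION_NOT_HANDLED = 0x80010001
DEBUG_PROCESS = 0x00000001          # debug the new process AND all of its descendants
DEBUG_ONLY_THIS_PROCESS = 0x00000002  # the default most front-ends use: children run free
INFINITE = 0xFFFFFFFF


class ChildFollower:
    """Bookkeeping for a debug loop that follows every child process.

    Pure Python on purpose: the policy can be tested with constructed events,
    and follow() below feeds it the real DEBUG_EVENT headers on Windows.
    """

    def __init__(self):
        self.processes = []        # pids in the order the debugger attached to them
        self.live = set()          # pids that have not exited yet
        self._initial_bp_seen = set()
        self.log = []

    def handle(self, code, pid, tid):
        """Record one DEBUG_EVENT header; return the status for ContinueDebugEvent."""
        if code == CREATE_PROCESS_DEBUG_EVENT:
            # With DEBUG_PROCESS each descendant shows up here, whether or not
            # the parent is still running, so nothing is lost when the parent exits.
            self.processes.append(pid)
            self.live.add(pid)
            self.log.append(f"attached pid={pid} tid={tid} (process #{len(self.processes)})")
        elif code == EXIT_PROCESS_DEBUG_EVENT:
            self.live.discard(pid)
            self.log.append(f"exited pid={pid}")
        elif code == EXCEPTION_DEBUG_EVENT:
            # The first exception in every process is the loader's initial breakpoint:
            # swallow it, but hand any later exception back to the debuggee.
            if pid not in self._initial_bp_seen:
                self._initial_bp_seen.add(pid)
                return DBG_CONTINUE
            return DBG_EXCEPTION_NOT_HANDLED
        return DBG_CONTINUE

    def done(self):
        """True once at least one process was attached and none of them is left."""
        return bool(self.processes) and not self.live


# Minimal ctypes layouts (assumed from the Win32 headers; natural alignment matches C).
class STARTUPINFOW(ctypes.Structure):
    _fields_ = [("cb", ctypes.c_uint32), ("lpReserved", ctypes.c_void_p),
                ("lpDesktop", ctypes.c_void_p), ("lpTitle", ctypes.c_void_p),
                ("dwX", ctypes.c_uint32), ("dwY", ctypes.c_uint32),
                ("dwXSize", ctypes.c_uint32), ("dwYSize", ctypes.c_uint32),
                ("dwXCountChars", ctypes.c_uint32), ("dwYCountChars", ctypes.c_uint32),
                ("dwFillAttribute", ctypes.c_uint32), ("dwFlags", ctypes.c_uint32),
                ("wShowWindow", ctypes.c_uint16), ("cbReserved2", ctypes.c_uint16),
                ("lpReserved2", ctypes.c_void_p), ("hStdInput", ctypes.c_void_p),
                ("hStdOutput", ctypes.c_void_p), ("hStdError", ctypes.c_void_p)]


class PROCESS_INFORMATION(ctypes.Structure):
    _fields_ = [("hProcess", ctypes.c_void_p), ("hThread", ctypes.c_void_p),
                ("dwProcessId", ctypes.c_uint32), ("dwThreadId", ctypes.c_uint32)]


class DEBUG_EVENT(ctypes.Structure):
    # Only the three header fields are read; the event union is kept as an opaque
    # buffer that is larger than the real structure on both x86 and x64.
    _fields_ = [("dwDebugEventCode", ctypes.c_uint32), ("dwProcessId", ctypes.c_uint32),
                ("dwThreadId", ctypes.c_uint32), ("u", ctypes.c_byte * 168)]


def follow(cmdline):
    """Start cmdline under the debugger and follow every child it spawns (Windows only)."""
    k32 = ctypes.windll.kernel32
    si, pi = STARTUPINFOW(), PROCESS_INFORMATION()
    si.cb = ctypes.sizeof(si)
    cmd = ctypes.create_unicode_buffer(cmdline)   # CreateProcessW may write into the buffer
    if not k32.CreateProcessW(None, cmd, None, None, False, DEBUG_PROCESS,
                              None, None, ctypes.byref(si), ctypes.byref(pi)):
        raise ctypes.WinError()
    follower, ev = ChildFollower(), DEBUG_EVENT()
    while not follower.done():
        if not k32.WaitForDebugEvent(ctypes.byref(ev), INFINITE):
            raise ctypes.WinError()
        status = follower.handle(ev.dwDebugEventCode, ev.dwProcessId, ev.dwThreadId)
        k32.ContinueDebugEvent(ev.dwProcessId, ev.dwThreadId, status)
    return follower


if __name__ == "__main__" and sys.platform == "win32":
    for line in follow(" ".join(sys.argv[1:])).log:
        print(line)
```

Run it in the analysis VM as `python follow.py sample.exe`; every process the sample spawns, including the fake svchosts.exe copies, appears in the log with its own pid, and the loop only ends when the last of them has exited. Because the union is left opaque, the file handles carried by `CREATE_PROCESS` and `LOAD_DLL` events are not closed, which is acceptable for a short run but would need fixing in a long-lived tracer. API-call logging is the next step on top of this loop: once a child is attached, breakpoints can be set in its address space exactly as for the parent.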