Dumping Process suspended time with Powershell | PowerShell | Page 1

visual mason Mar 27, 2024, 2:09 AM

#

probably depends on what specifically you want to get. There is likely a way to get each piece of information, just not all in the same place

#

oh running time

topaz patrol Mar 27, 2024, 2:11 AM

#

You could inspect win32_service CIM instance. win32_process might be helpful too.

visual mason Mar 27, 2024, 2:11 AM

#

yeah win32_process definitely has start time

#

suspended time I'm unsure about. Afaik that is a UWP thing only, are you sure you want that?

vapid plaza Mar 27, 2024, 5:57 AM

#

I agree, that's a UWP thing, have you ever seen a non-zero value for a service?

oak dawn Mar 27, 2024, 3:15 PM

#

Attackers don't suspend processes, they suspend their threads:

Get-Process |Where-Object { 
  $_.Threads.Count -and 
  $_.Name -notin 'SearchApp','ShellExperienceHost','SystemSettings' -and 
  -not(
    $_.Threads |? WaitReason -ne Suspended |Select -First 1
  )
}

oak dawn Mar 28, 2024, 1:51 PM

#

The same way I did above

#

Test whether $thread.WaitReason -eq 'Suspended'

#

Are you using Windows PowerShell, or PowerShell 7?

oak dawn Mar 28, 2024, 2:09 PM

#

Get-Process |Select Name,Id,@{Name='ThreadStatus';Expression={
  $susThreads = $_.Threads |Where-Object WaitReason -eq Suspended
  if($susThreads.Count){
    "$($PSStyle.Foreground.Red)Invalid (Thread ID: $($susThreads[0].Id) is suspended)$($PSStyle.Reset)"
  }
  else{
    "$($PSStyle.Foreground.Green)Valid$($PSStyle.Reset)"
  }
}}

#

"none of them were suspended manually" - I don't think you can distinguish between threads suspended by a kernel task vs a userspace request by looking at the thread info alone

#

Take a look at the python script that produced your previous screenshots - it might reveal how its filtering 🙂

#

Note that I'm only grabbing the TID of the first suspended thread, not all of them

#

You're most welcome

#

The service object has the PID of the hosting process

#

Why would that matter?

#

And?

#

You're looking for something according to a specific heuristic

#

I don't know what that means or why it's a problem

#

What does "Manipulated" mean?

#

For using services as input driver, try this:

Get-CimInstance Win32_Service |? State -eq 'Running' |ForEach-Object {
  $service = $_
  $hostingProcess = Get-Process -Id $service.ProcessId
  $suspendedThreads = $_.Threads |Where-Object WaitReason -eq Suspended
  
  [PSCustomObject]@{
    Service = $service.Name
    Process = $hostingProcess.Name
    ProcessId = $hostingProcess.Id
    ThreadStatus = $suspendedThreads.Count ? "$($PSStyle.Foreground.Red)Invalid (Thread ID: $($susThreads[0].Id) is suspended)$($PSStyle.Reset)" : "$($PSStyle.Foreground.Green)Valid$($PSStyle.Reset)"
  }
}

#

Restarting the machine?

#

Then it's obviously not the same process anymore 🙂

#

Stop, then start the service?

#

Processes aren't restartable, I think you might be confusing a couple of overlapping concepts here

#

Not if a new interactive logon session was started 10 minutes ago

#

It isn't easy 😛

#Dumping Process suspended time with Powershell