Finding which command PowerShell is running using Windows API

Question

Finding which command PowerShell is running using Windows API

Parth Gupta 180

Hi,

I'm working on a final year project to detect malicious use of PowerShell and command prompt on Windows. I'm having trouble finding the appropriate Windows API to accomplish this.

I have successfully used the CreateToolhelp32Snapshot API to list all processes and then iterated over them to find the PID of PowerShell.exe. However, I am now trying to use the GetModuleFileNameEx API after OpenProcess API to determine which command PowerShell is running. For example, I want to know that the command it is running isdir or any other.

Can you please advise me on which API to use for this task?

Thanks

Jeanine Zhang-MSFT 11,356 Reputation points Microsoft External Staff

2023-10-16T02:20:21.9233333+00:00

The body of the command that PowerShell is executing is stored in the CommandLine property of the Win32_Process class.

For more details, I suggest you coudl refer to the Doc:

View the process

How do I get the command line of another process?
Parth Gupta 180 Reputation points

2023-10-16T10:19:53.4433333+00:00

Hi @Jeanine Zhang-MSFT , thanks for the reference, although I am looking for a Windows API way of doing it. Would you suggest automating the commands given in the reference using C++?
Jeanine Zhang-MSFT 11,356 Reputation points Microsoft External Staff

2023-10-23T08:13:59.1966667+00:00

You could try to use WMI to realize it. May I know if you have got any chance to check Castorix31's answer?
RLWA32 52,571 Reputation points

2023-10-23T08:50:02.1066667+00:00

@Parth Gupta, In addition to WMI you could also use Windows API functions like OpenProcess and ReadProcessMemory to obtain the command line that is stored in the PowerShell process RTL_USER_PROCESS_PARAMETERS structure. If it is Base64 encoded the ATL function Base64Decode could be used.

Elevated privilege as Administrator would be needed to obtain the command line from a PowerShell process that is running under an account that is different from that of your application or is running at a higher integrity level.

1 answer

Your answer

Jeanine Zhang-MSFT 11,356 Reputation points Microsoft External Staff

2023-10-16T02:20:21.9233333+00:00

The body of the command that PowerShell is executing is stored in the CommandLine property of the Win32_Process class.

For more details, I suggest you coudl refer to the Doc:

View the process

How do I get the command line of another process?
Parth Gupta 180 Reputation points

2023-10-16T10:19:53.4433333+00:00

Hi @Jeanine Zhang-MSFT , thanks for the reference, although I am looking for a Windows API way of doing it. Would you suggest automating the commands given in the reference using C++?
Jeanine Zhang-MSFT 11,356 Reputation points Microsoft External Staff

2023-10-23T08:13:59.1966667+00:00

You could try to use WMI to realize it. May I know if you have got any chance to check Castorix31's answer?
RLWA32 52,571 Reputation points

2023-10-23T08:50:02.1066667+00:00

@Parth Gupta, In addition to WMI you could also use Windows API functions like OpenProcess and ReadProcessMemory to obtain the command line that is stored in the PowerShell process RTL_USER_PROCESS_PARAMETERS structure. If it is Base64 encoded the ATL function Base64Decode could be used.

Elevated privilege as Administrator would be needed to obtain the command line from a PowerShell process that is running under an account that is different from that of your application or is running at a higher integrity level.

Answer 1

To intercept a PowerShell command, like

powershell -Command dir

you can adapt the MSDN code from :

https://learn.microsoft.com/en-us/windows/win32/wmisdk/example--receiving-event-notifications-through-wmi-

In a Win32 app, I commented the code after Sleep(10000);, to let it running,

I updated the query :

  _bstr_t("SELECT * "
      "FROM __InstanceCreationEvent WITHIN 1 "
      "WHERE TargetInstance ISA 'Win32_Process' and TargetInstance.Name='powershell.exe'"),

and I updated :

HRESULT EventSink::Indicate(long lObjectCount, IWbemClassObject** apObjArray)
{
    HRESULT hr = S_OK;
    VARIANT vtTargetInstance;
    VARIANT vtTargetProp;
    for (int i = 0; i < lObjectCount; i++)
    {     
        hr = apObjArray[i]->Get(L"TargetInstance", 0, &vtTargetInstance, NULL, NULL);
        if (SUCCEEDED(hr))
        {
            IWbemClassObject* pTargetInstance = NULL;
            hr = vtTargetInstance.punkVal->QueryInterface(IID_IWbemClassObject, reinterpret_cast<void**>(&pTargetInstance));
            if (SUCCEEDED(hr))
            {              
                hr = pTargetInstance->Get(L"CommandLine", 0, &vtTargetProp, NULL, NULL);
                if (SUCCEEDED(hr))
                {
                    WCHAR wsProp[512] = L"";
                    lstrcpy(wsProp, vtTargetProp.bstrVal);

                    // Command Line : "C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" -Command dir
                    WCHAR wsText[1024] = L"";
                    wsprintf(wsText, L"Command Line : %s\r\n", wsProp);
                    OutputDebugString(wsText);
                    VariantClear(&vtTargetProp);
                }
                pTargetInstance->Release();
                pTargetInstance = NULL;
            }
            VariantClear(&vtTargetInstance);
        }      
    }
    return WBEM_S_NO_ERROR;
}

Share via

Finding which command PowerShell is running using Windows API

1 answer

Your answer