Process management operations: ps list, ps kill, ps run, ps grep, ps suspend, ps resume.
List all running processes. Output columns: PID, PPID, session ID, owner (domain\user), architecture.
ps list
Terminate a process by PID. Optional exit code argument (defaults to 1 if omitted).
ps kill <PID> [exit_code]
Launch a new process. Supports default CreateProcess, credential-based launch (WithLogon), and token-based launch (WithToken), with optional PPID spoofing and stdout/stderr pipe capture.
ps run --command <cmd> [--pipe] [--ppid <PID>] [--state suspended] [--domain <domain> --username <user> --password <pass>] [--token <handle>]
Options:
  --command <cmd>       Command line to execute (required)
  --pipe                Capture stdout/stderr via anonymous pipe
  --ppid <PID>          Spoof parent PID
  --state suspended     Launch process in suspended state
  --domain <domain>     Domain for CreateProcessWithLogon
  --username <user>     Username for CreateProcessWithLogon
  --password <pass>     Password for CreateProcessWithLogon
  --token <handle>      Token handle for CreateProcessWithToken
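The `--ppid` and `--token` launch modes above leave a characteristic trace: the new process records the spoofed parent, but the kernel process-start telemetry (for example the ETW Microsoft-Windows-Kernel-Process provider, where the event header carries the PID of the process that actually made the call) still records the real creator, and a token-based launch typically produces a child whose session or owner differs from its parent's, which is visible in the same columns `ps list` reports (PID, PPID, session ID, owner). The following Python is an added example, not part of this tool or its documentation; the `ProcessStart` records and the `EVENTS` sample are constructed to illustrate the checks, and the field names are assumptions rather than any product's schema.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessStart:
    """One process-creation record (constructed shape, not a real provider schema)."""
    pid: int
    parent_pid: int   # parent as recorded in the new process (what PPID spoofing controls)
    creator_pid: int  # PID that actually issued the create call (e.g. ETW event header PID)
    session_id: int
    owner: str        # domain\user, as in the ps list output
    image: str


# Constructed sample telemetry. Two records are deliberately suspicious:
#   9012: claims explorer (1234) as parent, but the call came from PID 5678
#   7777: parent is a SYSTEM service in session 0, child runs as alice in session 1
EVENTS = [
    ProcessStart(600, 4, 4, 0, "NT AUTHORITY\\SYSTEM", "C:\\Windows\\System32\\services.exe"),
    ProcessStart(1234, 800, 800, 1, "CORP\\alice", "C:\\Windows\\explorer.exe"),
    ProcessStart(4321, 1234, 1234, 1, "CORP\\alice", "C:\\Windows\\System32\\cmd.exe"),
    ProcessStart(9012, 1234, 5678, 1, "CORP\\alice", "C:\\Windows\\System32\\notepad.exe"),
    ProcessStart(7777, 600, 600, 1, "CORP\\alice", "C:\\Windows\\System32\\cmd.exe"),
]


def find_ppid_spoofing(events):
    """Records whose claimed parent differs from the process that really created them."""
    return [e for e in events if e.parent_pid != e.creator_pid]


def find_session_or_owner_mismatch(events):
    """Children whose session ID or owner differs from their (known) parent's.

    A parent that is not in the record set cannot be compared and is skipped,
    so this check only fires on evidence actually present in the telemetry.
    """
    by_pid = {e.pid: e for e in events}
    flagged = []
    for e in events:
        parent = by_pid.get(e.parent_pid)
        if parent is None:
            continue
        if parent.session_id != e.session_id or parent.owner != e.owner:
            flagged.append(e)
    return flagged


def triage(events):
    """Map PID -> list of reasons, combining both checks so one process can carry several."""
    reasons = {}
    for e in find_ppid_spoofing(events):
        reasons.setdefault(e.pid, []).append(
            f"claimed parent {e.parent_pid} but created by {e.creator_pid}")
    for e in find_session_or_owner_mismatch(events):
        reasons.setdefault(e.pid, []).append(
            f"session/owner differs from parent {e.parent_pid}")
    return reasons


if __name__ == "__main__":
    for pid, why in sorted(triage(EVENTS).items()):
        print(pid, "; ".join(why))
```

Neither check is proof on its own: legitimate launchers (service control, scheduled tasks, some installers) also create children with a different parent session or owner, so the output is a triage list to be read alongside the image path and the token details that `ps grep` reports, not an alert by itself.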
Inspect a process by PID. Output sections: token (owner, elevated flag, integrity level), modules (name, base address, entry point, size), command line, threads (TIDs).
ps grep <PID>
Suspend a process by PID.
ps suspend <PID>
Resume a suspended process by PID.
ps resume <PID>