Detection of malicious thread suspension

What is claimed is: 1 . A computing apparatus, comprising: one or more logic elements comprising a security agent operable to: detect that a first process has launch a second process and placed the second process in a suspended state; detect that the first process has modified or attempted to modify the second process; classify the modification as potentially malicious; and take a remedial action. 2 . The computing apparatus of claim 1 , wherein the security agent is further operable to classify the modification as non-malicious, and permitting the first process to execute. 3 . The computing apparatus of claim 1 , wherein detecting that the first process has placed the second process in a suspended state comprises identifying a create-suspended flag. 4 . The computing apparatus of claim 1 , wherein detecting that the first process has placed the second process in a suspended state comprises detecting that a number-of-threads counter has been set to zero. 5 . The computing apparatus of claim 1 , wherein detecting that the first process has placed the second process in a suspended state comprises detecting that no “resume” instruction has been issued for the process. 6 . The computing apparatus of claim 1 , wherein detecting that the first process has placed the second process in a suspended state comprises inserting operating system hooks. 7 . The computing apparatus of claim 1 , wherein detecting that the first process has placed the second process in a suspended state comprises inserting application-level hooks. 8 . The computing apparatus of claim 1 , wherein classifying the modification as potentially malicious comprises determining that the first process has overwritten an entry point of the second process. 9 . The computing apparatus of claim 1 , wherein classifying the modification as potentially malicious comprises detecting that the first process has introduced a jump or branching instruction at or near an entry point of the second process. 10 . The computing apparatus of claim 1 , wherein classifying the modification as potentially malicious comprises detecting that the first process has created a remote thread on the second process. 11 . The computing apparatus of claim 1 , wherein classifying the modification as potentially malicious comprises detecting that the first process has modified an import address table. 12 . The computing apparatus of claim 1 , wherein classifying the modification as potentially malicious comprises providing an operating system or user-mode hook. 13 . The computing apparatus of claim 1 , wherein classifying the modification as potentially malicious comprises detecting that the first process has launched a plurality of processes that together effect a modification to the second process. 14 . One or more tangible, non-transitory computer-readable storage mediums having stored thereon executable instructions for providing a security engine operable for: detecting that a first process has launch a second process and placed the second process in a suspended state; detecting that the first process has modified or attempted to modify the second process; classifying the modification as potentially malicious; and taking a remedial action. 15 . The one or more tangible, non-transitory computer-readable storage mediums of claim 14 , wherein detecting that the first process has placed the second process in a suspended state comprises identifying a create-suspended flag. 16 . The one or more tangible, non-transitory computer-readable storage mediums of claim 14 , wherein detecting that the first process has placed the second process in a suspended state comprises detecting that a number-of-threads counter has been set to zero. 17 . The one or more tangible, non-transitory computer-readable storage mediums of claim 14 , wherein detecting that the first process has placed the second process in a suspended state comprises detecting that no “resume” instruction has been issued for the process. 18 . The one or more tangible, non-transitory computer-readable storage mediums of claim 14 , wherein detecting that the first process has placed the second process in a suspended state comprises inserting operating system hooks. 19 . The one or more tangible, non-transitory computer-readable storage mediums of claim 14 , wherein detecting that the first process has placed the second process in a suspended state comprises inserting application-level hooks. 20 . The one or more tangible, non-transitory computer-readable storage mediums of claim 14 , wherein classifying the modification as potentially malicious comprises determining that the first process has overwritten an entry point of the second process. 21 . The one or more tangible, non-transitory computer-readable storage mediums of claim 14 , wherein classifying the modification as potentially malicious comprises detecting that the first process has introduced a jump or branching instruction at or near an entry point of the second process. 22 . The one or more tangible, non-transitory computer-readable storage mediums of claim 14 , wherein classifying the modification as potentially malicious comprises detecting that the first process has created a remote thread on the second process. 23 . The one or more tangible, non-transitory computer-readable storage mediums of claim 14 , wherein classifying the modification as potentially malicious comprises detecting that the first process has modified an import address table. 24 . A computer-executable method of providing a security agent, comprising: detecting that a first process has launch a second process and placed the second process in a suspended state; detecting that the first process has modified or attempted to modify the second process; classifying the modification as potentially malicious; and taking a remedial action. 25 . The method of claim 24 , wherein detecting that the first process has placed the second process in a suspended state comprises identifying a create-suspended flag.