PoC of obtaining the _EPROCESS address of any cmd/pwsh in user mode.
hasbiyama/cmdEPROC

cmdEPROC

This project demonstrates a Proof of Concept (PoC) for obtaining the _EPROCESS address of any cmd and/or PowerShell process from user mode by utilizing its associated console host process (conhost.exe, or openconsole.exe on Windows 11).

Please refer to this three-part series for more information about the development process of this project:

[1] Getting the _EPROCESS Address of ANY cmd/pwsh process in Ring 3 (1)
[2] Getting the _EPROCESS Address of ANY cmd/pwsh process in Ring 3 (2)
[3] Getting the _EPROCESS Address of ANY cmd/pwsh process in Ring 3 (3)

[+] Tested on Windows 7, 8, 10, and 11.

CMD

[Screenshot 2024-07-15 231810: cmdEPROC output for a cmd process]

PWSH

[Screenshot 2024-07-15 234843: cmdEPROC output for a PowerShell process]

Disclaimer

This project is intended for educational and research purposes only. Usage of tools like cmdEPROC in any unauthorized or malicious activities is strictly prohibited. The developers are not responsible for any misuse or damage caused by the misuse of this software.
