From 6aca5067154cf0c7607675e6d44a715af62b3d1b Mon Sep 17 00:00:00 2001 From: wesmar Date: Thu, 16 Oct 2025 23:31:18 +0200 Subject: [PATCH] Aktualizacja: 2025-10-16 23:31:18 --- kvc/DefenderManager.cpp | 180 +++----------------------------------- kvc/Kvc.cpp | 99 ++++----------------- kvc/KvcDrv.cpp | 189 ++++------------------------------------ 3 files changed, 46 insertions(+), 422 deletions(-) diff --git a/kvc/DefenderManager.cpp b/kvc/DefenderManager.cpp index e9e7506..6929ddd 100644 --- a/kvc/DefenderManager.cpp +++ b/kvc/DefenderManager.cpp @@ -1,14 +1,4 @@ -/** - * @file DefenderManager.cpp - * @brief Implementation of Windows Defender Security Engine management - * @author Marek Wesolowski - * @date 2025 - * @copyright KVC Framework - * - * Implements registry-level manipulation of Windows Defender service dependencies. - * Provides atomic operations for enabling/disabling the security engine by modifying - * RPC service dependencies in the Windows registry. - */ +// Implementation of Windows Defender Security Engine management #include "DefenderManager.h" #include "common.h" @@ -26,47 +16,21 @@ extern void SetColor(int color); // PUBLIC INTERFACE IMPLEMENTATION // ============================================================================ -/** - * @brief Disables Windows Defender security engine - * - * Implementation details: - * 1. Calls ModifySecurityEngine(false) to perform registry manipulation - * 2. Provides user feedback through console output - * - * @return bool true if Defender successfully disabled, false on failure - */ +// Disables Windows Defender security engine by modifying registry dependencies bool DefenderManager::DisableSecurityEngine() noexcept { std::wcout << L"Disabling Windows Security Engine...\n"; return ModifySecurityEngine(false); } -/** - * @brief Enables Windows Defender security engine - * - * Implementation details: - * 1. Calls ModifySecurityEngine(true) to perform registry manipulation - * 2. Provides user feedback through console output - * - * @return bool true if Defender successfully enabled, false on failure - */ +// Enables Windows Defender security engine by modifying registry dependencies bool DefenderManager::EnableSecurityEngine() noexcept { std::wcout << L"Enabling Windows Security Engine...\n"; return ModifySecurityEngine(true); } -/** - * @brief Queries current Windows Defender security engine state - * - * Detection logic: - * 1. Opens Windows Defender service registry key (read-only) - * 2. Reads DependOnService REG_MULTI_SZ value - * 3. Searches for RpcSs (enabled) or RpcSt (disabled) in dependencies - * 4. Returns ENABLED if RpcSs found, DISABLED if RpcSt found, UNKNOWN otherwise - * - * @return SecurityState Current state of Windows Defender security engine - */ +// Queries current Windows Defender state by checking RpcSs (enabled) or RpcSt (disabled) in service dependencies DefenderManager::SecurityState DefenderManager::GetSecurityEngineStatus() noexcept { try { @@ -98,21 +62,7 @@ DefenderManager::SecurityState DefenderManager::GetSecurityEngineStatus() noexce // CORE OPERATIONS IMPLEMENTATION // ============================================================================ -/** - * @brief Core registry manipulation logic for enable/disable operations - * - * Atomic operation sequence: - * 1. Enable required privileges (SE_BACKUP_NAME, SE_RESTORE_NAME, SE_LOAD_DRIVER_NAME) - * 2. Create registry snapshot of Services hive to temp file - * 3. Modify Windows Defender dependencies in temp registry - * 4. Restore modified registry snapshot to live system - * - * @param enable true to enable Defender (RpcSt→RpcSs), false to disable (RpcSs→RpcSt) - * @return bool true if all operations successful, false on any failure - * - * @note All operations are atomic - partial failure results in rollback - * @note Provides detailed console feedback for each step - */ +// Core registry manipulation logic - creates snapshot, modifies dependencies, and restores atomically bool DefenderManager::ModifySecurityEngine(bool enable) noexcept { try { @@ -151,23 +101,7 @@ bool DefenderManager::ModifySecurityEngine(bool enable) noexcept } } -/** - * @brief Creates temporary registry snapshot for atomic modifications - * - * Process: - * 1. Get system temp path (Windows\temp) - * 2. Validate write access to temp directory - * 3. Clean up any existing Services.hiv file - * 4. Unload any existing HKLM\Temp registry hive - * 5. Save HKLM\SYSTEM\CurrentControlSet\Services to Services.hiv - * 6. Load Services.hiv as HKLM\Temp for modification - * - * @param ctx [out] Registry context populated with temp paths and hive file - * @return bool true if snapshot created successfully, false on failure - * - * @note Uses REG_LATEST_FORMAT for maximum compatibility - * @note Cleans up existing temp hives to prevent conflicts - */ +// Creates temporary registry snapshot by saving Services hive to temp file and loading as HKLM\Temp bool DefenderManager::CreateRegistrySnapshot(RegistryContext& ctx) noexcept { ctx.tempPath = ::GetSystemTempPath(); @@ -221,24 +155,7 @@ bool DefenderManager::CreateRegistrySnapshot(RegistryContext& ctx) noexcept return true; } -/** - * @brief Modifies Windows Defender service dependencies in temp registry - * - * Modification logic: - * 1. Opens HKLM\Temp\WinDefend key (loaded from snapshot) - * 2. Reads DependOnService REG_MULTI_SZ value - * 3. Transforms RPC service dependency: - * - Enable: RpcSt (inactive stub) → RpcSs (active service) - * - Disable: RpcSs (active service) → RpcSt (inactive stub) - * 4. Writes modified dependencies back to temp registry - * - * @param ctx Registry context with loaded temp hive - * @param enable true to enable Defender, false to disable - * @return bool true if dependency modification successful, false on failure - * - * @note Operates only on temp registry (HKLM\Temp), not live system - * @note Automatically closes registry key handle on exit - */ +// Modifies Windows Defender service dependencies in temp registry by transforming RpcSs↔RpcSt bool DefenderManager::ModifyDefenderDependencies(const RegistryContext& ctx, bool enable) noexcept { HKEY tempKey; @@ -275,22 +192,7 @@ bool DefenderManager::ModifyDefenderDependencies(const RegistryContext& ctx, boo return true; } -/** - * @brief Restores modified registry snapshot to live system registry - * - * Restoration process: - * 1. Unload temporary HKLM\Temp registry hive (modified snapshot) - * 2. Open HKLM\SYSTEM\CurrentControlSet\Services key with write access - * 3. Restore modified hive file using RegRestoreKeyW with force flag - * 4. Close registry key handle - * - * @param ctx Registry context with modified hive file path - * @return bool true if restore successful, false on failure - * - * @warning This operation permanently modifies the live system registry - * @note Uses REG_FORCE_RESTORE to overwrite existing registry data - * @note Warnings about failed unload are informational only (non-critical) - */ +// Restores modified registry snapshot to live system by unloading temp hive and forcing restore bool DefenderManager::RestoreRegistrySnapshot(const RegistryContext& ctx) noexcept { // Unload temporary registry hive @@ -320,19 +222,7 @@ bool DefenderManager::RestoreRegistrySnapshot(const RegistryContext& ctx) noexce // PRIVILEGE MANAGEMENT IMPLEMENTATION // ============================================================================ -/** - * @brief Enables all required privileges for registry operations - * - * Required privileges: - * - SE_BACKUP_NAME: Allows reading registry hives (RegSaveKeyExW) - * - SE_RESTORE_NAME: Allows writing registry hives (RegRestoreKeyW) - * - SE_LOAD_DRIVER_NAME: Allows loading/unloading registry hives (RegLoadKeyW/RegUnLoadKeyW) - * - * @return bool true if all three privileges enabled successfully, false if any fails - * - * @note All three privileges must be enabled for registry snapshot operations - * @note Failure of any single privilege causes entire operation to fail - */ +// Enables SE_BACKUP_NAME, SE_RESTORE_NAME and SE_LOAD_DRIVER_NAME privileges required for registry operations bool DefenderManager::EnableRequiredPrivileges() noexcept { return PrivilegeUtils::EnablePrivilege(SE_BACKUP_NAME) && @@ -344,25 +234,7 @@ bool DefenderManager::EnableRequiredPrivileges() noexcept // HELPER UTILITIES IMPLEMENTATION // ============================================================================ -/** - * @brief Reads REG_MULTI_SZ registry value as string vector - * - * Reading process: - * 1. Query value type and size using RegQueryValueExW (initial call) - * 2. Validate value is REG_MULTI_SZ type - * 3. Allocate buffer for value data - * 4. Read value data into buffer - * 5. Parse null-terminated strings from buffer - * 6. Return vector of strings (empty vector on failure) - * - * @param key Open registry key handle with KEY_READ access - * @param valueName Name of REG_MULTI_SZ value to read - * @return std::vector Vector of strings, empty if value doesn't exist or wrong type - * - * @note Returns empty vector if value is wrong type or doesn't exist - * @note Properly handles null-terminated string array format - * @note Does not close registry key handle (caller's responsibility) - */ +// Reads REG_MULTI_SZ registry value as string vector by parsing null-terminated strings vector DefenderManager::ReadMultiString(HKEY key, const wstring& valueName) noexcept { DWORD type, size; @@ -388,23 +260,7 @@ vector DefenderManager::ReadMultiString(HKEY key, const wstring& valueN return result; } -/** - * @brief Writes string vector to REG_MULTI_SZ registry value - * - * Writing process: - * 1. Create buffer for null-terminated string array - * 2. Copy each string to buffer with null terminator - * 3. Add final double null terminator - * 4. Write buffer to registry using RegSetValueExW - * - * @param key Open registry key handle with KEY_WRITE access - * @param valueName Name of REG_MULTI_SZ value to write - * @param values Vector of strings to write - * @return bool true if write successful, false on failure - * - * @note Properly formats with double null terminator (REG_MULTI_SZ requirement) - * @note Does not close registry key handle (caller's responsibility) - */ +// Writes string vector to REG_MULTI_SZ registry value with proper double null terminator bool DefenderManager::WriteMultiString(HKEY key, const wstring& valueName, const vector& values) noexcept { @@ -425,19 +281,7 @@ bool DefenderManager::WriteMultiString(HKEY key, const wstring& valueName, // REGISTRY CONTEXT CLEANUP IMPLEMENTATION // ============================================================================ -/** - * @brief Cleans up temporary registry files and transaction logs - * - * Cleanup targets: - * 1. Main hive file (Services.hiv) - * 2. Transaction logs (Services.hiv.LOG1, Services.hiv.LOG2) - * 3. Binary log file (Services.hiv.blf) - * 4. Registry transaction files (*.regtrans-ms in temp directory) - * - * @note Safe to call multiple times (idempotent operation) - * @note Ignores errors during cleanup (best-effort cleanup) - * @note Called automatically by RegistryContext destructor - */ +// Cleans up temporary registry files including hive, transaction logs and regtrans-ms files void DefenderManager::RegistryContext::Cleanup() noexcept { if (hiveFile.empty()) return; diff --git a/kvc/Kvc.cpp b/kvc/Kvc.cpp index 30f3f82..8e83c63 100644 --- a/kvc/Kvc.cpp +++ b/kvc/Kvc.cpp @@ -1,19 +1,4 @@ -/** - * @file kvc.cpp - * @brief Kernel Vulnerability Capabilities Framework - Main Application Entry Point - * @author Marek Wesolowski - * @date 2025 - * @copyright KVC Framework - * - * Main command-line interface for the KVC framework providing: - * - Process protection manipulation (PP/PPL) - * - Memory dumping operations - * - Browser password extraction - * - Windows Defender management - * - Registry operations - * - System service integration - * - TrustedInstaller privilege escalation - */ +// Kernel Vulnerability Capabilities Framework - Main Application Entry Point #include "common.h" #include "Controller.h" @@ -33,10 +18,10 @@ // GLOBAL STATE // ============================================================================ -/** @brief Global controller instance for driver and system operations */ +// Global controller instance for driver and system operations std::unique_ptr g_controller; -/** @brief Signal handler flag for graceful shutdown */ +// Signal handler flag for graceful shutdown volatile bool g_interrupted = false; // ============================================================================ @@ -54,13 +39,7 @@ bool InitiateSystemRestart() noexcept; // SIGNAL HANDLERS // ============================================================================ -/** - * @brief Emergency signal handler for Ctrl+C interruption - * - * Ensures proper driver cleanup on emergency exit to prevent system instability. - * - * @param signum Signal number (SIGINT) - */ +// Emergency signal handler for Ctrl+C - ensures proper driver cleanup to prevent system instability void SignalHandler(int signum) { if (signum == SIGINT) { @@ -75,15 +54,7 @@ void SignalHandler(int signum) // HELPER FUNCTIONS // ============================================================================ -/** - * @brief Robust PID parsing with comprehensive validation - * - * @param pidStr String view containing PID value - * @return std::optional Parsed PID or nullopt on invalid input - * - * @note Uses std::from_chars for efficient and safe parsing - * @note Rejects non-ASCII characters - */ +// Robust PID parsing with validation using std::from_chars, rejects non-ASCII characters std::optional ParsePid(std::wstring_view pidStr) noexcept { if (pidStr.empty()) return std::nullopt; @@ -106,12 +77,7 @@ std::optional ParsePid(std::wstring_view pidStr) noexcept std::make_optional(result) : std::nullopt; } -/** - * @brief Checks if string contains only digits - * - * @param str String to validate - * @return bool true if string is purely numeric - */ +// Checks if string contains only digits bool IsNumeric(std::wstring_view str) noexcept { if (str.empty()) return false; @@ -124,14 +90,7 @@ bool IsNumeric(std::wstring_view str) noexcept return true; } -/** - * @brief Recognizes various help flag formats for user convenience - * - * Supports: /?, /help, /h, -?, -help, -h, --help, --h, help, ? - * - * @param arg Argument to check - * @return bool true if argument is a help flag - */ +// Recognizes various help flag formats: /?, /help, /h, -?, -help, -h, --help, --h, help, ? bool IsHelpFlag(std::wstring_view arg) noexcept { if (arg == L"/?" || arg == L"/help" || arg == L"/h") @@ -149,11 +108,7 @@ bool IsHelpFlag(std::wstring_view arg) noexcept return false; } -/** - * @brief Checks if kvc_pass.exe exists in current directory or System32 - * - * @return bool true if kvc_pass.exe is found - */ +// Checks if kvc_pass.exe exists in current directory or System32 bool CheckKvcPassExists() noexcept { // Check current directory @@ -170,13 +125,7 @@ bool CheckKvcPassExists() noexcept return false; } -/** - * @brief Initiates system restart with proper privilege escalation - * - * Used after security engine changes that require reboot. - * - * @return bool true if restart initiated successfully - */ +// Initiates system restart with SE_SHUTDOWN_NAME privilege for security engine changes bool InitiateSystemRestart() noexcept { HANDLE token; @@ -211,11 +160,7 @@ bool InitiateSystemRestart() noexcept SHTDN_REASON_MAJOR_SOFTWARE | SHTDN_REASON_MINOR_RECONFIGURE) != 0; } -/** - * @brief Emergency cleanup for driver resources - * - * Called on exit or Ctrl+C to prevent system instability. - */ +// Emergency cleanup for driver resources - called on exit or Ctrl+C void CleanupDriver() noexcept { if (g_controller) { @@ -227,23 +172,7 @@ void CleanupDriver() noexcept // MAIN APPLICATION ENTRY POINT // ============================================================================ -/** - * @brief Main application entry point with comprehensive command handling - * - * Supported commands: - * - Service management: install, uninstall, service - * - Process operations: list, protect, unprotect, set, dump, kill - * - Browser extraction: browser-passwords, bp, export - * - System integration: trusted, install-context, add-exclusion - * - Security operations: shift, unshift, disable-defender, enable-defender - * - Registry: registry backup/restore/defrag - * - Session management: restore, history, cleanup-sessions - * - Advanced: setup, evtclear - * - * @param argc Argument count - * @param argv Argument vector - * @return int Exit code (0=success, 1=error, 2=operation failed, 3=exception) - */ +// Main entry point with comprehensive command handling for service management, process operations, browser extraction, security operations and more int wmain(int argc, wchar_t* argv[]) { // Install signal handler for emergency cleanup on Ctrl+C @@ -510,7 +439,7 @@ int wmain(int argc, wchar_t* argv[]) } } - else if (command == L"get") { + else if (command == L"get") { if (argc < 3) { ERROR(L"Missing PID/process name argument"); return 1; @@ -977,7 +906,8 @@ int wmain(int argc, wchar_t* argv[]) return g_controller->AddToDefenderExclusions(path) ? 0 : 2; } } - else if (command == L"remove-exclusion") { + + else if (command == L"remove-exclusion") { // Legacy: no args = remove self if (argc < 3) { wchar_t exePath[MAX_PATH]; @@ -1012,6 +942,7 @@ int wmain(int argc, wchar_t* argv[]) return g_controller->RemoveFromDefenderExclusions(path) ? 0 : 2; } } + else if (command == L"disable-defender") { INFO(L"Disabling Windows Defender (requires restart)..."); bool result = DefenderManager::DisableSecurityEngine(); diff --git a/kvc/KvcDrv.cpp b/kvc/KvcDrv.cpp index be73e86..ded38f0 100644 --- a/kvc/KvcDrv.cpp +++ b/kvc/KvcDrv.cpp @@ -1,13 +1,4 @@ -/** - * @file kvcDrv.cpp - * @brief KVC kernel driver communication implementation - * @author Marek Wesolowski - * @date 2025 - * @copyright KVC Framework - * - * Implements low-level IOCTL communication with the KVC kernel driver - * for safe memory read/write operations in kernel space. - */ +// KVC kernel driver communication implementation- Implements low-level IOCTL communication with the KVC kernel driver #include "kvcDrv.h" #include "common.h" @@ -16,24 +7,20 @@ // IOCTL COMMAND CODES (DRIVER-SPECIFIC) // ============================================================================ -/** @brief IOCTL code for kernel memory read operations */ +// IOCTL code for kernel memory read operations constexpr DWORD RTC_IOCTL_MEMORY_READ = 0x80002048; -/** @brief IOCTL code for kernel memory write operations */ +// IOCTL code for kernel memory write operations constexpr DWORD RTC_IOCTL_MEMORY_WRITE = 0x8000204c; // ============================================================================ // CONSTRUCTION AND DESTRUCTION // ============================================================================ -/** - * @brief Default constructor - initializes empty driver object - */ +// Default constructor - initializes empty driver object kvc::kvc() = default; -/** - * @brief Destructor - ensures proper resource cleanup - */ +// Destructor - ensures proper resource cleanup kvc::~kvc() { Cleanup(); @@ -43,17 +30,7 @@ kvc::~kvc() // DRIVER CONNECTION MANAGEMENT // ============================================================================ -/** - * @brief Cleans up driver resources with proper flushing - * - * Performs orderly shutdown: - * 1. Flushes file buffers to ensure all pending operations complete - * 2. Resets smart handle (automatically calls CloseHandle) - * 3. Clears device name - * - * @note Safe to call multiple times - idempotent operation - * @note Critical for system stability - prevents hanging IOCTL operations - */ +// Cleans up driver resources by flushing buffers, closing handle and clearing device name void kvc::Cleanup() noexcept { DEBUG(L"kvc::Cleanup() called"); @@ -72,32 +49,13 @@ void kvc::Cleanup() noexcept DEBUG(L"kvc cleanup completed"); } -/** - * @brief Checks if driver connection is active - * - * @return bool true if device handle is valid and not INVALID_HANDLE_VALUE - */ +// Checks if driver connection is active bool kvc::IsConnected() const noexcept { return m_deviceHandle && m_deviceHandle.get() != INVALID_HANDLE_VALUE; } -/** - * @brief Establishes connection to KVC kernel driver - * - * Connection sequence: - * 1. Checks if already connected (idempotent) - * 2. Constructs device name from service name - * 3. Initializes dynamic APIs for CreateFileW - * 4. Opens device handle with read/write access - * 5. Wraps raw handle in smart pointer for RAII - * - * @return bool true if driver device opened successfully - * - * @note Does NOT perform test operations - just opens device - * @note Silently fails if driver not loaded (expected behavior) - * @note Requires dynamic API initialization for CreateFileW - */ +// Establishes connection to KVC kernel driver by opening device handle with read/write access bool kvc::Initialize() noexcept { // Idempotent check - return early if already connected @@ -145,14 +103,7 @@ bool kvc::Initialize() noexcept // MEMORY READ OPERATIONS (TYPE-SAFE WRAPPERS) // ============================================================================ -/** - * @brief Reads 8-bit value from kernel memory - * - * @param address Target kernel address - * @return std::optional Read value or nullopt on failure - * - * @note Extracts lowest byte from 32-bit read result - */ +// Reads 8-bit value from kernel memory by extracting lowest byte from 32-bit read std::optional kvc::Read8(ULONG_PTR address) noexcept { auto value = Read32(address); @@ -162,14 +113,7 @@ std::optional kvc::Read8(ULONG_PTR address) noexcept return static_cast(value.value() & 0xFF); } -/** - * @brief Reads 16-bit value from kernel memory - * - * @param address Target kernel address - * @return std::optional Read value or nullopt on failure - * - * @note Extracts lowest 2 bytes from 32-bit read result - */ +// Reads 16-bit value from kernel memory by extracting lowest 2 bytes from 32-bit read std::optional kvc::Read16(ULONG_PTR address) noexcept { auto value = Read32(address); @@ -179,30 +123,13 @@ std::optional kvc::Read16(ULONG_PTR address) noexcept return static_cast(value.value() & 0xFFFF); } -/** - * @brief Reads 32-bit value from kernel memory - * - * @param address Target kernel address - * @return std::optional Read value or nullopt on failure - * - * @note Direct call to low-level Read() function - */ +// Reads 32-bit value from kernel memory via direct IOCTL call std::optional kvc::Read32(ULONG_PTR address) noexcept { return Read(address, sizeof(DWORD)); } -/** - * @brief Reads 64-bit value from kernel memory - * - * @param address Target kernel address - * @return std::optional Read value or nullopt on failure - * - * @note Performs two 32-bit reads and combines them: - * - Low DWORD at address - * - High DWORD at address + 4 - * @note Both reads must succeed for operation to succeed - */ +// Reads 64-bit value from kernel memory by performing two 32-bit reads and combining them std::optional kvc::Read64(ULONG_PTR address) noexcept { auto low = Read32(address); @@ -216,16 +143,7 @@ std::optional kvc::Read64(ULONG_PTR address) noexcept return (static_cast(high.value()) << 32) | low.value(); } -/** - * @brief Reads pointer-sized value from kernel memory - * - * @param address Target kernel address - * @return std::optional Read value or nullopt on failure - * - * @note Platform-dependent: - * - x64: Uses Read64 - * - x86: Uses Read32 - */ +// Reads pointer-sized value from kernel memory (64-bit on x64, 32-bit on x86) std::optional kvc::ReadPtr(ULONG_PTR address) noexcept { #ifdef _WIN64 @@ -247,63 +165,25 @@ std::optional kvc::ReadPtr(ULONG_PTR address) noexcept // MEMORY WRITE OPERATIONS (TYPE-SAFE WRAPPERS) // ============================================================================ -/** - * @brief Writes 8-bit value to kernel memory - * - * @param address Target kernel address - * @param value Value to write - * @return bool true if write successful - * - * @warning Kernel memory writes can cause system instability - */ +// Writes 8-bit value to kernel memory (WARNING: can cause system instability) bool kvc::Write8(ULONG_PTR address, BYTE value) noexcept { return Write(address, sizeof(value), value); } -/** - * @brief Writes 16-bit value to kernel memory - * - * @param address Target kernel address - * @param value Value to write - * @return bool true if write successful - * - * @warning Kernel memory writes can cause system instability - */ +// Writes 16-bit value to kernel memory (WARNING: can cause system instability) bool kvc::Write16(ULONG_PTR address, WORD value) noexcept { return Write(address, sizeof(value), value); } -/** - * @brief Writes 32-bit value to kernel memory - * - * @param address Target kernel address - * @param value Value to write - * @return bool true if write successful - * - * @warning Kernel memory writes can cause system instability - */ +// Writes 32-bit value to kernel memory (WARNING: can cause system instability) bool kvc::Write32(ULONG_PTR address, DWORD value) noexcept { return Write(address, sizeof(value), value); } -/** - * @brief Writes 64-bit value to kernel memory - * - * @param address Target kernel address - * @param value Value to write - * @return bool true if write successful - * - * @note Performs two 32-bit writes: - * - Low DWORD at address - * - High DWORD at address + 4 - * @note Both writes must succeed for operation to succeed - * - * @warning Kernel memory writes can cause system instability - * @warning Non-atomic operation - system may observe partial write - */ +// Writes 64-bit value to kernel memory via two 32-bit writes (WARNING: non-atomic, can cause system instability) bool kvc::Write64(ULONG_PTR address, DWORD64 value) noexcept { DWORD low = static_cast(value & 0xFFFFFFFF); @@ -317,22 +197,7 @@ bool kvc::Write64(ULONG_PTR address, DWORD64 value) noexcept // LOW-LEVEL IOCTL COMMUNICATION // ============================================================================ -/** - * @brief Low-level kernel memory read via IOCTL - * - * Communication sequence: - * 1. Ensures driver connection is initialized - * 2. Constructs RTC_MEMORY_READ request structure - * 3. Sends IOCTL_MEMORY_READ command to driver - * 4. Extracts returned value from response - * - * @param address Kernel address to read from - * @param valueSize Size of value to read (1/2/4 bytes) - * @return std::optional Read value or nullopt on failure - * - * @note Uses aligned structure for IOCTL communication - * @note Driver returns value in response structure - */ +// Low-level kernel memory read via IOCTL using aligned RTC_MEMORY_READ structure std::optional kvc::Read(ULONG_PTR address, DWORD valueSize) noexcept { // Construct read request with proper alignment @@ -369,23 +234,7 @@ std::optional kvc::Read(ULONG_PTR address, DWORD valueSize) noexcept return memoryRead.Value; } -/** - * @brief Low-level kernel memory write via IOCTL - * - * Communication sequence: - * 1. Ensures driver connection is initialized - * 2. Constructs RTC_MEMORY_WRITE request structure - * 3. Sends IOCTL_MEMORY_WRITE command to driver - * 4. Checks for successful completion - * - * @param address Kernel address to write to - * @param valueSize Size of value to write (1/2/4 bytes) - * @param value Value to write - * @return bool true if write successful - * - * @note Uses aligned structure for IOCTL communication - * @warning Kernel writes can cause BSOD if address is invalid - */ +// Low-level kernel memory write via IOCTL (WARNING: can cause BSOD if address is invalid) bool kvc::Write(ULONG_PTR address, DWORD valueSize, DWORD value) noexcept { // Construct write request with proper alignment