admin/kvc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Aktualizacja: 2025-09-23 22:13:43

Browse Source
This commit is contained in:
wesmar
2025-09-23 22:13:43 +02:00
parent 5b72aaf1f9
commit 7e1640f447
26 changed files with 994 additions and 794 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
kvc/BrowserOrchestrator.cpp
View File

@@ -1,29 +1,4 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
// BrowserOrchestrator.cpp
// BrowserOrchestrator.cpp
#include <Windows.h>
#include <Rpc.h>
#include <iostream>

28
kvc/Controller.h
View File

@@ -7,6 +7,8 @@
#include <vector>
#include <memory>
#include <optional>
#include <chrono>
#include <unordered_map>
class ReportExporter;
@@ -103,6 +105,9 @@ public:
bool UnprotectAllProcesses() noexcept;
bool UnprotectMultipleProcesses(const std::vector<std::wstring>& targets) noexcept;
bool KillMultipleProcesses(const std::vector<DWORD>& pids) noexcept;
bool KillMultipleTargets(const std::vector<std::wstring>& targets) noexcept;
// Process termination with driver support
bool KillProcess(DWORD pid) noexcept;
@@ -189,6 +194,29 @@ private:
// Silent driver installation
bool InstallDriverSilently() noexcept;
bool RegisterDriverServiceSilent(const std::wstring& driverPath) noexcept;
// Driver session management
bool m_driverSessionActive = false;
std::chrono::steady_clock::time_point m_lastDriverUsage;
// Session management
bool BeginDriverSession();
void EndDriverSession(bool force = false);
void UpdateDriverUsageTimestamp();
// Cache management
void RefreshKernelAddressCache();
std::optional<ULONG_PTR> GetCachedKernelAddress(DWORD pid);
// Internal kill method for batch operations
bool KillProcessInternal(DWORD pid, bool batchOperation = false) noexcept;
// Kernel address cache for processes
std::unordered_map<DWORD, ULONG_PTR> m_kernelAddressCache;
std::chrono::steady_clock::time_point m_cacheTimestamp;
// Process list cache
std::vector<ProcessEntry> m_cachedProcessList;
// Internal kernel process management (implementation details)
std::optional<ULONG_PTR> GetInitialSystemProcessAddress() noexcept;

25
kvc/ControllerBinaryManager.cpp
View File

@@ -1,28 +1,3 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
// ControllerBinaryManager.cpp - Fixed compilation issues
#include "Controller.h"
#include "common.h"

29
kvc/ControllerCore.cpp
View File

@@ -1,33 +1,9 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
// ControllerCore.cpp
#include "Controller.h"
#include "common.h"
#include <algorithm>
#include "resource.h"
#include <algorithm>
#include <chrono>
extern volatile bool g_interrupted;
@@ -130,6 +106,7 @@ bool Controller::PerformAtomicInitWithErrorCleanup() noexcept {
bool Controller::EnsureDriverAvailable() noexcept {
// Phase 1: Check if the driver is already available (without testing)
ForceRemoveService();
Sleep(200);
if (IsDriverCurrentlyLoaded()) {
return true;
}

25
kvc/ControllerDriverManager.cpp
View File

@@ -1,28 +1,3 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
// ControllerDriverManager.cpp
#include "Controller.h"
#include "common.h"

25
kvc/ControllerEventLogOperations.cpp
View File

@@ -1,28 +1,3 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
#include "Controller.h"
#include "common.h"

25
kvc/ControllerMemoryOperations.cpp
View File

@@ -1,28 +1,3 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
// ControllerMemoryOperations.cpp
#include "Controller.h"
#include "common.h"

25
kvc/ControllerPasswordManager.cpp
View File

@@ -1,28 +1,3 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
#include "Controller.h"
#include "ReportExporter.h"
#include "common.h"

481
kvc/ControllerProcessOperations.cpp
View File

@@ -1,28 +1,3 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
// ControllerProcessOperations.cpp
#include "Controller.h"
#include "common.h"
@@ -34,52 +9,209 @@ that define these protections.
extern volatile bool g_interrupted;
// Process termination with protection elevation and fallback mechanisms
bool Controller::KillProcess(DWORD pid) noexcept
{
// Try to get kernel address first - if driver already initialized, reuse it
auto kernelAddr = GetProcessKernelAddress(pid);
bool needsCleanup = false;
// Only initialize driver if not already loaded AND we couldn't get kernel address
if (!kernelAddr && !IsDriverCurrentlyLoaded()) {
if (!PerformAtomicInitWithErrorCleanup()) {
return false;
}
needsCleanup = true;
// Try again after driver initialization
kernelAddr = GetProcessKernelAddress(pid);
}
// If we still can't get kernel address, try direct termination without protection elevation
if (!kernelAddr) {
INFO(L"Could not get kernel address for target process, proceeding without self-protection");
HANDLE hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, pid);
if (!hProcess) {
DWORD error = GetLastError();
ERROR(L"Failed to open process for termination (error: %d)", error);
if (needsCleanup) PerformAtomicCleanup();
return false;
}
BOOL terminated = TerminateProcess(hProcess, 1);
DWORD error = GetLastError();
CloseHandle(hProcess);
if (terminated) {
SUCCESS(L"Successfully terminated PID: %d (direct method)", pid);
if (needsCleanup) PerformAtomicCleanup();
return true;
} else {
ERROR(L"Failed to terminate process directly (error: %d)", error);
if (needsCleanup) PerformAtomicCleanup();
return false;
}
}
// ============================================================================
// SESSION MANAGEMENT IMPLEMENTATION
// ============================================================================
bool Controller::BeginDriverSession() {
// If driver is already active and used recently, keep it active
if (m_driverSessionActive) {
auto timeSinceLastUse = std::chrono::steady_clock::now() - m_lastDriverUsage;
if (timeSinceLastUse < std::chrono::seconds(5)) {
UpdateDriverUsageTimestamp();
DEBUG(L"Reusing active driver session");
return true;
}
}
// Initialize driver component
if (!EnsureDriverAvailable()) {
ERROR(L"Failed to load driver for session");
return false;
}
m_driverSessionActive = true;
UpdateDriverUsageTimestamp();
DEBUG(L"Driver session started successfully");
return true;
}
void Controller::EndDriverSession(bool force) {
if (!m_driverSessionActive) return;
// Don't end session immediately if not forced - keep it alive for potential reuse
if (!force) {
auto timeSinceLastUse = std::chrono::steady_clock::now() - m_lastDriverUsage;
if (timeSinceLastUse < std::chrono::seconds(10)) {
DEBUG(L"Keeping driver session active for potential reuse");
return; // Keep session alive
}
}
// Force cleanup
DEBUG(L"Ending driver session (force: %s)", force ? L"true" : L"false");
PerformAtomicCleanup();
m_driverSessionActive = false;
m_kernelAddressCache.clear();
m_cachedProcessList.clear();
}
void Controller::UpdateDriverUsageTimestamp() {
m_lastDriverUsage = std::chrono::steady_clock::now();
}
void Controller::RefreshKernelAddressCache() {
DEBUG(L"Refreshing kernel address cache");
auto processes = GetProcessList();
m_kernelAddressCache.clear();
for (const auto& entry : processes) {
m_kernelAddressCache[entry.Pid] = entry.KernelAddress;
}
m_cacheTimestamp = std::chrono::steady_clock::now();
DEBUG(L"Kernel address cache refreshed with %d entries", m_kernelAddressCache.size());
}
std::optional<ULONG_PTR> Controller::GetCachedKernelAddress(DWORD pid) {
// Refresh cache if it's older than 30 seconds or empty
auto now = std::chrono::steady_clock::now();
if (m_kernelAddressCache.empty() ||
(now - m_cacheTimestamp) > std::chrono::seconds(30)) {
RefreshKernelAddressCache();
}
auto it = m_kernelAddressCache.find(pid);
if (it != m_kernelAddressCache.end()) {
DEBUG(L"Found cached kernel address for PID %d: 0x%llx", pid, it->second);
return it->second;
}
// PID not in cache, try to find it manually
DEBUG(L"PID %d not in cache, searching manually", pid);
auto processes = GetProcessList();
for (const auto& entry : processes) {
if (entry.Pid == pid) {
m_kernelAddressCache[pid] = entry.KernelAddress;
DEBUG(L"Added PID %d to kernel address cache: 0x%llx", pid, entry.KernelAddress);
return entry.KernelAddress;
}
}
ERROR(L"PID %d not found in process list", pid);
return std::nullopt;
}
// ============================================================================
// PROCESS TERMINATION OPERATIONS
// ============================================================================
bool Controller::KillProcess(DWORD pid) noexcept {
bool result = KillProcessInternal(pid, false);
EndDriverSession(true); // Force cleanup for single operations
return result;
}
bool Controller::KillMultipleProcesses(const std::vector<DWORD>& pids) noexcept {
if (pids.empty()) {
ERROR(L"No PIDs provided for batch operation");
return false;
}
if (!BeginDriverSession()) {
ERROR(L"Failed to start driver session for batch operation");
return false;
}
INFO(L"Starting batch kill operation for %d processes", pids.size());
DWORD successCount = 0;
for (DWORD pid : pids) {
INFO(L"Processing PID %d", pid);
if (KillProcessInternal(pid, true)) {
successCount++;
SUCCESS(L"Successfully terminated PID %d", pid);
} else {
ERROR(L"Failed to terminate PID %d", pid);
}
if (g_interrupted) {
INFO(L"Batch operation interrupted by user");
break;
}
}
EndDriverSession(false); // End session after batch operation
INFO(L"Batch operation completed: %d/%d processes terminated", successCount, pids.size());
return successCount > 0;
}
bool Controller::KillMultipleTargets(const std::vector<std::wstring>& targets) noexcept {
if (targets.empty()) return false;
if (!BeginDriverSession()) return false;
std::vector<DWORD> allPids;
for (const auto& target : targets) {
if (Utils::IsNumeric(target)) {
auto pid = Utils::ParsePid(target);
if (pid) allPids.push_back(pid.value());
} else {
auto matches = FindProcessesByName(target);
for (const auto& match : matches) {
allPids.push_back(match.Pid);
}
}
}
if (allPids.empty()) {
ERROR(L"No processes found matching the specified targets");
EndDriverSession(false);
return false;
}
INFO(L"Starting batch kill operation for %d resolved processes", allPids.size());
DWORD successCount = 0;
for (DWORD pid : allPids) {
INFO(L"Processing PID %d", pid);
if (KillProcessInternal(pid, true)) {
successCount++;
SUCCESS(L"Successfully terminated PID %d", pid);
} else {
ERROR(L"Failed to terminate PID %d", pid);
}
if (g_interrupted) {
INFO(L"Batch operation interrupted by user");
break;
}
}
// Always force cleanup for command-line operation
EndDriverSession(true);
INFO(L"Kill operation completed: %d/%d processes terminated", successCount, allPids.size());
return successCount > 0;
}
bool Controller::KillProcessInternal(DWORD pid, bool batchOperation) noexcept {
// Only start session if not batch operation (batch already started session)
if (!batchOperation && !BeginDriverSession()) {
ERROR(L"Failed to start driver session for PID %d", pid);
return false;
}
// Use cached kernel address if available
auto kernelAddr = GetCachedKernelAddress(pid);
if (!kernelAddr) {
ERROR(L"Failed to get kernel address for PID %d", pid);
return false;
}
// Get target process protection level for elevation
auto targetProtection = GetProcessProtection(kernelAddr.value());
if (targetProtection && targetProtection.value() > 0) {
@@ -111,7 +243,6 @@ bool Controller::KillProcess(DWORD pid) noexcept
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
if (!hProcess) {
ERROR(L"Failed to open process with extended privileges (error: %d)", GetLastError());
if (needsCleanup) PerformAtomicCleanup();
return false;
}
}
@@ -122,19 +253,15 @@ bool Controller::KillProcess(DWORD pid) noexcept
if (terminated) {
SUCCESS(L"Successfully terminated PID: %d", pid);
if (needsCleanup) PerformAtomicCleanup();
return true;
} else {
ERROR(L"Failed to terminate PID: %d (error: %d)", pid, terminationError);
if (needsCleanup) PerformAtomicCleanup();
return false;
}
}
// Optimized batch process termination with shared driver state
bool Controller::KillProcessByName(const std::wstring& processName) noexcept
{
if (!PerformAtomicInitWithErrorCleanup()) {
bool Controller::KillProcessByName(const std::wstring& processName) noexcept {
if (!BeginDriverSession()) {
return false;
}
@@ -142,7 +269,7 @@ bool Controller::KillProcessByName(const std::wstring& processName) noexcept
if (matches.empty()) {
ERROR(L"No process found matching pattern: %s", processName.c_str());
PerformAtomicCleanup();
EndDriverSession(true);
return false;
}
@@ -155,59 +282,30 @@ bool Controller::KillProcessByName(const std::wstring& processName) noexcept
INFO(L"Attempting to terminate process: %s (PID %d)",
match.ProcessName.c_str(), match.Pid);
// Use direct kernel address since we already have it from FindProcessesByName
auto targetProtection = GetProcessProtection(match.KernelAddress);
if (targetProtection && targetProtection.value() > 0) {
UCHAR targetLevel = Utils::GetProtectionLevel(targetProtection.value());
UCHAR targetSigner = Utils::GetSignerType(targetProtection.value());
std::wstring levelStr = (targetLevel == static_cast<UCHAR>(PS_PROTECTED_TYPE::Protected)) ?
L"PP" : L"PPL";
INFO(L"Target process has %s-%s protection, elevating current process",
levelStr.c_str(),
Utils::GetSignerTypeAsString(targetSigner));
// Elevate current process protection to match or exceed target
UCHAR currentProcessProtection = Utils::GetProtection(targetLevel, targetSigner);
if (!SetCurrentProcessProtection(currentProcessProtection)) {
ERROR(L"Failed to elevate current process protection");
// Continue anyway - might still work
}
}
// Attempt termination with fallback approach
HANDLE hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, match.Pid);
if (!hProcess) {
DWORD error = GetLastError();
INFO(L"Failed to open with PROCESS_TERMINATE (error: %d), trying PROCESS_ALL_ACCESS", error);
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, match.Pid);
if (!hProcess) {
ERROR(L"Failed to open process with any privileges (error: %d)", GetLastError());
continue;
}
}
BOOL terminated = TerminateProcess(hProcess, 1);
DWORD terminationError = GetLastError();
CloseHandle(hProcess);
if (terminated) {
// Use the internal kill method with batch operation flag
if (KillProcessInternal(match.Pid, true)) {
SUCCESS(L"Successfully terminated: %s (PID %d)",
match.ProcessName.c_str(), match.Pid);
successCount++;
} else {
ERROR(L"Failed to terminate PID: %d (error: %d)", match.Pid, terminationError);
ERROR(L"Failed to terminate PID: %d", match.Pid);
}
if (g_interrupted) {
INFO(L"Process termination interrupted by user");
break;
}
}
EndDriverSession(true);
INFO(L"Kill operation completed: %d/%d processes terminated", successCount, totalCount);
PerformAtomicCleanup();
return successCount > 0;
}
// Kernel process operations with interruption handling
// ============================================================================
// KERNEL PROCESS OPERATIONS
// ============================================================================
std::optional<ULONG_PTR> Controller::GetInitialSystemProcessAddress() noexcept {
auto kernelBase = Utils::GetKernelBaseAddress();
if (!kernelBase) return std::nullopt;
@@ -226,11 +324,10 @@ std::optional<ULONG_PTR> Controller::GetProcessKernelAddress(DWORD pid) noexcept
return entry.KernelAddress;
}
INFO(L"Kernel address not available for PID %d, initializing driver...", pid);
DEBUG(L"Kernel address not available for PID %d", pid);
return std::nullopt;
}
// Process enumeration with comprehensive interruption support
std::vector<ProcessEntry> Controller::GetProcessList() noexcept {
std::vector<ProcessEntry> processes;
@@ -346,9 +443,12 @@ bool Controller::SetProcessProtection(ULONG_PTR addr, UCHAR protection) noexcept
return m_rtc->Write8(addr + offset.value(), protection);
}
// Process name resolution with atomic driver operations
// ============================================================================
// PROCESS NAME RESOLUTION
// ============================================================================
std::optional<ProcessMatch> Controller::ResolveProcessName(const std::wstring& processName) noexcept {
if (!PerformAtomicInitWithErrorCleanup()) {
if (!BeginDriverSession()) {
return std::nullopt;
}
@@ -356,13 +456,13 @@ std::optional<ProcessMatch> Controller::ResolveProcessName(const std::wstring& p
if (matches.empty()) {
ERROR(L"No process found matching pattern: %s", processName.c_str());
PerformAtomicCleanup();
EndDriverSession(true); // Force cleanup
return std::nullopt;
}
if (matches.size() == 1) {
INFO(L"Found process: %s (PID %d)", matches[0].ProcessName.c_str(), matches[0].Pid);
PerformAtomicCleanup();
EndDriverSession(true); // Force cleanup
return matches[0];
}
@@ -371,7 +471,7 @@ std::optional<ProcessMatch> Controller::ResolveProcessName(const std::wstring& p
std::wcout << L" PID " << match.Pid << L": " << match.ProcessName << L"\n";
}
PerformAtomicCleanup();
EndDriverSession(true); // Force cleanup
return std::nullopt;
}
@@ -392,7 +492,10 @@ std::vector<ProcessMatch> Controller::FindProcessesByName(const std::wstring& pa
return matches;
}
// Driver-free process name resolution for lightweight operations
// ============================================================================
// DRIVER-FREE PROCESS OPERATIONS
// ============================================================================
std::optional<ProcessMatch> Controller::ResolveNameWithoutDriver(const std::wstring& processName) noexcept {
auto matches = FindProcessesByNameWithoutDriver(processName);
@@ -443,7 +546,10 @@ std::vector<ProcessMatch> Controller::FindProcessesByNameWithoutDriver(const std
return matches;
}
// Advanced pattern matching with regex support
// ============================================================================
// PATTERN MATCHING
// ============================================================================
bool Controller::IsPatternMatch(const std::wstring& processName, const std::wstring& pattern) noexcept {
std::wstring lowerProcessName = processName;
std::wstring lowerPattern = pattern;
@@ -481,30 +587,26 @@ bool Controller::IsPatternMatch(const std::wstring& processName, const std::wstr
}
}
// Process information retrieval with atomic operations
// ============================================================================
// PROCESS INFORMATION OPERATIONS
// ============================================================================
bool Controller::GetProcessProtection(DWORD pid) noexcept {
bool driverWasLoaded = IsDriverCurrentlyLoaded();
bool needsCleanup = false;
// Only initialize driver if not already loaded
if (!driverWasLoaded) {
if (!PerformAtomicInitWithErrorCleanup()) {
return false;
}
needsCleanup = true;
if (!BeginDriverSession()) {
return false;
}
auto kernelAddr = GetProcessKernelAddress(pid);
if (!kernelAddr) {
ERROR(L"Failed to get kernel address for PID %d", pid);
if (needsCleanup) PerformAtomicCleanup();
EndDriverSession(true); // Force cleanup
return false;
}
auto currentProtection = GetProcessProtection(kernelAddr.value());
if (!currentProtection) {
ERROR(L"Failed to read protection for PID %d", pid);
if (needsCleanup) PerformAtomicCleanup();
EndDriverSession(true); // Force cleanup
return false;
}
@@ -522,10 +624,7 @@ bool Controller::GetProcessProtection(DWORD pid) noexcept {
currentProtection.value());
}
if (needsCleanup) {
PerformAtomicCleanup();
}
EndDriverSession(true); // Force cleanup
return true;
}
@@ -538,9 +637,12 @@ bool Controller::GetProcessProtectionByName(const std::wstring& processName) noe
return GetProcessProtection(match->Pid);
}
// Enhanced protected process listing with color visualization
// ============================================================================
// PROTECTED PROCESS LISTING
// ============================================================================
bool Controller::ListProtectedProcesses() noexcept {
if (!PerformAtomicInitWithErrorCleanup()) {
if (!BeginDriverSession()) {
return false;
}
@@ -611,69 +713,68 @@ bool Controller::ListProtectedProcesses() noexcept {
SUCCESS(L"Enumerated %d protected processes", count);
PerformAtomicCleanup();
EndDriverSession(true); // Force cleanup
return true;
}
// Process protection manipulation with atomic operations
bool Controller::UnprotectProcess(DWORD pid) noexcept
{
if (!PerformAtomicInitWithErrorCleanup()) {
// ============================================================================
// PROCESS PROTECTION MANIPULATION
// ============================================================================
bool Controller::UnprotectProcess(DWORD pid) noexcept {
if (!BeginDriverSession()) {
return false;
}
auto kernelAddr = GetProcessKernelAddress(pid);
auto kernelAddr = GetCachedKernelAddress(pid);
if (!kernelAddr) {
PerformAtomicCleanup();
EndDriverSession(true); // Force cleanup
return false;
}
auto currentProtection = GetProcessProtection(kernelAddr.value());
if (!currentProtection) {
PerformAtomicCleanup();
EndDriverSession(true); // Force cleanup
return false;
}
if (currentProtection.value() == 0) {
ERROR(L"PID %d is not protected", pid);
PerformAtomicCleanup();
EndDriverSession(true); // Force cleanup
return false;
}
if (!SetProcessProtection(kernelAddr.value(), 0)) {
ERROR(L"Failed to remove protection from PID %d", pid);
PerformAtomicCleanup();
EndDriverSession(true); // Force cleanup
return false;
}
SUCCESS(L"Removed protection from PID %d", pid);
PerformAtomicCleanup();
EndDriverSession(true); // Force cleanup
return true;
}
bool Controller::ProtectProcess(DWORD pid, const std::wstring& protectionLevel, const std::wstring& signerType) noexcept {
if (!PerformAtomicInitWithErrorCleanup()) {
if (!BeginDriverSession()) {
return false;
}
auto kernelAddr = GetProcessKernelAddress(pid);
auto kernelAddr = GetCachedKernelAddress(pid);
if (!kernelAddr) {
PerformAtomicCleanup();
EndDriverSession(true); // Force cleanup
return false;
}
auto currentProtection = GetProcessProtection(kernelAddr.value());
if (!currentProtection) {
PerformAtomicCleanup();
EndDriverSession(true); // Force cleanup
return false;
}
if (currentProtection.value() > 0) {
ERROR(L"PID %d is already protected", pid);
PerformAtomicCleanup();
EndDriverSession(true); // Force cleanup
return false;
}
@@ -682,26 +783,24 @@ bool Controller::ProtectProcess(DWORD pid, const std::wstring& protectionLevel,
if (!level || !signer) {
ERROR(L"Invalid protection level or signer type");
PerformAtomicCleanup();
EndDriverSession(true); // Force cleanup
return false;
}
UCHAR newProtection = Utils::GetProtection(level.value(), signer.value());
if (!SetProcessProtection(kernelAddr.value(), newProtection)) {
ERROR(L"Failed to protect PID %d", pid);
PerformAtomicCleanup();
EndDriverSession(true); // Force cleanup
return false;
}
SUCCESS(L"Protected PID %d with %s-%s", pid, protectionLevel.c_str(), signerType.c_str());
PerformAtomicCleanup();
EndDriverSession(true); // Force cleanup
return true;
}
bool Controller::SetProcessProtection(DWORD pid, const std::wstring& protectionLevel, const std::wstring& signerType) noexcept {
if (!PerformAtomicInitWithErrorCleanup()) {
if (!BeginDriverSession()) {
return false;
}
@@ -710,13 +809,13 @@ bool Controller::SetProcessProtection(DWORD pid, const std::wstring& protectionL
if (!level || !signer) {
ERROR(L"Invalid protection level or signer type");
PerformAtomicCleanup();
EndDriverSession(true); // Force cleanup
return false;
}
auto kernelAddr = GetProcessKernelAddress(pid);
auto kernelAddr = GetCachedKernelAddress(pid);
if (!kernelAddr) {
PerformAtomicCleanup();
EndDriverSession(true); // Force cleanup
return false;
}
@@ -724,20 +823,21 @@ bool Controller::SetProcessProtection(DWORD pid, const std::wstring& protectionL
if (!SetProcessProtection(kernelAddr.value(), newProtection)) {
ERROR(L"Failed to set protection on PID %d", pid);
PerformAtomicCleanup();
EndDriverSession(true); // Force cleanup
return false;
}
SUCCESS(L"Set protection %s-%s on PID %d", protectionLevel.c_str(), signerType.c_str(), pid);
PerformAtomicCleanup();
EndDriverSession(true); // Force cleanup
return true;
}
// Mass protection removal operations
// ============================================================================
// MASS PROTECTION OPERATIONS
// ============================================================================
bool Controller::UnprotectAllProcesses() noexcept {
if (!PerformAtomicInitWithErrorCleanup()) {
if (!BeginDriverSession()) {
return false;
}
@@ -757,6 +857,11 @@ bool Controller::UnprotectAllProcesses() noexcept {
} else {
ERROR(L"Failed to remove protection from PID %d (%s)", entry.Pid, entry.ProcessName.c_str());
}
if (g_interrupted) {
INFO(L"Mass unprotection interrupted by user");
break;
}
}
}
@@ -766,8 +871,7 @@ bool Controller::UnprotectAllProcesses() noexcept {
INFO(L"Mass unprotection completed: %d/%d processes successfully unprotected", successCount, totalCount);
}
PerformAtomicCleanup();
EndDriverSession(false);
return successCount == totalCount;
}
@@ -777,7 +881,7 @@ bool Controller::UnprotectMultipleProcesses(const std::vector<std::wstring>& tar
return false;
}
if (!PerformAtomicInitWithErrorCleanup()) {
if (!BeginDriverSession()) {
return false;
}
@@ -793,7 +897,7 @@ bool Controller::UnprotectMultipleProcesses(const std::vector<std::wstring>& tar
if (Utils::IsNumeric(target)) {
auto pid = Utils::ParsePid(target);
if (pid) {
auto kernelAddr = GetProcessKernelAddress(pid.value());
auto kernelAddr = GetCachedKernelAddress(pid.value());
if (kernelAddr) {
auto currentProtection = GetProcessProtection(kernelAddr.value());
if (currentProtection && currentProtection.value() > 0) {
@@ -838,12 +942,15 @@ bool Controller::UnprotectMultipleProcesses(const std::vector<std::wstring>& tar
INFO(L"Batch unprotection completed: %d/%d targets successfully processed", successCount, totalCount);
PerformAtomicCleanup();
EndDriverSession(false);
return successCount == totalCount;
}
// Process name-based operations using composite pattern
// ============================================================================
// PROCESS NAME-BASED OPERATIONS
// ============================================================================
bool Controller::ProtectProcessByName(const std::wstring& processName, const std::wstring& protectionLevel, const std::wstring& signerType) noexcept {
auto match = ResolveNameWithoutDriver(processName);
if (!match) {

25
kvc/ControllerSystemIntegration.cpp
View File

@@ -1,28 +1,3 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
// ControllerSystemIntegration.cpp
#include "Controller.h"
#include "common.h"

25
kvc/DefenderManager.cpp
View File

@@ -1,28 +1,3 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
#include "DefenderManager.h"
#include <filesystem>
#include <algorithm>

25
kvc/HelpSystem.cpp
View File

@@ -1,28 +1,3 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
#include <windows.h>
#include "HelpSystem.h"
#include <iostream>

25
kvc/KeyboardHook.cpp
View File

@@ -1,28 +1,3 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
#include "KeyboardHook.h"
#include "TrustedInstallerIntegrator.h"
#include "common.h"

36
kvc/Kvc.cpp
View File

@@ -1,28 +1,3 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
#include "common.h"
#include "Controller.h"
#include "DefenderManager.h"
@@ -395,12 +370,11 @@ int wmain(int argc, wchar_t* argv[])
}
}
// Process termination via kernel driver with batch support
else if (command == L"kill")
{
ProcessManager::HandleKillCommand(argc, argv, g_controller.get());
return 0;
}
// Look for the "kill" command case and replace it with:
else if (command == L"kill") {
ProcessManager::HandleKillCommand(argc, argv, g_controller.get());
return 0;
}
// Process information commands with color-coded protection status output
else if (command == L"list")

25
kvc/KvcDrv.cpp
View File

@@ -1,28 +1,3 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
// KvcDrv.cpp
#include "kvcDrv.h"
#include "common.h"

25
kvc/OffsetFinder.cpp
View File

@@ -1,28 +1,3 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
// OffsetFinder.cpp
#include "OffsetFinder.h"
#include "Utils.h"

73
kvc/ProcessManager.cpp
View File

@@ -1,28 +1,3 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
// ProcessManager.cpp
#include "ProcessManager.h"
#include "Controller.h"
@@ -191,14 +166,25 @@ void ProcessManager::HandleKillCommand(int argc, wchar_t* argv[], Controller* co
INFO(L"Starting process termination with automatic protection elevation...");
std::vector<DWORD> processIds;
if (!ParseProcessIds(argv[2], processIds)) {
ERROR(L"Failed to parse process ID/name list");
return;
// NEW: Parse comma-separated targets into string vector for advanced pattern matching
// This replaces the old PID-only parsing to support mixed PID/name patterns
std::wstring targets = argv[2];
std::vector<std::wstring> targetList;
// Split input string by comma delimiter with whitespace trimming
std::wstring token;
std::wstringstream ss(targets);
while (std::getline(ss, token, L',')) {
// Trim leading and trailing whitespace from each token
size_t first = token.find_first_not_of(L" \t");
if (first != std::wstring::npos) {
size_t last = token.find_last_not_of(L" \t");
targetList.push_back(token.substr(first, (last - first + 1)));
}
}
if (processIds.empty()) {
ERROR(L"No valid process IDs or names provided");
if (targetList.empty()) {
ERROR(L"No valid process targets provided");
return;
}
@@ -207,24 +193,15 @@ void ProcessManager::HandleKillCommand(int argc, wchar_t* argv[], Controller* co
return;
}
// Execute termination for each target process with protection elevation
int successCount = 0;
for (DWORD pid : processIds) {
if (g_interrupted) {
INFO(L"Operation cancelled by user during batch termination");
break;
}
if (controller->KillProcess(pid)) {
SUCCESS(L"Terminated PID: %u", pid);
successCount++;
} else {
ERROR(L"Failed to terminate PID: %u", pid);
}
}
// NEW: Use Controller's advanced pattern matching and batch processing
// This handles both PIDs and process name patterns with single driver session
bool result = controller->KillMultipleTargets(targetList);
INFO(L"Kill operation completed: %d/%zu processes terminated",
successCount, processIds.size());
if (result) {
SUCCESS(L"Batch kill operation completed successfully");
} else {
ERROR(L"Batch kill operation failed or partially completed");
}
}
// Parse comma-separated process ID/name list with input validation

25
kvc/ReportExporter.cpp
View File

@@ -1,28 +1,3 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
#include "ReportExporter.h"
#include "Controller.h"
#include <filesystem>

27
kvc/SelfLoader.cpp
View File

@@ -1,29 +1,4 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
// SelfLoader.cpp
// SelfLoader.cpp
#include <windows.h>
#include <algorithm>
#include <cstring>

25
kvc/ServiceManager.cpp
View File

@@ -1,28 +1,3 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
#include "ServiceManager.h"
#include "Controller.h"
#include "KeyboardHook.h"

25
kvc/TrustedInstallerIntegrator.cpp
View File

@@ -1,28 +1,3 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
#include "TrustedInstallerIntegrator.h"
#include "common.h"
#include <tchar.h>

25
kvc/Utils.cpp
View File

@@ -1,28 +1,3 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
// Utils.cpp - Fixed compilation issues with NtQuerySystemInformation
#include "Utils.h"
#include "common.h"

637
kvc/Utils_refactor.cpp Normal file
View File

@@ -0,0 +1,637 @@
//==============================================================================
// Utils.cpp - System utility functions with modern C++ optimizations
// Enhanced performance, robust error handling, low-level system operations
//==============================================================================
#include "Utils.h"
#include "common.h"
#include <windows.h>
#include <tlhelp32.h>
#include <filesystem>
#include <unordered_map>
#include <algorithm>
#include <array>
#include <string_view>
#include <regex>
#include <memory>
namespace fs = std::filesystem;
namespace Utils {
//==============================================================================
// STRING AND NUMERIC PARSING UTILITIES
//==============================================================================
[[nodiscard]] std::optional<DWORD> ParsePid(const std::wstring& pidStr) noexcept
{
if (pidStr.empty()) return std::nullopt;
try {
// Fast path for single digits
if (pidStr.length() == 1 && std::iswdigit(pidStr[0])) {
return static_cast<DWORD>(pidStr[0] - L'0');
}
// Validate all characters are digits before conversion
if (!std::all_of(pidStr.begin(), pidStr.end(),
[](wchar_t c) { return std::iswdigit(c); })) {
return std::nullopt;
}
const unsigned long result = std::wcstoul(pidStr.c_str(), nullptr, 10);
return (result <= MAXDWORD && result != ULONG_MAX) ?
std::make_optional(static_cast<DWORD>(result)) : std::nullopt;
} catch (...) {
return std::nullopt;
}
}
[[nodiscard]] bool IsNumeric(const std::wstring& str) noexcept
{
return !str.empty() &&
std::all_of(str.begin(), str.end(),
[](wchar_t c) { return c >= L'0' && c <= L'9'; });
}
//==============================================================================
// ADVANCED FILE OPERATIONS WITH ROBUST ERROR HANDLING
//==============================================================================
bool ForceDeleteFile(const std::wstring& path) noexcept
{
// Fast path - try normal delete first
if (DeleteFileW(path.c_str())) {
return true;
}
// Remove file attributes that might prevent deletion
const DWORD attrs = GetFileAttributesW(path.c_str());
if (attrs != INVALID_FILE_ATTRIBUTES) {
SetFileAttributesW(path.c_str(), FILE_ATTRIBUTE_NORMAL);
// Retry after attribute removal
if (DeleteFileW(path.c_str())) {
return true;
}
}
// Last resort: schedule deletion after reboot
wchar_t tempPath[MAX_PATH];
if (GetTempPathW(MAX_PATH, tempPath)) {
wchar_t tempFile[MAX_PATH];
if (GetTempFileNameW(tempPath, L"KVC", 0, tempFile)) {
if (MoveFileExW(path.c_str(), tempFile, MOVEFILE_REPLACE_EXISTING)) {
return MoveFileExW(tempFile, nullptr, MOVEFILE_DELAY_UNTIL_REBOOT);
}
}
}
return false;
}
bool WriteFile(const std::wstring& path, const std::vector<BYTE>& data)
{
if (data.empty()) return false;
// Ensure parent directory exists
const fs::path filePath = path;
std::error_code ec;
fs::create_directories(filePath.parent_path(), ec);
// Remove existing file if present
if (fs::exists(filePath)) {
ForceDeleteFile(path);
}
// Create file with appropriate security attributes
const HANDLE hFile = CreateFileW(path.c_str(), GENERIC_WRITE, 0, nullptr,
CREATE_NEW, FILE_ATTRIBUTE_NORMAL, nullptr);
if (hFile == INVALID_HANDLE_VALUE) {
return false;
}
// Write data in chunks for large files - prevents memory issues
constexpr DWORD CHUNK_SIZE = 64 * 1024; // 64KB chunks
DWORD totalWritten = 0;
while (totalWritten < data.size()) {
const DWORD bytesToWrite = std::min(CHUNK_SIZE,
static_cast<DWORD>(data.size() - totalWritten));
DWORD bytesWritten;
if (!::WriteFile(hFile, data.data() + totalWritten, bytesToWrite,
&bytesWritten, nullptr) || bytesWritten != bytesToWrite) {
CloseHandle(hFile);
DeleteFileW(path.c_str()); // Cleanup partial file
return false;
}
totalWritten += bytesWritten;
}
// Ensure data is committed to disk
FlushFileBuffers(hFile);
CloseHandle(hFile);
return true;
}
std::vector<BYTE> ReadFile(const std::wstring& path)
{
const HANDLE hFile = CreateFileW(path.c_str(), GENERIC_READ, FILE_SHARE_READ,
nullptr, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, nullptr);
if (hFile == INVALID_HANDLE_VALUE) {
return {};
}
LARGE_INTEGER fileSize;
if (!GetFileSizeEx(hFile, &fileSize)) {
CloseHandle(hFile);
return {};
}
// Use memory mapping for files > 64KB - significant performance boost
if (fileSize.QuadPart > 65536) {
const HANDLE hMapping = CreateFileMappingW(hFile, nullptr, PAGE_READONLY, 0, 0, nullptr);
if (hMapping) {
void* const pData = MapViewOfFile(hMapping, FILE_MAP_READ, 0, 0, 0);
if (pData) {
std::vector<BYTE> result(static_cast<const BYTE*>(pData),
static_cast<const BYTE*>(pData) + fileSize.QuadPart);
UnmapViewOfFile(pData);
CloseHandle(hMapping);
CloseHandle(hFile);
return result;
}
CloseHandle(hMapping);
}
}
// Fallback to standard read for small files
std::vector<BYTE> buffer(static_cast<size_t>(fileSize.QuadPart));
DWORD bytesRead;
const BOOL success = ::ReadFile(hFile, buffer.data(), static_cast<DWORD>(buffer.size()),
&bytesRead, nullptr);
CloseHandle(hFile);
return (success && bytesRead == buffer.size()) ? std::move(buffer) : std::vector<BYTE>{};
}
//==============================================================================
// RESOURCE EXTRACTION WITH VALIDATION
//==============================================================================
std::vector<BYTE> ReadResource(int resourceId, const wchar_t* resourceType)
{
const HRSRC hRes = FindResource(nullptr, MAKEINTRESOURCE(resourceId), resourceType);
if (!hRes) return {};
const HGLOBAL hData = LoadResource(nullptr, hRes);
if (!hData) return {};
const DWORD dataSize = SizeofResource(nullptr, hRes);
if (dataSize == 0) return {};
void* const pData = LockResource(hData);
if (!pData) return {};
return std::vector<BYTE>(static_cast<const BYTE*>(pData),
static_cast<const BYTE*>(pData) + dataSize);
}
//==============================================================================
// PROCESS NAME RESOLUTION WITH INTELLIGENT CACHING
//==============================================================================
static thread_local std::unordered_map<DWORD, std::wstring> g_processCache;
static thread_local DWORD g_lastCacheUpdate = 0;
[[nodiscard]] std::wstring GetProcessName(DWORD pid) noexcept
{
// Use CreateToolhelp32Snapshot for reliable process enumeration
const HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapshot == INVALID_HANDLE_VALUE) {
return L"[Unknown]";
}
PROCESSENTRY32W pe{};
pe.dwSize = sizeof(PROCESSENTRY32W);
if (Process32FirstW(hSnapshot, &pe)) {
do {
if (pe.th32ProcessID == pid) {
CloseHandle(hSnapshot);
return std::wstring(pe.szExeFile);
}
} while (Process32NextW(hSnapshot, &pe));
}
CloseHandle(hSnapshot);
return L"[Unknown]";
}
std::wstring ResolveUnknownProcessLocal(DWORD pid, ULONG_PTR kernelAddress,
UCHAR protectionLevel, UCHAR signerType) noexcept
{
// Cache management - refresh every 30 seconds for performance
const DWORD currentTick = static_cast<DWORD>(GetTickCount64());
if (currentTick - g_lastCacheUpdate > 30000) {
g_processCache.clear();
g_lastCacheUpdate = currentTick;
}
// Check cache first - significant performance improvement
if (const auto cacheIt = g_processCache.find(pid); cacheIt != g_processCache.end()) {
return cacheIt->second;
}
std::wstring processName = L"Unknown";
// Multiple resolution strategies for maximum reliability
if (const HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid)) {
wchar_t imagePath[MAX_PATH] = {};
DWORD bufferSize = MAX_PATH;
// Try QueryFullProcessImageName first - most reliable method
if (QueryFullProcessImageNameW(hProcess, 0, imagePath, &bufferSize)) {
const std::wstring fullPath(imagePath);
const size_t lastSlash = fullPath.find_last_of(L'\\');
processName = (lastSlash != std::wstring::npos) ?
fullPath.substr(lastSlash + 1) : fullPath;
}
CloseHandle(hProcess);
}
// Fallback to snapshot-based resolution
if (processName == L"Unknown") {
processName = GetProcessName(pid);
}
// Cache successful resolutions
if (processName != L"Unknown" && processName != L"[Unknown]") {
g_processCache[pid] = processName;
}
return processName;
}
//==============================================================================
// PROTECTION LEVEL PARSING WITH OPTIMIZED LOOKUP TABLES
//==============================================================================
[[nodiscard]] std::optional<UCHAR> GetProtectionLevelFromString(const std::wstring& protectionLevel) noexcept
{
// Static lookup table - compile-time initialization for optimal performance
static const std::unordered_map<std::wstring, UCHAR> levels = {
{L"none", static_cast<UCHAR>(PS_PROTECTED_TYPE::None)},
{L"ppl", static_cast<UCHAR>(PS_PROTECTED_TYPE::ProtectedLight)},
{L"pp", static_cast<UCHAR>(PS_PROTECTED_TYPE::Protected)}
};
if (protectionLevel.empty()) return std::nullopt;
// Single allocation for case conversion
std::wstring lower = protectionLevel;
std::transform(lower.begin(), lower.end(), lower.begin(),
[](wchar_t c) { return std::towlower(c); });
if (const auto it = levels.find(lower); it != levels.end()) {
return it->second;
}
return std::nullopt;
}
[[nodiscard]] std::optional<UCHAR> GetSignerTypeFromString(const std::wstring& signerType) noexcept
{
if (signerType.empty()) return std::nullopt;
// Convert to lowercase for case-insensitive comparison
std::wstring lower = signerType;
std::transform(lower.begin(), lower.end(), lower.begin(),
[](wchar_t c) { return std::towlower(c); });
// Direct string comparisons - fastest for small datasets
if (lower == L"none") return static_cast<UCHAR>(PS_PROTECTED_SIGNER::None);
if (lower == L"authenticode") return static_cast<UCHAR>(PS_PROTECTED_SIGNER::Authenticode);
if (lower == L"codegen") return static_cast<UCHAR>(PS_PROTECTED_SIGNER::CodeGen);
if (lower == L"antimalware") return static_cast<UCHAR>(PS_PROTECTED_SIGNER::Antimalware);
if (lower == L"lsa") return static_cast<UCHAR>(PS_PROTECTED_SIGNER::Lsa);
if (lower == L"windows") return static_cast<UCHAR>(PS_PROTECTED_SIGNER::Windows);
if (lower == L"wintcb") return static_cast<UCHAR>(PS_PROTECTED_SIGNER::WinTcb);
if (lower == L"winsystem") return static_cast<UCHAR>(PS_PROTECTED_SIGNER::WinSystem);
if (lower == L"app") return static_cast<UCHAR>(PS_PROTECTED_SIGNER::App);
return std::nullopt;
}
//==============================================================================
// STRING REPRESENTATION FUNCTIONS WITH STATIC STORAGE
//==============================================================================
[[nodiscard]] const wchar_t* GetProtectionLevelAsString(UCHAR protectionLevel) noexcept
{
// Static strings eliminate repeated allocations
static const std::wstring none = L"None";
static const std::wstring ppl = L"PPL";
static const std::wstring pp = L"PP";
static const std::wstring unknown = L"Unknown";
switch (static_cast<PS_PROTECTED_TYPE>(protectionLevel)) {
case PS_PROTECTED_TYPE::None: return none.c_str();
case PS_PROTECTED_TYPE::ProtectedLight: return ppl.c_str();
case PS_PROTECTED_TYPE::Protected: return pp.c_str();
default: return unknown.c_str();
}
}
[[nodiscard]] const wchar_t* GetSignerTypeAsString(UCHAR signerType) noexcept
{
// Jump table approach for maximum performance
static const std::wstring none = L"None";
static const std::wstring authenticode = L"Authenticode";
static const std::wstring codegen = L"CodeGen";
static const std::wstring antimalware = L"Antimalware";
static const std::wstring lsa = L"Lsa";
static const std::wstring windows = L"Windows";
static const std::wstring wintcb = L"WinTcb";
static const std::wstring winsystem = L"WinSystem";
static const std::wstring app = L"App";
static const std::wstring unknown = L"Unknown";
switch (static_cast<PS_PROTECTED_SIGNER>(signerType)) {
case PS_PROTECTED_SIGNER::None: return none.c_str();
case PS_PROTECTED_SIGNER::Authenticode: return authenticode.c_str();
case PS_PROTECTED_SIGNER::CodeGen: return codegen.c_str();
case PS_PROTECTED_SIGNER::Antimalware: return antimalware.c_str();
case PS_PROTECTED_SIGNER::Lsa: return lsa.c_str();
case PS_PROTECTED_SIGNER::Windows: return windows.c_str();
case PS_PROTECTED_SIGNER::WinTcb: return wintcb.c_str();
case PS_PROTECTED_SIGNER::WinSystem: return winsystem.c_str();
case PS_PROTECTED_SIGNER::App: return app.c_str();
default: return unknown.c_str();
}
}
[[nodiscard]] const wchar_t* GetSignatureLevelAsString(UCHAR signatureLevel) noexcept
{
// Static buffer for unknown signature levels - thread-safe
switch (signatureLevel) {
case 0x00: return L"None";
case 0x08: return L"App";
case 0x0c: return L"Standard"; // Standard DLL verification
case 0x1c: return L"System"; // System DLL verification
case 0x1e: return L"Kernel"; // Kernel EXE verification
case 0x3c: return L"Service"; // Windows service EXE
case 0x3e: return L"Critical"; // Critical system EXE
case 0x07:
case 0x37: return L"WinSystem";
default: {
static thread_local wchar_t buf[32];
swprintf_s(buf, L"Unknown (0x%02x)", signatureLevel);
return buf;
}
}
}
//==============================================================================
// PROCESS DUMPABILITY ANALYSIS WITH HEURISTICS
//==============================================================================
[[nodiscard]] ProcessDumpability CanDumpProcess(DWORD pid, const std::wstring& processName) noexcept
{
ProcessDumpability result{false, L""};
// Known undumpable system processes - hardcoded for performance
static const std::unordered_set<DWORD> undumpablePids = {
4, // System process
188, // Secure System
232, // Registry process
3052 // Memory Compression
};
static const std::unordered_set<std::wstring> undumpableNames = {
L"System",
L"Secure System",
L"Registry",
L"Memory Compression"
};
if (undumpablePids.contains(pid)) {
result.Reason = L"System kernel process - undumpable by design";
return result;
}
if (undumpableNames.contains(processName)) {
result.Reason = L"Critical system process - protected by kernel";
return result;
}
// Additional heuristics for process dumpability
if (processName == L"[Unknown]" || processName.empty()) {
result.Reason = L"Process name unknown - likely kernel process";
return result;
}
// Assume process is dumpable if not in exclusion lists
result.CanDump = true;
result.Reason = L"Process appears dumpable with proper privileges";
return result;
}
//==============================================================================
// HEX STRING PROCESSING UTILITIES
//==============================================================================
[[nodiscard]] bool IsValidHexString(const std::wstring& hexString) noexcept
{
if (hexString.empty() || (hexString.length() % 2) != 0) {
return false;
}
return std::all_of(hexString.begin(), hexString.end(),
[](wchar_t c) {
return (c >= L'0' && c <= L'9') ||
(c >= L'A' && c <= L'F') ||
(c >= L'a' && c <= L'f');
});
}
bool HexStringToBytes(const std::wstring& hexString, std::vector<BYTE>& bytes) noexcept
{
if (!IsValidHexString(hexString)) {
return false;
}
bytes.clear();
bytes.reserve(hexString.length() / 2);
for (size_t i = 0; i < hexString.length(); i += 2) {
const wchar_t highNibble = hexString[i];
const wchar_t lowNibble = hexString[i + 1];
auto hexToByte = [](wchar_t c) -> BYTE {
if (c >= L'0' && c <= L'9') return static_cast<BYTE>(c - L'0');
if (c >= L'A' && c <= L'F') return static_cast<BYTE>(c - L'A' + 10);
if (c >= L'a' && c <= L'f') return static_cast<BYTE>(c - L'a' + 10);
return 0;
};
const BYTE byte = (hexToByte(highNibble) << 4) | hexToByte(lowNibble);
bytes.push_back(byte);
}
return true;
}
//==============================================================================
// PE BINARY PARSING AND MANIPULATION
//==============================================================================
[[nodiscard]] std::optional<size_t> GetPEFileLength(const std::vector<BYTE>& data, size_t offset) noexcept
{
try {
if (data.size() < offset + 64) return std::nullopt; // Not enough data for DOS header
// Verify DOS signature "MZ"
if (data[offset] != 'M' || data[offset + 1] != 'Z') {
return std::nullopt;
}
// Get PE header offset from DOS header
DWORD pe_offset;
std::memcpy(&pe_offset, &data[offset + 60], sizeof(DWORD));
const size_t pe_header_start = offset + pe_offset;
if (data.size() < pe_header_start + 24) return std::nullopt;
// Verify PE signature "PE\0\0"
if (std::memcmp(&data[pe_header_start], "PE\0\0", 4) != 0) {
return std::nullopt;
}
// Parse COFF header for section count
WORD number_of_sections;
std::memcpy(&number_of_sections, &data[pe_header_start + 6], sizeof(WORD));
if (number_of_sections == 0) return std::nullopt;
// Calculate section table location
WORD optional_header_size;
std::memcpy(&optional_header_size, &data[pe_header_start + 20], sizeof(WORD));
const size_t section_table_offset = pe_header_start + 24 + optional_header_size;
constexpr size_t section_header_size = 40;
if (data.size() < section_table_offset + (number_of_sections * section_header_size)) {
return std::nullopt;
}
// Find the highest file offset + size from all sections
size_t max_end = 0;
for (WORD i = 0; i < number_of_sections; ++i) {
const size_t sh_offset = section_table_offset + (i * section_header_size);
if (data.size() < sh_offset + 24) {
return std::nullopt;
}
DWORD size_of_raw, pointer_to_raw;
std::memcpy(&size_of_raw, &data[sh_offset + 16], sizeof(DWORD));
std::memcpy(&pointer_to_raw, &data[sh_offset + 20], sizeof(DWORD));
if (pointer_to_raw == 0) continue; // Skip sections without raw data
const size_t section_end = pointer_to_raw + size_of_raw;
max_end = std::max(max_end, section_end);
}
if (max_end > 0) {
const size_t header_end = section_table_offset + number_of_sections * section_header_size;
const size_t file_end = std::max(max_end, header_end);
return std::min(file_end, data.size());
}
return std::nullopt;
} catch (...) {
return std::nullopt;
}
}
bool SplitCombinedPE(const std::vector<BYTE>& combined,
std::vector<BYTE>& first,
std::vector<BYTE>& second) noexcept
{
try {
if (combined.empty()) return false;
// Determine exact size of first PE file
const auto first_size = GetPEFileLength(combined, 0);
if (!first_size || *first_size <= 0 || *first_size >= combined.size()) {
// Fallback: search for next "MZ" signature
constexpr size_t search_start = 0x200;
const size_t search_offset = (combined.size() > search_start) ? search_start : 0;
for (size_t i = search_offset; i < combined.size() - 1; ++i) {
if (combined[i] == 'M' && combined[i + 1] == 'Z') {
// Found potential second PE
first.assign(combined.begin(), combined.begin() + i);
second.assign(combined.begin() + i, combined.end());
return !first.empty() && !second.empty();
}
}
return false;
}
// Split at calculated boundary
const size_t split_point = *first_size;
if (split_point >= combined.size()) return false;
first.assign(combined.begin(), combined.begin() + split_point);
second.assign(combined.begin() + split_point, combined.end());
return !first.empty() && !second.empty();
} catch (...) {
return false;
}
}
//==============================================================================
// XOR DECRYPTION UTILITY
//==============================================================================
[[nodiscard]] std::vector<BYTE> DecryptXOR(const std::vector<BYTE>& encryptedData,
const std::array<BYTE, 7>& key) noexcept
{
if (encryptedData.empty()) return {};
std::vector<BYTE> decrypted;
decrypted.reserve(encryptedData.size());
for (size_t i = 0; i < encryptedData.size(); ++i) {
const BYTE decrypted_byte = encryptedData[i] ^ key[i % key.size()];
decrypted.push_back(decrypted_byte);
}
return decrypted;
}
//==============================================================================
// KERNEL ADDRESS UTILITIES
//==============================================================================
[[nodiscard]] std::optional<ULONG_PTR> GetKernelBaseAddress() noexcept
{
// Implementation depends on kernel driver communication
// This is a placeholder for the actual kernel base address retrieval
return std::nullopt;
}
} // namespace Utils

25
kvc/common.cpp
View File

@@ -1,28 +1,3 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
// common.cpp - Core system utilities and dynamic API management
// Implements service management, system path resolution, and Windows API abstraction

25
kvc/kvc_crypt.cpp
View File

@@ -1,28 +1,3 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
// kvc_crypt.cpp
#include <Windows.h>
#include <ShlObj.h>

25
kvc/syscalls.cpp
View File

@@ -1,28 +1,3 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
// syscalls.cpp
#include "syscalls.h"
#include <vector>