diff --git a/kvc/BrowserOrchestrator.cpp b/kvc/BrowserOrchestrator.cpp index 357e2ac..00a9c82 100644 --- a/kvc/BrowserOrchestrator.cpp +++ b/kvc/BrowserOrchestrator.cpp @@ -1,29 +1,4 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - -// BrowserOrchestrator.cpp +// BrowserOrchestrator.cpp #include #include #include diff --git a/kvc/Controller.h b/kvc/Controller.h index 8c62ae1..13346a1 100644 --- a/kvc/Controller.h +++ b/kvc/Controller.h @@ -7,6 +7,8 @@ #include #include #include +#include +#include class ReportExporter; @@ -103,6 +105,9 @@ public: bool UnprotectAllProcesses() noexcept; bool UnprotectMultipleProcesses(const std::vector& targets) noexcept; + + bool KillMultipleProcesses(const std::vector& pids) noexcept; + bool KillMultipleTargets(const std::vector& targets) noexcept; // Process termination with driver support bool KillProcess(DWORD pid) noexcept; @@ -189,6 +194,29 @@ private: // Silent driver installation bool InstallDriverSilently() noexcept; bool RegisterDriverServiceSilent(const std::wstring& driverPath) noexcept; + + // Driver session management + bool m_driverSessionActive = false; + std::chrono::steady_clock::time_point m_lastDriverUsage; + + // Session management + bool BeginDriverSession(); + void EndDriverSession(bool force = false); + void UpdateDriverUsageTimestamp(); + + // Cache management + void RefreshKernelAddressCache(); + std::optional GetCachedKernelAddress(DWORD pid); + + // Internal kill method for batch operations + bool KillProcessInternal(DWORD pid, bool batchOperation = false) noexcept; + + // Kernel address cache for processes + std::unordered_map m_kernelAddressCache; + std::chrono::steady_clock::time_point m_cacheTimestamp; + + // Process list cache + std::vector m_cachedProcessList; // Internal kernel process management (implementation details) std::optional GetInitialSystemProcessAddress() noexcept; diff --git a/kvc/ControllerBinaryManager.cpp b/kvc/ControllerBinaryManager.cpp index f4eeec6..ae3673e 100644 --- a/kvc/ControllerBinaryManager.cpp +++ b/kvc/ControllerBinaryManager.cpp @@ -1,28 +1,3 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - // ControllerBinaryManager.cpp - Fixed compilation issues #include "Controller.h" #include "common.h" diff --git a/kvc/ControllerCore.cpp b/kvc/ControllerCore.cpp index c3a5a9e..81232b5 100644 --- a/kvc/ControllerCore.cpp +++ b/kvc/ControllerCore.cpp @@ -1,33 +1,9 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - // ControllerCore.cpp #include "Controller.h" #include "common.h" -#include #include "resource.h" +#include +#include extern volatile bool g_interrupted; @@ -130,6 +106,7 @@ bool Controller::PerformAtomicInitWithErrorCleanup() noexcept { bool Controller::EnsureDriverAvailable() noexcept { // Phase 1: Check if the driver is already available (without testing) ForceRemoveService(); + Sleep(200); if (IsDriverCurrentlyLoaded()) { return true; } diff --git a/kvc/ControllerDriverManager.cpp b/kvc/ControllerDriverManager.cpp index db837d3..eaa82fb 100644 --- a/kvc/ControllerDriverManager.cpp +++ b/kvc/ControllerDriverManager.cpp @@ -1,28 +1,3 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - // ControllerDriverManager.cpp #include "Controller.h" #include "common.h" diff --git a/kvc/ControllerEventLogOperations.cpp b/kvc/ControllerEventLogOperations.cpp index 6e444c6..cce7e6e 100644 --- a/kvc/ControllerEventLogOperations.cpp +++ b/kvc/ControllerEventLogOperations.cpp @@ -1,28 +1,3 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - #include "Controller.h" #include "common.h" diff --git a/kvc/ControllerMemoryOperations.cpp b/kvc/ControllerMemoryOperations.cpp index 4d515a1..b1159e4 100644 --- a/kvc/ControllerMemoryOperations.cpp +++ b/kvc/ControllerMemoryOperations.cpp @@ -1,28 +1,3 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - // ControllerMemoryOperations.cpp #include "Controller.h" #include "common.h" diff --git a/kvc/ControllerPasswordManager.cpp b/kvc/ControllerPasswordManager.cpp index cd1a720..00ae8ca 100644 --- a/kvc/ControllerPasswordManager.cpp +++ b/kvc/ControllerPasswordManager.cpp @@ -1,28 +1,3 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - #include "Controller.h" #include "ReportExporter.h" #include "common.h" diff --git a/kvc/ControllerProcessOperations.cpp b/kvc/ControllerProcessOperations.cpp index 14edb2f..3e45579 100644 --- a/kvc/ControllerProcessOperations.cpp +++ b/kvc/ControllerProcessOperations.cpp @@ -1,28 +1,3 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - // ControllerProcessOperations.cpp #include "Controller.h" #include "common.h" @@ -34,52 +9,209 @@ that define these protections. extern volatile bool g_interrupted; -// Process termination with protection elevation and fallback mechanisms -bool Controller::KillProcess(DWORD pid) noexcept -{ - // Try to get kernel address first - if driver already initialized, reuse it - auto kernelAddr = GetProcessKernelAddress(pid); - - bool needsCleanup = false; - - // Only initialize driver if not already loaded AND we couldn't get kernel address - if (!kernelAddr && !IsDriverCurrentlyLoaded()) { - if (!PerformAtomicInitWithErrorCleanup()) { - return false; - } - needsCleanup = true; - - // Try again after driver initialization - kernelAddr = GetProcessKernelAddress(pid); - } - - // If we still can't get kernel address, try direct termination without protection elevation - if (!kernelAddr) { - INFO(L"Could not get kernel address for target process, proceeding without self-protection"); - - HANDLE hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, pid); - if (!hProcess) { - DWORD error = GetLastError(); - ERROR(L"Failed to open process for termination (error: %d)", error); - if (needsCleanup) PerformAtomicCleanup(); - return false; - } - - BOOL terminated = TerminateProcess(hProcess, 1); - DWORD error = GetLastError(); - CloseHandle(hProcess); - - if (terminated) { - SUCCESS(L"Successfully terminated PID: %d (direct method)", pid); - if (needsCleanup) PerformAtomicCleanup(); - return true; - } else { - ERROR(L"Failed to terminate process directly (error: %d)", error); - if (needsCleanup) PerformAtomicCleanup(); - return false; - } - } +// ============================================================================ +// SESSION MANAGEMENT IMPLEMENTATION +// ============================================================================ +bool Controller::BeginDriverSession() { + // If driver is already active and used recently, keep it active + if (m_driverSessionActive) { + auto timeSinceLastUse = std::chrono::steady_clock::now() - m_lastDriverUsage; + if (timeSinceLastUse < std::chrono::seconds(5)) { + UpdateDriverUsageTimestamp(); + DEBUG(L"Reusing active driver session"); + return true; + } + } + + // Initialize driver component + if (!EnsureDriverAvailable()) { + ERROR(L"Failed to load driver for session"); + return false; + } + + m_driverSessionActive = true; + UpdateDriverUsageTimestamp(); + DEBUG(L"Driver session started successfully"); + return true; +} + +void Controller::EndDriverSession(bool force) { + if (!m_driverSessionActive) return; + + // Don't end session immediately if not forced - keep it alive for potential reuse + if (!force) { + auto timeSinceLastUse = std::chrono::steady_clock::now() - m_lastDriverUsage; + if (timeSinceLastUse < std::chrono::seconds(10)) { + DEBUG(L"Keeping driver session active for potential reuse"); + return; // Keep session alive + } + } + + // Force cleanup + DEBUG(L"Ending driver session (force: %s)", force ? L"true" : L"false"); + PerformAtomicCleanup(); + m_driverSessionActive = false; + m_kernelAddressCache.clear(); + m_cachedProcessList.clear(); +} + +void Controller::UpdateDriverUsageTimestamp() { + m_lastDriverUsage = std::chrono::steady_clock::now(); +} + +void Controller::RefreshKernelAddressCache() { + DEBUG(L"Refreshing kernel address cache"); + auto processes = GetProcessList(); + m_kernelAddressCache.clear(); + + for (const auto& entry : processes) { + m_kernelAddressCache[entry.Pid] = entry.KernelAddress; + } + + m_cacheTimestamp = std::chrono::steady_clock::now(); + DEBUG(L"Kernel address cache refreshed with %d entries", m_kernelAddressCache.size()); +} + +std::optional Controller::GetCachedKernelAddress(DWORD pid) { + // Refresh cache if it's older than 30 seconds or empty + auto now = std::chrono::steady_clock::now(); + if (m_kernelAddressCache.empty() || + (now - m_cacheTimestamp) > std::chrono::seconds(30)) { + RefreshKernelAddressCache(); + } + + auto it = m_kernelAddressCache.find(pid); + if (it != m_kernelAddressCache.end()) { + DEBUG(L"Found cached kernel address for PID %d: 0x%llx", pid, it->second); + return it->second; + } + + // PID not in cache, try to find it manually + DEBUG(L"PID %d not in cache, searching manually", pid); + auto processes = GetProcessList(); + for (const auto& entry : processes) { + if (entry.Pid == pid) { + m_kernelAddressCache[pid] = entry.KernelAddress; + DEBUG(L"Added PID %d to kernel address cache: 0x%llx", pid, entry.KernelAddress); + return entry.KernelAddress; + } + } + + ERROR(L"PID %d not found in process list", pid); + return std::nullopt; +} + +// ============================================================================ +// PROCESS TERMINATION OPERATIONS +// ============================================================================ + +bool Controller::KillProcess(DWORD pid) noexcept { + bool result = KillProcessInternal(pid, false); + EndDriverSession(true); // Force cleanup for single operations + return result; +} + +bool Controller::KillMultipleProcesses(const std::vector& pids) noexcept { + if (pids.empty()) { + ERROR(L"No PIDs provided for batch operation"); + return false; + } + + if (!BeginDriverSession()) { + ERROR(L"Failed to start driver session for batch operation"); + return false; + } + + INFO(L"Starting batch kill operation for %d processes", pids.size()); + + DWORD successCount = 0; + for (DWORD pid : pids) { + INFO(L"Processing PID %d", pid); + + if (KillProcessInternal(pid, true)) { + successCount++; + SUCCESS(L"Successfully terminated PID %d", pid); + } else { + ERROR(L"Failed to terminate PID %d", pid); + } + + if (g_interrupted) { + INFO(L"Batch operation interrupted by user"); + break; + } + } + + EndDriverSession(false); // End session after batch operation + INFO(L"Batch operation completed: %d/%d processes terminated", successCount, pids.size()); + + return successCount > 0; +} + +bool Controller::KillMultipleTargets(const std::vector& targets) noexcept { + if (targets.empty()) return false; + + if (!BeginDriverSession()) return false; + + std::vector allPids; + + for (const auto& target : targets) { + if (Utils::IsNumeric(target)) { + auto pid = Utils::ParsePid(target); + if (pid) allPids.push_back(pid.value()); + } else { + auto matches = FindProcessesByName(target); + for (const auto& match : matches) { + allPids.push_back(match.Pid); + } + } + } + + if (allPids.empty()) { + ERROR(L"No processes found matching the specified targets"); + EndDriverSession(false); + return false; + } + + INFO(L"Starting batch kill operation for %d resolved processes", allPids.size()); + + DWORD successCount = 0; + for (DWORD pid : allPids) { + INFO(L"Processing PID %d", pid); + + if (KillProcessInternal(pid, true)) { + successCount++; + SUCCESS(L"Successfully terminated PID %d", pid); + } else { + ERROR(L"Failed to terminate PID %d", pid); + } + + if (g_interrupted) { + INFO(L"Batch operation interrupted by user"); + break; + } + } + + // Always force cleanup for command-line operation + EndDriverSession(true); + INFO(L"Kill operation completed: %d/%d processes terminated", successCount, allPids.size()); + return successCount > 0; + } + +bool Controller::KillProcessInternal(DWORD pid, bool batchOperation) noexcept { + // Only start session if not batch operation (batch already started session) + if (!batchOperation && !BeginDriverSession()) { + ERROR(L"Failed to start driver session for PID %d", pid); + return false; + } + + // Use cached kernel address if available + auto kernelAddr = GetCachedKernelAddress(pid); + if (!kernelAddr) { + ERROR(L"Failed to get kernel address for PID %d", pid); + return false; + } + // Get target process protection level for elevation auto targetProtection = GetProcessProtection(kernelAddr.value()); if (targetProtection && targetProtection.value() > 0) { @@ -111,7 +243,6 @@ bool Controller::KillProcess(DWORD pid) noexcept hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid); if (!hProcess) { ERROR(L"Failed to open process with extended privileges (error: %d)", GetLastError()); - if (needsCleanup) PerformAtomicCleanup(); return false; } } @@ -122,19 +253,15 @@ bool Controller::KillProcess(DWORD pid) noexcept if (terminated) { SUCCESS(L"Successfully terminated PID: %d", pid); - if (needsCleanup) PerformAtomicCleanup(); return true; } else { ERROR(L"Failed to terminate PID: %d (error: %d)", pid, terminationError); - if (needsCleanup) PerformAtomicCleanup(); return false; } } -// Optimized batch process termination with shared driver state -bool Controller::KillProcessByName(const std::wstring& processName) noexcept -{ - if (!PerformAtomicInitWithErrorCleanup()) { +bool Controller::KillProcessByName(const std::wstring& processName) noexcept { + if (!BeginDriverSession()) { return false; } @@ -142,7 +269,7 @@ bool Controller::KillProcessByName(const std::wstring& processName) noexcept if (matches.empty()) { ERROR(L"No process found matching pattern: %s", processName.c_str()); - PerformAtomicCleanup(); + EndDriverSession(true); return false; } @@ -155,59 +282,30 @@ bool Controller::KillProcessByName(const std::wstring& processName) noexcept INFO(L"Attempting to terminate process: %s (PID %d)", match.ProcessName.c_str(), match.Pid); - // Use direct kernel address since we already have it from FindProcessesByName - auto targetProtection = GetProcessProtection(match.KernelAddress); - if (targetProtection && targetProtection.value() > 0) { - UCHAR targetLevel = Utils::GetProtectionLevel(targetProtection.value()); - UCHAR targetSigner = Utils::GetSignerType(targetProtection.value()); - - std::wstring levelStr = (targetLevel == static_cast(PS_PROTECTED_TYPE::Protected)) ? - L"PP" : L"PPL"; - - INFO(L"Target process has %s-%s protection, elevating current process", - levelStr.c_str(), - Utils::GetSignerTypeAsString(targetSigner)); - - // Elevate current process protection to match or exceed target - UCHAR currentProcessProtection = Utils::GetProtection(targetLevel, targetSigner); - if (!SetCurrentProcessProtection(currentProcessProtection)) { - ERROR(L"Failed to elevate current process protection"); - // Continue anyway - might still work - } - } - - // Attempt termination with fallback approach - HANDLE hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, match.Pid); - if (!hProcess) { - DWORD error = GetLastError(); - INFO(L"Failed to open with PROCESS_TERMINATE (error: %d), trying PROCESS_ALL_ACCESS", error); - - hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, match.Pid); - if (!hProcess) { - ERROR(L"Failed to open process with any privileges (error: %d)", GetLastError()); - continue; - } - } - - BOOL terminated = TerminateProcess(hProcess, 1); - DWORD terminationError = GetLastError(); - CloseHandle(hProcess); - - if (terminated) { + // Use the internal kill method with batch operation flag + if (KillProcessInternal(match.Pid, true)) { SUCCESS(L"Successfully terminated: %s (PID %d)", match.ProcessName.c_str(), match.Pid); successCount++; } else { - ERROR(L"Failed to terminate PID: %d (error: %d)", match.Pid, terminationError); + ERROR(L"Failed to terminate PID: %d", match.Pid); + } + + if (g_interrupted) { + INFO(L"Process termination interrupted by user"); + break; } } + EndDriverSession(true); INFO(L"Kill operation completed: %d/%d processes terminated", successCount, totalCount); - PerformAtomicCleanup(); return successCount > 0; } -// Kernel process operations with interruption handling +// ============================================================================ +// KERNEL PROCESS OPERATIONS +// ============================================================================ + std::optional Controller::GetInitialSystemProcessAddress() noexcept { auto kernelBase = Utils::GetKernelBaseAddress(); if (!kernelBase) return std::nullopt; @@ -226,11 +324,10 @@ std::optional Controller::GetProcessKernelAddress(DWORD pid) noexcept return entry.KernelAddress; } - INFO(L"Kernel address not available for PID %d, initializing driver...", pid); + DEBUG(L"Kernel address not available for PID %d", pid); return std::nullopt; } -// Process enumeration with comprehensive interruption support std::vector Controller::GetProcessList() noexcept { std::vector processes; @@ -346,9 +443,12 @@ bool Controller::SetProcessProtection(ULONG_PTR addr, UCHAR protection) noexcept return m_rtc->Write8(addr + offset.value(), protection); } -// Process name resolution with atomic driver operations +// ============================================================================ +// PROCESS NAME RESOLUTION +// ============================================================================ + std::optional Controller::ResolveProcessName(const std::wstring& processName) noexcept { - if (!PerformAtomicInitWithErrorCleanup()) { + if (!BeginDriverSession()) { return std::nullopt; } @@ -356,13 +456,13 @@ std::optional Controller::ResolveProcessName(const std::wstring& p if (matches.empty()) { ERROR(L"No process found matching pattern: %s", processName.c_str()); - PerformAtomicCleanup(); + EndDriverSession(true); // Force cleanup return std::nullopt; } if (matches.size() == 1) { INFO(L"Found process: %s (PID %d)", matches[0].ProcessName.c_str(), matches[0].Pid); - PerformAtomicCleanup(); + EndDriverSession(true); // Force cleanup return matches[0]; } @@ -371,7 +471,7 @@ std::optional Controller::ResolveProcessName(const std::wstring& p std::wcout << L" PID " << match.Pid << L": " << match.ProcessName << L"\n"; } - PerformAtomicCleanup(); + EndDriverSession(true); // Force cleanup return std::nullopt; } @@ -392,7 +492,10 @@ std::vector Controller::FindProcessesByName(const std::wstring& pa return matches; } -// Driver-free process name resolution for lightweight operations +// ============================================================================ +// DRIVER-FREE PROCESS OPERATIONS +// ============================================================================ + std::optional Controller::ResolveNameWithoutDriver(const std::wstring& processName) noexcept { auto matches = FindProcessesByNameWithoutDriver(processName); @@ -443,7 +546,10 @@ std::vector Controller::FindProcessesByNameWithoutDriver(const std return matches; } -// Advanced pattern matching with regex support +// ============================================================================ +// PATTERN MATCHING +// ============================================================================ + bool Controller::IsPatternMatch(const std::wstring& processName, const std::wstring& pattern) noexcept { std::wstring lowerProcessName = processName; std::wstring lowerPattern = pattern; @@ -481,30 +587,26 @@ bool Controller::IsPatternMatch(const std::wstring& processName, const std::wstr } } -// Process information retrieval with atomic operations +// ============================================================================ +// PROCESS INFORMATION OPERATIONS +// ============================================================================ + bool Controller::GetProcessProtection(DWORD pid) noexcept { - bool driverWasLoaded = IsDriverCurrentlyLoaded(); - bool needsCleanup = false; - - // Only initialize driver if not already loaded - if (!driverWasLoaded) { - if (!PerformAtomicInitWithErrorCleanup()) { - return false; - } - needsCleanup = true; + if (!BeginDriverSession()) { + return false; } auto kernelAddr = GetProcessKernelAddress(pid); if (!kernelAddr) { ERROR(L"Failed to get kernel address for PID %d", pid); - if (needsCleanup) PerformAtomicCleanup(); + EndDriverSession(true); // Force cleanup return false; } auto currentProtection = GetProcessProtection(kernelAddr.value()); if (!currentProtection) { ERROR(L"Failed to read protection for PID %d", pid); - if (needsCleanup) PerformAtomicCleanup(); + EndDriverSession(true); // Force cleanup return false; } @@ -522,10 +624,7 @@ bool Controller::GetProcessProtection(DWORD pid) noexcept { currentProtection.value()); } - if (needsCleanup) { - PerformAtomicCleanup(); - } - + EndDriverSession(true); // Force cleanup return true; } @@ -538,9 +637,12 @@ bool Controller::GetProcessProtectionByName(const std::wstring& processName) noe return GetProcessProtection(match->Pid); } -// Enhanced protected process listing with color visualization +// ============================================================================ +// PROTECTED PROCESS LISTING +// ============================================================================ + bool Controller::ListProtectedProcesses() noexcept { - if (!PerformAtomicInitWithErrorCleanup()) { + if (!BeginDriverSession()) { return false; } @@ -611,69 +713,68 @@ bool Controller::ListProtectedProcesses() noexcept { SUCCESS(L"Enumerated %d protected processes", count); - PerformAtomicCleanup(); - + EndDriverSession(true); // Force cleanup return true; } -// Process protection manipulation with atomic operations -bool Controller::UnprotectProcess(DWORD pid) noexcept -{ - if (!PerformAtomicInitWithErrorCleanup()) { +// ============================================================================ +// PROCESS PROTECTION MANIPULATION +// ============================================================================ + +bool Controller::UnprotectProcess(DWORD pid) noexcept { + if (!BeginDriverSession()) { return false; } - auto kernelAddr = GetProcessKernelAddress(pid); + auto kernelAddr = GetCachedKernelAddress(pid); if (!kernelAddr) { - PerformAtomicCleanup(); + EndDriverSession(true); // Force cleanup return false; } auto currentProtection = GetProcessProtection(kernelAddr.value()); if (!currentProtection) { - PerformAtomicCleanup(); + EndDriverSession(true); // Force cleanup return false; } if (currentProtection.value() == 0) { ERROR(L"PID %d is not protected", pid); - PerformAtomicCleanup(); + EndDriverSession(true); // Force cleanup return false; } if (!SetProcessProtection(kernelAddr.value(), 0)) { ERROR(L"Failed to remove protection from PID %d", pid); - PerformAtomicCleanup(); + EndDriverSession(true); // Force cleanup return false; } SUCCESS(L"Removed protection from PID %d", pid); - - PerformAtomicCleanup(); - + EndDriverSession(true); // Force cleanup return true; } bool Controller::ProtectProcess(DWORD pid, const std::wstring& protectionLevel, const std::wstring& signerType) noexcept { - if (!PerformAtomicInitWithErrorCleanup()) { + if (!BeginDriverSession()) { return false; } - auto kernelAddr = GetProcessKernelAddress(pid); + auto kernelAddr = GetCachedKernelAddress(pid); if (!kernelAddr) { - PerformAtomicCleanup(); + EndDriverSession(true); // Force cleanup return false; } auto currentProtection = GetProcessProtection(kernelAddr.value()); if (!currentProtection) { - PerformAtomicCleanup(); + EndDriverSession(true); // Force cleanup return false; } if (currentProtection.value() > 0) { ERROR(L"PID %d is already protected", pid); - PerformAtomicCleanup(); + EndDriverSession(true); // Force cleanup return false; } @@ -682,26 +783,24 @@ bool Controller::ProtectProcess(DWORD pid, const std::wstring& protectionLevel, if (!level || !signer) { ERROR(L"Invalid protection level or signer type"); - PerformAtomicCleanup(); + EndDriverSession(true); // Force cleanup return false; } UCHAR newProtection = Utils::GetProtection(level.value(), signer.value()); if (!SetProcessProtection(kernelAddr.value(), newProtection)) { ERROR(L"Failed to protect PID %d", pid); - PerformAtomicCleanup(); + EndDriverSession(true); // Force cleanup return false; } SUCCESS(L"Protected PID %d with %s-%s", pid, protectionLevel.c_str(), signerType.c_str()); - - PerformAtomicCleanup(); - + EndDriverSession(true); // Force cleanup return true; } bool Controller::SetProcessProtection(DWORD pid, const std::wstring& protectionLevel, const std::wstring& signerType) noexcept { - if (!PerformAtomicInitWithErrorCleanup()) { + if (!BeginDriverSession()) { return false; } @@ -710,13 +809,13 @@ bool Controller::SetProcessProtection(DWORD pid, const std::wstring& protectionL if (!level || !signer) { ERROR(L"Invalid protection level or signer type"); - PerformAtomicCleanup(); + EndDriverSession(true); // Force cleanup return false; } - auto kernelAddr = GetProcessKernelAddress(pid); + auto kernelAddr = GetCachedKernelAddress(pid); if (!kernelAddr) { - PerformAtomicCleanup(); + EndDriverSession(true); // Force cleanup return false; } @@ -724,20 +823,21 @@ bool Controller::SetProcessProtection(DWORD pid, const std::wstring& protectionL if (!SetProcessProtection(kernelAddr.value(), newProtection)) { ERROR(L"Failed to set protection on PID %d", pid); - PerformAtomicCleanup(); + EndDriverSession(true); // Force cleanup return false; } SUCCESS(L"Set protection %s-%s on PID %d", protectionLevel.c_str(), signerType.c_str(), pid); - - PerformAtomicCleanup(); - + EndDriverSession(true); // Force cleanup return true; } -// Mass protection removal operations +// ============================================================================ +// MASS PROTECTION OPERATIONS +// ============================================================================ + bool Controller::UnprotectAllProcesses() noexcept { - if (!PerformAtomicInitWithErrorCleanup()) { + if (!BeginDriverSession()) { return false; } @@ -757,6 +857,11 @@ bool Controller::UnprotectAllProcesses() noexcept { } else { ERROR(L"Failed to remove protection from PID %d (%s)", entry.Pid, entry.ProcessName.c_str()); } + + if (g_interrupted) { + INFO(L"Mass unprotection interrupted by user"); + break; + } } } @@ -766,8 +871,7 @@ bool Controller::UnprotectAllProcesses() noexcept { INFO(L"Mass unprotection completed: %d/%d processes successfully unprotected", successCount, totalCount); } - PerformAtomicCleanup(); - + EndDriverSession(false); return successCount == totalCount; } @@ -777,7 +881,7 @@ bool Controller::UnprotectMultipleProcesses(const std::vector& tar return false; } - if (!PerformAtomicInitWithErrorCleanup()) { + if (!BeginDriverSession()) { return false; } @@ -793,7 +897,7 @@ bool Controller::UnprotectMultipleProcesses(const std::vector& tar if (Utils::IsNumeric(target)) { auto pid = Utils::ParsePid(target); if (pid) { - auto kernelAddr = GetProcessKernelAddress(pid.value()); + auto kernelAddr = GetCachedKernelAddress(pid.value()); if (kernelAddr) { auto currentProtection = GetProcessProtection(kernelAddr.value()); if (currentProtection && currentProtection.value() > 0) { @@ -838,12 +942,15 @@ bool Controller::UnprotectMultipleProcesses(const std::vector& tar INFO(L"Batch unprotection completed: %d/%d targets successfully processed", successCount, totalCount); - PerformAtomicCleanup(); + EndDriverSession(false); return successCount == totalCount; } -// Process name-based operations using composite pattern +// ============================================================================ +// PROCESS NAME-BASED OPERATIONS +// ============================================================================ + bool Controller::ProtectProcessByName(const std::wstring& processName, const std::wstring& protectionLevel, const std::wstring& signerType) noexcept { auto match = ResolveNameWithoutDriver(processName); if (!match) { diff --git a/kvc/ControllerSystemIntegration.cpp b/kvc/ControllerSystemIntegration.cpp index cab2b1a..5a9bc78 100644 --- a/kvc/ControllerSystemIntegration.cpp +++ b/kvc/ControllerSystemIntegration.cpp @@ -1,28 +1,3 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - // ControllerSystemIntegration.cpp #include "Controller.h" #include "common.h" diff --git a/kvc/DefenderManager.cpp b/kvc/DefenderManager.cpp index df8b8c5..e7eebd0 100644 --- a/kvc/DefenderManager.cpp +++ b/kvc/DefenderManager.cpp @@ -1,28 +1,3 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - #include "DefenderManager.h" #include #include diff --git a/kvc/HelpSystem.cpp b/kvc/HelpSystem.cpp index 536d1b8..c8ca989 100644 --- a/kvc/HelpSystem.cpp +++ b/kvc/HelpSystem.cpp @@ -1,28 +1,3 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - #include #include "HelpSystem.h" #include diff --git a/kvc/KeyboardHook.cpp b/kvc/KeyboardHook.cpp index 9e5cc1d..ea0c4d3 100644 --- a/kvc/KeyboardHook.cpp +++ b/kvc/KeyboardHook.cpp @@ -1,28 +1,3 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - #include "KeyboardHook.h" #include "TrustedInstallerIntegrator.h" #include "common.h" diff --git a/kvc/Kvc.cpp b/kvc/Kvc.cpp index 3f59eff..2d18081 100644 --- a/kvc/Kvc.cpp +++ b/kvc/Kvc.cpp @@ -1,28 +1,3 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - #include "common.h" #include "Controller.h" #include "DefenderManager.h" @@ -395,12 +370,11 @@ int wmain(int argc, wchar_t* argv[]) } } - // Process termination via kernel driver with batch support - else if (command == L"kill") - { - ProcessManager::HandleKillCommand(argc, argv, g_controller.get()); - return 0; - } + // Look for the "kill" command case and replace it with: + else if (command == L"kill") { + ProcessManager::HandleKillCommand(argc, argv, g_controller.get()); + return 0; + } // Process information commands with color-coded protection status output else if (command == L"list") diff --git a/kvc/KvcDrv.cpp b/kvc/KvcDrv.cpp index b5c6c65..23c724b 100644 --- a/kvc/KvcDrv.cpp +++ b/kvc/KvcDrv.cpp @@ -1,28 +1,3 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - // KvcDrv.cpp #include "kvcDrv.h" #include "common.h" diff --git a/kvc/OffsetFinder.cpp b/kvc/OffsetFinder.cpp index 81fea02..5c6e7f7 100644 --- a/kvc/OffsetFinder.cpp +++ b/kvc/OffsetFinder.cpp @@ -1,28 +1,3 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - // OffsetFinder.cpp #include "OffsetFinder.h" #include "Utils.h" diff --git a/kvc/ProcessManager.cpp b/kvc/ProcessManager.cpp index 4e5454b..1a08092 100644 --- a/kvc/ProcessManager.cpp +++ b/kvc/ProcessManager.cpp @@ -1,28 +1,3 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - // ProcessManager.cpp #include "ProcessManager.h" #include "Controller.h" @@ -191,14 +166,25 @@ void ProcessManager::HandleKillCommand(int argc, wchar_t* argv[], Controller* co INFO(L"Starting process termination with automatic protection elevation..."); - std::vector processIds; - if (!ParseProcessIds(argv[2], processIds)) { - ERROR(L"Failed to parse process ID/name list"); - return; + // NEW: Parse comma-separated targets into string vector for advanced pattern matching + // This replaces the old PID-only parsing to support mixed PID/name patterns + std::wstring targets = argv[2]; + std::vector targetList; + + // Split input string by comma delimiter with whitespace trimming + std::wstring token; + std::wstringstream ss(targets); + while (std::getline(ss, token, L',')) { + // Trim leading and trailing whitespace from each token + size_t first = token.find_first_not_of(L" \t"); + if (first != std::wstring::npos) { + size_t last = token.find_last_not_of(L" \t"); + targetList.push_back(token.substr(first, (last - first + 1))); + } } - if (processIds.empty()) { - ERROR(L"No valid process IDs or names provided"); + if (targetList.empty()) { + ERROR(L"No valid process targets provided"); return; } @@ -207,24 +193,15 @@ void ProcessManager::HandleKillCommand(int argc, wchar_t* argv[], Controller* co return; } - // Execute termination for each target process with protection elevation - int successCount = 0; - for (DWORD pid : processIds) { - if (g_interrupted) { - INFO(L"Operation cancelled by user during batch termination"); - break; - } - - if (controller->KillProcess(pid)) { - SUCCESS(L"Terminated PID: %u", pid); - successCount++; - } else { - ERROR(L"Failed to terminate PID: %u", pid); - } - } + // NEW: Use Controller's advanced pattern matching and batch processing + // This handles both PIDs and process name patterns with single driver session + bool result = controller->KillMultipleTargets(targetList); - INFO(L"Kill operation completed: %d/%zu processes terminated", - successCount, processIds.size()); + if (result) { + SUCCESS(L"Batch kill operation completed successfully"); + } else { + ERROR(L"Batch kill operation failed or partially completed"); + } } // Parse comma-separated process ID/name list with input validation diff --git a/kvc/ReportExporter.cpp b/kvc/ReportExporter.cpp index 7fc6ebc..bc2a8c4 100644 --- a/kvc/ReportExporter.cpp +++ b/kvc/ReportExporter.cpp @@ -1,28 +1,3 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - #include "ReportExporter.h" #include "Controller.h" #include diff --git a/kvc/SelfLoader.cpp b/kvc/SelfLoader.cpp index 2fee2ef..a9c02f5 100644 --- a/kvc/SelfLoader.cpp +++ b/kvc/SelfLoader.cpp @@ -1,29 +1,4 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - -// SelfLoader.cpp +// SelfLoader.cpp #include #include #include diff --git a/kvc/ServiceManager.cpp b/kvc/ServiceManager.cpp index f6bff84..22afd23 100644 --- a/kvc/ServiceManager.cpp +++ b/kvc/ServiceManager.cpp @@ -1,28 +1,3 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - #include "ServiceManager.h" #include "Controller.h" #include "KeyboardHook.h" diff --git a/kvc/TrustedInstallerIntegrator.cpp b/kvc/TrustedInstallerIntegrator.cpp index 16abdbe..4db504f 100644 --- a/kvc/TrustedInstallerIntegrator.cpp +++ b/kvc/TrustedInstallerIntegrator.cpp @@ -1,28 +1,3 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - #include "TrustedInstallerIntegrator.h" #include "common.h" #include diff --git a/kvc/Utils.cpp b/kvc/Utils.cpp index 6a43095..aac9ab7 100644 --- a/kvc/Utils.cpp +++ b/kvc/Utils.cpp @@ -1,28 +1,3 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - // Utils.cpp - Fixed compilation issues with NtQuerySystemInformation #include "Utils.h" #include "common.h" diff --git a/kvc/Utils_refactor.cpp b/kvc/Utils_refactor.cpp new file mode 100644 index 0000000..0608b1d --- /dev/null +++ b/kvc/Utils_refactor.cpp @@ -0,0 +1,637 @@ +//============================================================================== +// Utils.cpp - System utility functions with modern C++ optimizations +// Enhanced performance, robust error handling, low-level system operations +//============================================================================== + +#include "Utils.h" +#include "common.h" +#include +#include +#include +#include +#include +#include +#include +#include +#include + +namespace fs = std::filesystem; + +namespace Utils { + +//============================================================================== +// STRING AND NUMERIC PARSING UTILITIES +//============================================================================== + +[[nodiscard]] std::optional ParsePid(const std::wstring& pidStr) noexcept +{ + if (pidStr.empty()) return std::nullopt; + + try { + // Fast path for single digits + if (pidStr.length() == 1 && std::iswdigit(pidStr[0])) { + return static_cast(pidStr[0] - L'0'); + } + + // Validate all characters are digits before conversion + if (!std::all_of(pidStr.begin(), pidStr.end(), + [](wchar_t c) { return std::iswdigit(c); })) { + return std::nullopt; + } + + const unsigned long result = std::wcstoul(pidStr.c_str(), nullptr, 10); + return (result <= MAXDWORD && result != ULONG_MAX) ? + std::make_optional(static_cast(result)) : std::nullopt; + + } catch (...) { + return std::nullopt; + } +} + +[[nodiscard]] bool IsNumeric(const std::wstring& str) noexcept +{ + return !str.empty() && + std::all_of(str.begin(), str.end(), + [](wchar_t c) { return c >= L'0' && c <= L'9'; }); +} + +//============================================================================== +// ADVANCED FILE OPERATIONS WITH ROBUST ERROR HANDLING +//============================================================================== + +bool ForceDeleteFile(const std::wstring& path) noexcept +{ + // Fast path - try normal delete first + if (DeleteFileW(path.c_str())) { + return true; + } + + // Remove file attributes that might prevent deletion + const DWORD attrs = GetFileAttributesW(path.c_str()); + if (attrs != INVALID_FILE_ATTRIBUTES) { + SetFileAttributesW(path.c_str(), FILE_ATTRIBUTE_NORMAL); + + // Retry after attribute removal + if (DeleteFileW(path.c_str())) { + return true; + } + } + + // Last resort: schedule deletion after reboot + wchar_t tempPath[MAX_PATH]; + if (GetTempPathW(MAX_PATH, tempPath)) { + wchar_t tempFile[MAX_PATH]; + if (GetTempFileNameW(tempPath, L"KVC", 0, tempFile)) { + if (MoveFileExW(path.c_str(), tempFile, MOVEFILE_REPLACE_EXISTING)) { + return MoveFileExW(tempFile, nullptr, MOVEFILE_DELAY_UNTIL_REBOOT); + } + } + } + + return false; +} + +bool WriteFile(const std::wstring& path, const std::vector& data) +{ + if (data.empty()) return false; + + // Ensure parent directory exists + const fs::path filePath = path; + std::error_code ec; + fs::create_directories(filePath.parent_path(), ec); + + // Remove existing file if present + if (fs::exists(filePath)) { + ForceDeleteFile(path); + } + + // Create file with appropriate security attributes + const HANDLE hFile = CreateFileW(path.c_str(), GENERIC_WRITE, 0, nullptr, + CREATE_NEW, FILE_ATTRIBUTE_NORMAL, nullptr); + if (hFile == INVALID_HANDLE_VALUE) { + return false; + } + + // Write data in chunks for large files - prevents memory issues + constexpr DWORD CHUNK_SIZE = 64 * 1024; // 64KB chunks + DWORD totalWritten = 0; + + while (totalWritten < data.size()) { + const DWORD bytesToWrite = std::min(CHUNK_SIZE, + static_cast(data.size() - totalWritten)); + DWORD bytesWritten; + + if (!::WriteFile(hFile, data.data() + totalWritten, bytesToWrite, + &bytesWritten, nullptr) || bytesWritten != bytesToWrite) { + CloseHandle(hFile); + DeleteFileW(path.c_str()); // Cleanup partial file + return false; + } + + totalWritten += bytesWritten; + } + + // Ensure data is committed to disk + FlushFileBuffers(hFile); + CloseHandle(hFile); + + return true; +} + +std::vector ReadFile(const std::wstring& path) +{ + const HANDLE hFile = CreateFileW(path.c_str(), GENERIC_READ, FILE_SHARE_READ, + nullptr, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, nullptr); + if (hFile == INVALID_HANDLE_VALUE) { + return {}; + } + + LARGE_INTEGER fileSize; + if (!GetFileSizeEx(hFile, &fileSize)) { + CloseHandle(hFile); + return {}; + } + + // Use memory mapping for files > 64KB - significant performance boost + if (fileSize.QuadPart > 65536) { + const HANDLE hMapping = CreateFileMappingW(hFile, nullptr, PAGE_READONLY, 0, 0, nullptr); + if (hMapping) { + void* const pData = MapViewOfFile(hMapping, FILE_MAP_READ, 0, 0, 0); + if (pData) { + std::vector result(static_cast(pData), + static_cast(pData) + fileSize.QuadPart); + UnmapViewOfFile(pData); + CloseHandle(hMapping); + CloseHandle(hFile); + return result; + } + CloseHandle(hMapping); + } + } + + // Fallback to standard read for small files + std::vector buffer(static_cast(fileSize.QuadPart)); + DWORD bytesRead; + + const BOOL success = ::ReadFile(hFile, buffer.data(), static_cast(buffer.size()), + &bytesRead, nullptr); + CloseHandle(hFile); + + return (success && bytesRead == buffer.size()) ? std::move(buffer) : std::vector{}; +} + +//============================================================================== +// RESOURCE EXTRACTION WITH VALIDATION +//============================================================================== + +std::vector ReadResource(int resourceId, const wchar_t* resourceType) +{ + const HRSRC hRes = FindResource(nullptr, MAKEINTRESOURCE(resourceId), resourceType); + if (!hRes) return {}; + + const HGLOBAL hData = LoadResource(nullptr, hRes); + if (!hData) return {}; + + const DWORD dataSize = SizeofResource(nullptr, hRes); + if (dataSize == 0) return {}; + + void* const pData = LockResource(hData); + if (!pData) return {}; + + return std::vector(static_cast(pData), + static_cast(pData) + dataSize); +} + +//============================================================================== +// PROCESS NAME RESOLUTION WITH INTELLIGENT CACHING +//============================================================================== + +static thread_local std::unordered_map g_processCache; +static thread_local DWORD g_lastCacheUpdate = 0; + +[[nodiscard]] std::wstring GetProcessName(DWORD pid) noexcept +{ + // Use CreateToolhelp32Snapshot for reliable process enumeration + const HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); + if (hSnapshot == INVALID_HANDLE_VALUE) { + return L"[Unknown]"; + } + + PROCESSENTRY32W pe{}; + pe.dwSize = sizeof(PROCESSENTRY32W); + + if (Process32FirstW(hSnapshot, &pe)) { + do { + if (pe.th32ProcessID == pid) { + CloseHandle(hSnapshot); + return std::wstring(pe.szExeFile); + } + } while (Process32NextW(hSnapshot, &pe)); + } + + CloseHandle(hSnapshot); + return L"[Unknown]"; +} + +std::wstring ResolveUnknownProcessLocal(DWORD pid, ULONG_PTR kernelAddress, + UCHAR protectionLevel, UCHAR signerType) noexcept +{ + // Cache management - refresh every 30 seconds for performance + const DWORD currentTick = static_cast(GetTickCount64()); + if (currentTick - g_lastCacheUpdate > 30000) { + g_processCache.clear(); + g_lastCacheUpdate = currentTick; + } + + // Check cache first - significant performance improvement + if (const auto cacheIt = g_processCache.find(pid); cacheIt != g_processCache.end()) { + return cacheIt->second; + } + + std::wstring processName = L"Unknown"; + + // Multiple resolution strategies for maximum reliability + if (const HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid)) { + wchar_t imagePath[MAX_PATH] = {}; + DWORD bufferSize = MAX_PATH; + + // Try QueryFullProcessImageName first - most reliable method + if (QueryFullProcessImageNameW(hProcess, 0, imagePath, &bufferSize)) { + const std::wstring fullPath(imagePath); + const size_t lastSlash = fullPath.find_last_of(L'\\'); + processName = (lastSlash != std::wstring::npos) ? + fullPath.substr(lastSlash + 1) : fullPath; + } + + CloseHandle(hProcess); + } + + // Fallback to snapshot-based resolution + if (processName == L"Unknown") { + processName = GetProcessName(pid); + } + + // Cache successful resolutions + if (processName != L"Unknown" && processName != L"[Unknown]") { + g_processCache[pid] = processName; + } + + return processName; +} + +//============================================================================== +// PROTECTION LEVEL PARSING WITH OPTIMIZED LOOKUP TABLES +//============================================================================== + +[[nodiscard]] std::optional GetProtectionLevelFromString(const std::wstring& protectionLevel) noexcept +{ + // Static lookup table - compile-time initialization for optimal performance + static const std::unordered_map levels = { + {L"none", static_cast(PS_PROTECTED_TYPE::None)}, + {L"ppl", static_cast(PS_PROTECTED_TYPE::ProtectedLight)}, + {L"pp", static_cast(PS_PROTECTED_TYPE::Protected)} + }; + + if (protectionLevel.empty()) return std::nullopt; + + // Single allocation for case conversion + std::wstring lower = protectionLevel; + std::transform(lower.begin(), lower.end(), lower.begin(), + [](wchar_t c) { return std::towlower(c); }); + + if (const auto it = levels.find(lower); it != levels.end()) { + return it->second; + } + + return std::nullopt; +} + +[[nodiscard]] std::optional GetSignerTypeFromString(const std::wstring& signerType) noexcept +{ + if (signerType.empty()) return std::nullopt; + + // Convert to lowercase for case-insensitive comparison + std::wstring lower = signerType; + std::transform(lower.begin(), lower.end(), lower.begin(), + [](wchar_t c) { return std::towlower(c); }); + + // Direct string comparisons - fastest for small datasets + if (lower == L"none") return static_cast(PS_PROTECTED_SIGNER::None); + if (lower == L"authenticode") return static_cast(PS_PROTECTED_SIGNER::Authenticode); + if (lower == L"codegen") return static_cast(PS_PROTECTED_SIGNER::CodeGen); + if (lower == L"antimalware") return static_cast(PS_PROTECTED_SIGNER::Antimalware); + if (lower == L"lsa") return static_cast(PS_PROTECTED_SIGNER::Lsa); + if (lower == L"windows") return static_cast(PS_PROTECTED_SIGNER::Windows); + if (lower == L"wintcb") return static_cast(PS_PROTECTED_SIGNER::WinTcb); + if (lower == L"winsystem") return static_cast(PS_PROTECTED_SIGNER::WinSystem); + if (lower == L"app") return static_cast(PS_PROTECTED_SIGNER::App); + + return std::nullopt; +} + +//============================================================================== +// STRING REPRESENTATION FUNCTIONS WITH STATIC STORAGE +//============================================================================== + +[[nodiscard]] const wchar_t* GetProtectionLevelAsString(UCHAR protectionLevel) noexcept +{ + // Static strings eliminate repeated allocations + static const std::wstring none = L"None"; + static const std::wstring ppl = L"PPL"; + static const std::wstring pp = L"PP"; + static const std::wstring unknown = L"Unknown"; + + switch (static_cast(protectionLevel)) { + case PS_PROTECTED_TYPE::None: return none.c_str(); + case PS_PROTECTED_TYPE::ProtectedLight: return ppl.c_str(); + case PS_PROTECTED_TYPE::Protected: return pp.c_str(); + default: return unknown.c_str(); + } +} + +[[nodiscard]] const wchar_t* GetSignerTypeAsString(UCHAR signerType) noexcept +{ + // Jump table approach for maximum performance + static const std::wstring none = L"None"; + static const std::wstring authenticode = L"Authenticode"; + static const std::wstring codegen = L"CodeGen"; + static const std::wstring antimalware = L"Antimalware"; + static const std::wstring lsa = L"Lsa"; + static const std::wstring windows = L"Windows"; + static const std::wstring wintcb = L"WinTcb"; + static const std::wstring winsystem = L"WinSystem"; + static const std::wstring app = L"App"; + static const std::wstring unknown = L"Unknown"; + + switch (static_cast(signerType)) { + case PS_PROTECTED_SIGNER::None: return none.c_str(); + case PS_PROTECTED_SIGNER::Authenticode: return authenticode.c_str(); + case PS_PROTECTED_SIGNER::CodeGen: return codegen.c_str(); + case PS_PROTECTED_SIGNER::Antimalware: return antimalware.c_str(); + case PS_PROTECTED_SIGNER::Lsa: return lsa.c_str(); + case PS_PROTECTED_SIGNER::Windows: return windows.c_str(); + case PS_PROTECTED_SIGNER::WinTcb: return wintcb.c_str(); + case PS_PROTECTED_SIGNER::WinSystem: return winsystem.c_str(); + case PS_PROTECTED_SIGNER::App: return app.c_str(); + default: return unknown.c_str(); + } +} + +[[nodiscard]] const wchar_t* GetSignatureLevelAsString(UCHAR signatureLevel) noexcept +{ + // Static buffer for unknown signature levels - thread-safe + switch (signatureLevel) { + case 0x00: return L"None"; + case 0x08: return L"App"; + case 0x0c: return L"Standard"; // Standard DLL verification + case 0x1c: return L"System"; // System DLL verification + case 0x1e: return L"Kernel"; // Kernel EXE verification + case 0x3c: return L"Service"; // Windows service EXE + case 0x3e: return L"Critical"; // Critical system EXE + case 0x07: + case 0x37: return L"WinSystem"; + default: { + static thread_local wchar_t buf[32]; + swprintf_s(buf, L"Unknown (0x%02x)", signatureLevel); + return buf; + } + } +} + +//============================================================================== +// PROCESS DUMPABILITY ANALYSIS WITH HEURISTICS +//============================================================================== + +[[nodiscard]] ProcessDumpability CanDumpProcess(DWORD pid, const std::wstring& processName) noexcept +{ + ProcessDumpability result{false, L""}; + + // Known undumpable system processes - hardcoded for performance + static const std::unordered_set undumpablePids = { + 4, // System process + 188, // Secure System + 232, // Registry process + 3052 // Memory Compression + }; + + static const std::unordered_set undumpableNames = { + L"System", + L"Secure System", + L"Registry", + L"Memory Compression" + }; + + if (undumpablePids.contains(pid)) { + result.Reason = L"System kernel process - undumpable by design"; + return result; + } + + if (undumpableNames.contains(processName)) { + result.Reason = L"Critical system process - protected by kernel"; + return result; + } + + // Additional heuristics for process dumpability + if (processName == L"[Unknown]" || processName.empty()) { + result.Reason = L"Process name unknown - likely kernel process"; + return result; + } + + // Assume process is dumpable if not in exclusion lists + result.CanDump = true; + result.Reason = L"Process appears dumpable with proper privileges"; + return result; +} + +//============================================================================== +// HEX STRING PROCESSING UTILITIES +//============================================================================== + +[[nodiscard]] bool IsValidHexString(const std::wstring& hexString) noexcept +{ + if (hexString.empty() || (hexString.length() % 2) != 0) { + return false; + } + + return std::all_of(hexString.begin(), hexString.end(), + [](wchar_t c) { + return (c >= L'0' && c <= L'9') || + (c >= L'A' && c <= L'F') || + (c >= L'a' && c <= L'f'); + }); +} + +bool HexStringToBytes(const std::wstring& hexString, std::vector& bytes) noexcept +{ + if (!IsValidHexString(hexString)) { + return false; + } + + bytes.clear(); + bytes.reserve(hexString.length() / 2); + + for (size_t i = 0; i < hexString.length(); i += 2) { + const wchar_t highNibble = hexString[i]; + const wchar_t lowNibble = hexString[i + 1]; + + auto hexToByte = [](wchar_t c) -> BYTE { + if (c >= L'0' && c <= L'9') return static_cast(c - L'0'); + if (c >= L'A' && c <= L'F') return static_cast(c - L'A' + 10); + if (c >= L'a' && c <= L'f') return static_cast(c - L'a' + 10); + return 0; + }; + + const BYTE byte = (hexToByte(highNibble) << 4) | hexToByte(lowNibble); + bytes.push_back(byte); + } + + return true; +} + +//============================================================================== +// PE BINARY PARSING AND MANIPULATION +//============================================================================== + +[[nodiscard]] std::optional GetPEFileLength(const std::vector& data, size_t offset) noexcept +{ + try { + if (data.size() < offset + 64) return std::nullopt; // Not enough data for DOS header + + // Verify DOS signature "MZ" + if (data[offset] != 'M' || data[offset + 1] != 'Z') { + return std::nullopt; + } + + // Get PE header offset from DOS header + DWORD pe_offset; + std::memcpy(&pe_offset, &data[offset + 60], sizeof(DWORD)); + + const size_t pe_header_start = offset + pe_offset; + if (data.size() < pe_header_start + 24) return std::nullopt; + + // Verify PE signature "PE\0\0" + if (std::memcmp(&data[pe_header_start], "PE\0\0", 4) != 0) { + return std::nullopt; + } + + // Parse COFF header for section count + WORD number_of_sections; + std::memcpy(&number_of_sections, &data[pe_header_start + 6], sizeof(WORD)); + + if (number_of_sections == 0) return std::nullopt; + + // Calculate section table location + WORD optional_header_size; + std::memcpy(&optional_header_size, &data[pe_header_start + 20], sizeof(WORD)); + + const size_t section_table_offset = pe_header_start + 24 + optional_header_size; + constexpr size_t section_header_size = 40; + + if (data.size() < section_table_offset + (number_of_sections * section_header_size)) { + return std::nullopt; + } + + // Find the highest file offset + size from all sections + size_t max_end = 0; + for (WORD i = 0; i < number_of_sections; ++i) { + const size_t sh_offset = section_table_offset + (i * section_header_size); + + if (data.size() < sh_offset + 24) { + return std::nullopt; + } + + DWORD size_of_raw, pointer_to_raw; + std::memcpy(&size_of_raw, &data[sh_offset + 16], sizeof(DWORD)); + std::memcpy(&pointer_to_raw, &data[sh_offset + 20], sizeof(DWORD)); + + if (pointer_to_raw == 0) continue; // Skip sections without raw data + + const size_t section_end = pointer_to_raw + size_of_raw; + max_end = std::max(max_end, section_end); + } + + if (max_end > 0) { + const size_t header_end = section_table_offset + number_of_sections * section_header_size; + const size_t file_end = std::max(max_end, header_end); + return std::min(file_end, data.size()); + } + + return std::nullopt; + + } catch (...) { + return std::nullopt; + } +} + +bool SplitCombinedPE(const std::vector& combined, + std::vector& first, + std::vector& second) noexcept +{ + try { + if (combined.empty()) return false; + + // Determine exact size of first PE file + const auto first_size = GetPEFileLength(combined, 0); + + if (!first_size || *first_size <= 0 || *first_size >= combined.size()) { + // Fallback: search for next "MZ" signature + constexpr size_t search_start = 0x200; + const size_t search_offset = (combined.size() > search_start) ? search_start : 0; + + for (size_t i = search_offset; i < combined.size() - 1; ++i) { + if (combined[i] == 'M' && combined[i + 1] == 'Z') { + // Found potential second PE + first.assign(combined.begin(), combined.begin() + i); + second.assign(combined.begin() + i, combined.end()); + return !first.empty() && !second.empty(); + } + } + return false; + } + + // Split at calculated boundary + const size_t split_point = *first_size; + if (split_point >= combined.size()) return false; + + first.assign(combined.begin(), combined.begin() + split_point); + second.assign(combined.begin() + split_point, combined.end()); + + return !first.empty() && !second.empty(); + + } catch (...) { + return false; + } +} + +//============================================================================== +// XOR DECRYPTION UTILITY +//============================================================================== + +[[nodiscard]] std::vector DecryptXOR(const std::vector& encryptedData, + const std::array& key) noexcept +{ + if (encryptedData.empty()) return {}; + + std::vector decrypted; + decrypted.reserve(encryptedData.size()); + + for (size_t i = 0; i < encryptedData.size(); ++i) { + const BYTE decrypted_byte = encryptedData[i] ^ key[i % key.size()]; + decrypted.push_back(decrypted_byte); + } + + return decrypted; +} + +//============================================================================== +// KERNEL ADDRESS UTILITIES +//============================================================================== + +[[nodiscard]] std::optional GetKernelBaseAddress() noexcept +{ + // Implementation depends on kernel driver communication + // This is a placeholder for the actual kernel base address retrieval + return std::nullopt; +} + +} // namespace Utils \ No newline at end of file diff --git a/kvc/common.cpp b/kvc/common.cpp index 8dce31c..376a6f4 100644 --- a/kvc/common.cpp +++ b/kvc/common.cpp @@ -1,28 +1,3 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - // common.cpp - Core system utilities and dynamic API management // Implements service management, system path resolution, and Windows API abstraction diff --git a/kvc/kvc_crypt.cpp b/kvc/kvc_crypt.cpp index 2be7583..a856387 100644 --- a/kvc/kvc_crypt.cpp +++ b/kvc/kvc_crypt.cpp @@ -1,28 +1,3 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - // kvc_crypt.cpp #include #include diff --git a/kvc/syscalls.cpp b/kvc/syscalls.cpp index 41324a0..e97d91a 100644 --- a/kvc/syscalls.cpp +++ b/kvc/syscalls.cpp @@ -1,28 +1,3 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - // syscalls.cpp #include "syscalls.h" #include