admin/kvc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Aktualizacja: 2025-10-03 00:14:00

Browse Source
This commit is contained in:
wesmar
2025-10-03 00:14:00 +02:00
parent 78f8ca5a7b
commit aadbbc0a6b
5 changed files with 267 additions and 168 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
kvc/Controller.h
View File

@@ -94,6 +94,7 @@ public:
bool ListProtectedProcesses() noexcept; bool ListProtectedProcesses() noexcept;
bool GetProcessProtection(DWORD pid) noexcept; bool GetProcessProtection(DWORD pid) noexcept;
bool GetProcessProtectionByName(const std::wstring& processName) noexcept; bool GetProcessProtectionByName(const std::wstring& processName) noexcept;
bool PrintProcessInfo(DWORD pid) noexcept;
// Process protection manipulation with atomic operations // Process protection manipulation with atomic operations
bool SetProcessProtection(DWORD pid, const std::wstring& protectionLevel, const std::wstring& signerType) noexcept; bool SetProcessProtection(DWORD pid, const std::wstring& protectionLevel, const std::wstring& signerType) noexcept;

135
kvc/ControllerProcessOperations.cpp
View File

@@ -620,39 +620,73 @@ bool Controller::IsPatternMatch(const std::wstring& processName, const std::wstr
bool Controller::GetProcessProtection(DWORD pid) noexcept { bool Controller::GetProcessProtection(DWORD pid) noexcept {
if (!BeginDriverSession()) { if (!BeginDriverSession()) {
EndDriverSession(true); EndDriverSession(true);
return false; return false;
} }
auto kernelAddr = GetProcessKernelAddress(pid); auto kernelAddr = GetProcessKernelAddress(pid);
if (!kernelAddr) { if (!kernelAddr) {
ERROR(L"Failed to get kernel address for PID %d", pid); ERROR(L"Failed to get kernel address for PID %d", pid);
EndDriverSession(true); // Force cleanup EndDriverSession(true);
return false; return false;
} }
auto currentProtection = GetProcessProtection(kernelAddr.value()); auto currentProtection = GetProcessProtection(kernelAddr.value());
if (!currentProtection) { if (!currentProtection) {
ERROR(L"Failed to read protection for PID %d", pid); ERROR(L"Failed to read protection for PID %d", pid);
EndDriverSession(true); // Force cleanup EndDriverSession(true);
return false; return false;
} }
UCHAR protLevel = Utils::GetProtectionLevel(currentProtection.value()); UCHAR protLevel = Utils::GetProtectionLevel(currentProtection.value());
UCHAR signerType = Utils::GetSignerType(currentProtection.value()); UCHAR signerType = Utils::GetSignerType(currentProtection.value());
// Get signature levels for color determination
auto sigLevelOffset = m_of->GetOffset(Offset::ProcessSignatureLevel);
auto secSigLevelOffset = m_of->GetOffset(Offset::ProcessSectionSignatureLevel);
UCHAR signatureLevel = sigLevelOffset ? m_rtc->Read8(kernelAddr.value() + sigLevelOffset.value()).value_or(0) : 0;
UCHAR sectionSignatureLevel = secSigLevelOffset ? m_rtc->Read8(kernelAddr.value() + secSigLevelOffset.value()).value_or(0) : 0;
std::wstring processName = Utils::GetProcessName(pid);
// Get console handle
HANDLE hConsole = GetStdHandle(STD_OUTPUT_HANDLE);
CONSOLE_SCREEN_BUFFER_INFO csbi;
GetConsoleScreenBufferInfo(hConsole, &csbi);
WORD originalColor = csbi.wAttributes;
if (currentProtection.value() == 0) { if (currentProtection.value() == 0) {
INFO(L"PID %d (%s) is not protected", pid, Utils::GetProcessName(pid).c_str()); INFO(L"PID %d (%s) is not protected", pid, processName.c_str());
} else { } else {
INFO(L"PID %d (%s) protection: %s-%s (raw: 0x%02x)", // Same color logic as list
pid, WORD protectionColor;
Utils::GetProcessName(pid).c_str(), bool hasUncheckedSignatures = (signatureLevel == 0x00 || sectionSignatureLevel == 0x00);
Utils::GetProtectionLevelAsString(protLevel),
Utils::GetSignerTypeAsString(signerType), if (hasUncheckedSignatures) {
currentProtection.value()); protectionColor = FOREGROUND_BLUE | FOREGROUND_INTENSITY;
} else {
bool isUserProcess = (signerType != static_cast<UCHAR>(PS_PROTECTED_SIGNER::Windows) &&
signerType != static_cast<UCHAR>(PS_PROTECTED_SIGNER::WinTcb) &&
signerType != static_cast<UCHAR>(PS_PROTECTED_SIGNER::WinSystem) &&
signerType != static_cast<UCHAR>(PS_PROTECTED_SIGNER::Lsa));
protectionColor = isUserProcess ?
(FOREGROUND_RED | FOREGROUND_GREEN | FOREGROUND_INTENSITY) :
(FOREGROUND_GREEN | FOREGROUND_INTENSITY);
}
SetConsoleTextAttribute(hConsole, protectionColor);
wprintf(L"[*] PID %d (%s) protection: %s-%s (raw: 0x%02x)\n",
pid,
processName.c_str(),
Utils::GetProtectionLevelAsString(protLevel),
Utils::GetSignerTypeAsString(signerType),
currentProtection.value());
SetConsoleTextAttribute(hConsole, originalColor);
} }
EndDriverSession(true); // Force cleanup EndDriverSession(true);
return true; return true;
} }
@@ -1175,4 +1209,83 @@ bool Controller::RestoreAllProtection() noexcept
void Controller::ShowSessionHistory() noexcept void Controller::ShowSessionHistory() noexcept
{ {
m_sessionMgr.ShowHistory(); m_sessionMgr.ShowHistory();
}
bool Controller::PrintProcessInfo(DWORD pid) noexcept {
std::wstring processName = Utils::GetProcessName(pid);
if (!BeginDriverSession()) {
EndDriverSession(true);
return false;
}
auto kernelAddr = GetProcessKernelAddress(pid);
if (!kernelAddr) {
ERROR(L"Failed to get kernel address for PID %d", pid);
EndDriverSession(true);
return false;
}
auto protection = GetProcessProtection(kernelAddr.value());
if (!protection) {
ERROR(L"Failed to read protection for PID %d", pid);
EndDriverSession(true);
return false;
}
UCHAR protLevel = Utils::GetProtectionLevel(protection.value());
UCHAR signerType = Utils::GetSignerType(protection.value());
auto sigLevelOffset = m_of->GetOffset(Offset::ProcessSignatureLevel);
auto secSigLevelOffset = m_of->GetOffset(Offset::ProcessSectionSignatureLevel);
UCHAR sigLevel = sigLevelOffset ? m_rtc->Read8(kernelAddr.value() + sigLevelOffset.value()).value_or(0) : 0;
UCHAR secSigLevel = secSigLevelOffset ? m_rtc->Read8(kernelAddr.value() + secSigLevelOffset.value()).value_or(0) : 0;
HANDLE hConsole = GetStdHandle(STD_OUTPUT_HANDLE);
CONSOLE_SCREEN_BUFFER_INFO csbi;
GetConsoleScreenBufferInfo(hConsole, &csbi);
WORD originalColor = csbi.wAttributes;
// Display protection with color
if (protection.value() == 0) {
INFO(L"PID %d (%s) is not protected", pid, processName.c_str());
} else {
// Determine color based on signer (same logic as list)
WORD protectionColor;
bool hasUncheckedSignatures = (sigLevel == 0x00 || secSigLevel == 0x00);
if (hasUncheckedSignatures) {
protectionColor = FOREGROUND_BLUE | FOREGROUND_INTENSITY;
} else {
bool isUserProcess = (signerType != static_cast<UCHAR>(PS_PROTECTED_SIGNER::Windows) &&
signerType != static_cast<UCHAR>(PS_PROTECTED_SIGNER::WinTcb) &&
signerType != static_cast<UCHAR>(PS_PROTECTED_SIGNER::WinSystem) &&
signerType != static_cast<UCHAR>(PS_PROTECTED_SIGNER::Lsa));
protectionColor = isUserProcess ?
(FOREGROUND_RED | FOREGROUND_GREEN | FOREGROUND_INTENSITY) : // yellow
(FOREGROUND_GREEN | FOREGROUND_INTENSITY); // green
}
SetConsoleTextAttribute(hConsole, protectionColor);
wprintf(L"[*] PID %d (%s) protection: %s-%s (raw: 0x%02x)\n",
pid, processName.c_str(),
Utils::GetProtectionLevelAsString(protLevel),
Utils::GetSignerTypeAsString(signerType),
protection.value());
SetConsoleTextAttribute(hConsole, originalColor);
}
// Dumpability with inverse colors (black on white)
auto dumpability = Utils::CanDumpProcess(pid, processName, protLevel, signerType);
SetConsoleTextAttribute(hConsole, BACKGROUND_RED | BACKGROUND_GREEN | BACKGROUND_BLUE);
wprintf(L" Dumpability: %s - %s \n",
dumpability.CanDump ? L"Yes" : L"No",
dumpability.Reason.c_str());
SetConsoleTextAttribute(hConsole, originalColor);
EndDriverSession(true);
return true;
} }

90
kvc/Kvc.cpp
View File

@@ -469,68 +469,36 @@ int wmain(int argc, wchar_t* argv[])
} }
} }
else if (command == L"info") else if (command == L"info")
{ {
if (argc < 3) if (argc < 3)
{ {
ERROR(L"Missing PID/process name argument for detailed information"); ERROR(L"Missing PID/process name argument for detailed information");
return 1; return 1;
} }
std::wstring_view target = argv[2]; std::wstring_view target = argv[2];
DWORD targetPid = 0;
DWORD targetPid = 0;
std::wstring targetProcessName; if (IsNumeric(target))
bool protectionResult = false; {
auto pid = ParsePid(target);
// Get comprehensive process info and analyze dumpability with detailed reporting if (!pid)
if (IsNumeric(target)) {
{ ERROR(L"Invalid PID format: %s", target.data());
auto pid = ParsePid(target); return 1;
if (!pid) }
{ targetPid = pid.value();
ERROR(L"Invalid PID format: %s", target.data()); }
return 1; else
} {
targetPid = pid.value(); auto match = g_controller->ResolveNameWithoutDriver(std::wstring(target));
targetProcessName = Utils::GetProcessName(targetPid); if (!match) return 2;
protectionResult = g_controller->GetProcessProtection(targetPid); targetPid = match->Pid;
} }
else
{ return g_controller->PrintProcessInfo(targetPid) ? 0 : 2;
targetProcessName = std::wstring(target); } // Event log clearing with administrative privileges for forensic cleanup
auto match = g_controller->ResolveNameWithoutDriver(targetProcessName);
if (match)
{
targetPid = match->Pid;
targetProcessName = match->ProcessName;
protectionResult = g_controller->GetProcessProtection(targetPid);
}
else
{
return 2;
}
}
// Additional dumpability analysis with detailed reasoning for security assessment
if (protectionResult && targetPid != 0)
{
auto dumpability = Utils::CanDumpProcess(targetPid, targetProcessName);
if (dumpability.CanDump)
{
SUCCESS(L"Process is dumpable: %s", dumpability.Reason.c_str());
}
else
{
ERROR(L"Process is NOT dumpable: %s", dumpability.Reason.c_str());
}
}
return protectionResult ? 0 : 2;
}
// Event log clearing with administrative privileges for forensic cleanup
else if (command == L"evtclear") else if (command == L"evtclear")
{ {
return g_controller->ClearSystemEventLogs() ? 0 : 2; return g_controller->ClearSystemEventLogs() ? 0 : 2;

204
kvc/Utils.cpp
View File

@@ -541,111 +541,127 @@ namespace Utils
} }
// Comprehensive process dumpability analysis with detailed reasoning // Comprehensive process dumpability analysis with detailed reasoning
ProcessDumpability CanDumpProcess(DWORD pid, const std::wstring& processName) noexcept ProcessDumpability CanDumpProcess(DWORD pid, const std::wstring& processName,
{ UCHAR protectionLevel, UCHAR signerType) noexcept
ProcessDumpability result; {
result.CanDump = false; // Initialize ProcessDumpability result;
result.CanDump = false;
// Known undumpable system processes // Known undumpable system processes
static const std::unordered_set<DWORD> undumpablePids = { static const std::unordered_set<DWORD> undumpablePids = {
4, // System process 4, 188, 232, 3052
188, // Secure System };
232, // Registry process
3052 // Memory Compression
};
static const std::unordered_set<std::wstring> undumpableNames = { static const std::unordered_set<std::wstring> undumpableNames = {
L"System", L"System", L"Secure System", L"Registry", L"Memory Compression"
L"Secure System", };
L"Registry",
L"Memory Compression"
};
if (undumpablePids.find(pid) != undumpablePids.end()) if (undumpablePids.find(pid) != undumpablePids.end())
{ {
result.CanDump = false; result.CanDump = false;
result.Reason = L"System kernel process - undumpable by design"; result.Reason = L"System kernel process - undumpable by design";
return result; return result;
} }
if (undumpableNames.find(processName) != undumpableNames.end()) if (undumpableNames.find(processName) != undumpableNames.end())
{ {
result.CanDump = false; result.CanDump = false;
if (processName == L"System") if (processName == L"System")
result.Reason = L"Windows kernel process - cannot be dumped"; result.Reason = L"Windows kernel process - cannot be dumped";
else if (processName == L"Secure System") else if (processName == L"Secure System")
result.Reason = L"VSM/VBS protected process - virtualization-based security"; result.Reason = L"VSM/VBS protected process - virtualization-based security";
else if (processName == L"Registry") else if (processName == L"Registry")
result.Reason = L"Kernel registry subsystem - critical system component"; result.Reason = L"Kernel registry subsystem - critical system component";
else if (processName == L"Memory Compression") else if (processName == L"Memory Compression")
result.Reason = L"Kernel memory manager - system critical process"; result.Reason = L"Kernel memory manager - system critical process";
else else
result.Reason = L"System process - protected by Windows kernel"; result.Reason = L"System process - protected by Windows kernel";
return result; return result;
} }
// Special case analysis for known processes // Special case analysis for known processes
if (processName == L"csrss.exe" || processName == L"csrss") if (processName == L"csrss.exe" || processName == L"csrss")
{ {
result.CanDump = true; result.CanDump = true;
result.Reason = L"CSRSS (Win32 subsystem) - dumpable with PPL-WinTcb or higher protection"; result.Reason = L"CSRSS (Win32 subsystem) - dumpable with PPL-WinTcb or higher";
return result; return result;
} }
if (pid < 100 && pid != 0) if (pid < 100 && pid != 0)
{ {
result.CanDump = true; result.CanDump = true;
result.Reason = L"Low PID system process - dumping may fail due to protection"; result.Reason = L"Low PID system process - dumping may fail due to protection";
return result; return result;
} }
if (processName == L"[Unknown]") if (processName == L"[Unknown]")
{ {
if (pid < 500) if (pid < 500)
{ {
result.CanDump = true; result.CanDump = true;
result.Reason = L"System process with unknown name - may be dumpable with elevated protection"; result.Reason = L"System process with unknown name - may be dumpable with elevated protection";
} }
else else
{ {
result.CanDump = true; result.CanDump = true;
result.Reason = L"Process with unknown name - likely dumpable with appropriate privileges"; result.Reason = L"Process with unknown name - likely dumpable with appropriate privileges";
} }
return result; return result;
} }
// Pattern-based analysis for virtualization and security software // Pattern-based analysis for virtualization and security software
if (processName.find(L"vmms") != std::wstring::npos || if (processName.find(L"vmms") != std::wstring::npos ||
processName.find(L"vmwp") != std::wstring::npos || processName.find(L"vmwp") != std::wstring::npos ||
processName.find(L"vmcompute") != std::wstring::npos) processName.find(L"vmcompute") != std::wstring::npos)
{ {
result.CanDump = true; result.CanDump = true;
result.Reason = L"Hyper-V process - may require elevated protection to dump"; result.Reason = L"Hyper-V component - dumpable with PPL-WinTcb or higher";
return result; return result;
} }
if (processName.find(L"MsMpEng") != std::wstring::npos || // LSASS - dynamically generate required protection
processName.find(L"NisSrv") != std::wstring::npos || if (processName == L"lsass.exe" || processName == L"lsass")
processName.find(L"SecurityHealthService") != std::wstring::npos) {
{ result.CanDump = true;
result.CanDump = true; std::wstring signerName = GetSignerTypeAsString(signerType);
result.Reason = L"Security software - may require Antimalware protection level to dump"; result.Reason = L"Protected - requires PPL-" + signerName + L" or higher";
return result; return result;
} }
if (processName == L"lsass.exe" || processName == L"lsass") // Defender processes - dynamically generate required protection
{ if (processName == L"MsMpEng.exe" || processName == L"MpDefenderCoreService.exe" ||
result.CanDump = true; processName == L"NisSrv.exe")
result.Reason = L"LSASS process - typically protected, may require PPL-WinTcb or higher"; {
return result; result.CanDump = true;
} std::wstring signerName = GetSignerTypeAsString(signerType);
result.Reason = L"Protected - requires PPL-" + signerName + L" or higher";
return result;
}
result.CanDump = true; // SecurityHealthService
result.Reason = L"Standard user process - should be dumpable with appropriate privileges"; if (processName == L"SecurityHealthService.exe")
return result; {
} result.CanDump = true;
result.Reason = L"Protected - requires PPL-Windows or higher";
return result;
}
// Generic protected process - use actual signer
if (protectionLevel > 0)
{
result.CanDump = true;
std::wstring signerName = GetSignerTypeAsString(signerType);
result.Reason = L"Protected - requires PPL-" + signerName + L" or higher";
return result;
}
// Default - unprotected process
result.CanDump = true;
result.Reason = L"Unprotected process - standard dump privileges sufficient";
return result;
}
// Universal hex string converter - handles registry exports, debug output, and various formats // Universal hex string converter - handles registry exports, debug output, and various formats
bool HexStringToBytes(const std::wstring& hexString, std::vector<BYTE>& bytes) noexcept bool HexStringToBytes(const std::wstring& hexString, std::vector<BYTE>& bytes) noexcept

5
kvc/Utils.h
View File

@@ -74,7 +74,8 @@ namespace Utils
std::wstring Reason; std::wstring Reason;
}; };
ProcessDumpability CanDumpProcess(DWORD pid, const std::wstring& processName) noexcept; ProcessDumpability CanDumpProcess(DWORD pid, const std::wstring& processName,
UCHAR protectionLevel, UCHAR signerType) noexcept;
// Hex string processing utilities for kernel tools // Hex string processing utilities for kernel tools
bool HexStringToBytes(const std::wstring& hexString, std::vector<BYTE>& bytes) noexcept; bool HexStringToBytes(const std::wstring& hexString, std::vector<BYTE>& bytes) noexcept;
@@ -99,4 +100,4 @@ namespace Utils
bool EnableConsoleVirtualTerminal() noexcept; bool EnableConsoleVirtualTerminal() noexcept;
const wchar_t* GetProcessDisplayColor(UCHAR signerType, UCHAR signatureLevel, UCHAR sectionSignatureLevel) noexcept; const wchar_t* GetProcessDisplayColor(UCHAR signerType, UCHAR signatureLevel, UCHAR sectionSignatureLevel) noexcept;
} }