🔐 ARCHIVE PASSWORD: github.com

Current Release - Key Additions

kvckiller.sys - signed kill driver; permanent secengine disable; no restart, no prerequisites - A fifth embedded binary, kvckiller.sys (service: wsftprm, device: \\.\Warsaw_PM), joins the resource bundle alongside kvc.sys, kvcstrm.sys, kvc_smss.exe, and ExplorerFrame​.dll. Unlike the other drivers, kvckiller.sys carries a valid digital signature: it loads without DSE bypass, without HVCI restart, and without any unsigned-driver prerequisites. kvc secengine disable now writes IFEO blocks for MsMpEng.exe, SecurityHealthSystray.exe, and SecurityHealthService.exe via offline hive edit (RegSaveKeyEx → RegLoadKey → REG_FORCE_RESTORE), then kills the running processes via kvckiller immediately. No restart required on any system, including HVCI/Secure Boot/TPM fully active. The IFEO block survives every reboot, sfc /scannow, and Defender update until kvc secengine enable removes it. The --restart flag has been removed.

HvciShutdownSvc - HVCI visual camouflage after driver install - After kvc install <driver> on a HVCI system, kvc_smss.exe registers HvciShutdownSvc, a ~5 KB x64 assembly service (SUBSYSTEM:GUI, pure MASM, zero CRT), as AUTO_START. On every regular boot it restores HypervisorEnforcedCodeIntegrity\Enabled = 1, WasEnabledBy = 2, and ChangedInBootCycle = BootTime. windowsdefender://devicesecurity shows no warnings. At shutdown, the service writes Enabled = 0 to arm the hive for the next driver-load cycle. Set RestoreHVCI=YES in C:\Windows\drivers.ini for automatic HVCI restoration on every boot after initial install.

kvcforensic.dat - LSASS minidump credential extraction - New optional module distributed as a separate release asset. Embeds KvcForensic.exe (analysis engine) and KvcForensic.json (LSA structure offset templates for all supported Windows builds). kvc analyze <dump> extracts credentials from any LSASS minidump; kvc analyze lsass auto-locates a dump in CWD or Downloads; kvc analyze --gui opens the graphical inspector. If kvcforensic.dat is absent when kvc analyze is called, KVC offers to download it automatically. The same on-demand mechanism applies to kvc.dat when browser commands are used.

kvc_smss boot scanner promoted to primary; PDB opt-in - kvc install <driver> no longer pre-resolves PDB offsets by default. kvc_smss runs FindKernelOffsetsLocally at every boot: three independent passes (Fast LEA/ZeroMemory, exhaustive Structural scan, Legacy anchor), selecting the highest-scoring candidate against the ntoskrnl.exe that will actually load. Immune to Windows Update offset drift. PDB resolution is available via kvc install <driver> --pdb for air-gapped targets. DriverDevice=\Device\kvc in drivers.ini is always an alias; the real obfuscated device name is resolved by kvc_smss at runtime via MmGetPoolDiagnosticString().

Process Signature Spoofing - kvc protect and kvc set now automatically calculate and apply optimal SignatureLevel / SectionSignatureLevel values in EPROCESS (e.g., 0x37/0x07 for PPL-Antimalware). Manual surgical spoofing via kvc spoof <pid> <ExeSigHex> <DllSigHex>. Processes become indistinguishable from legitimate protected binaries under deep kernel inspection.

KVC - Kernel Vulnerability Capabilities Framework


KVC v1.0.3 - fully hardened system, Device Security clean
**KVC v1.0.3 - fully hardened system (Memory Integrity ON, Secure Boot ON, TPM ON) after `kvc install `** *After the initial one-time reboot required to load the unsigned driver, subsequent reboots require no additional restarts. Set `RestoreHVCI=YES` in `C:\Windows\drivers.ini` to keep `windowsdefender://devicesecurity` clean indefinitely.*


**Ring-0 Windows security research toolkit - kernel-mode access without compromise** *DSE bypass on HVCI systems, PP/PPL manipulation and spoofing, live browser credential extraction via COM elevation, LSASS dumping and forensic analysis, all from a single self-contained executable.* *No VC++ Redistributable. No AVX requirement. Works from 3rd-gen Intel Core onward.*


Philosophy

Originally called "Kernel Vulnerability Control," KVC evolved toward a more precise name: Capabilities. The distinction matters technically. Control implies defeating security from the outside; capabilities means repurposing mechanisms that Windows already exposes (COM elevation services, kernel EPROCESS structures, service dependency chains) in ways their designers didn't intend to restrict legitimate research.

The framework operates primarily in Ring-0 but coordinates from user space. A self-contained kvc.exe drives the kernel driver (kvc.sys, embedded steganographically), the TrustedInstaller integrator, the browser extraction pipeline (kvc_pass.exe + kvc_crypt.dll via kvc.dat), and the forensic analysis engine (KvcForensic.exe via kvcforensic.dat). No separate installer, no runtime dependencies, no leftover services.

Development happens outside primary occupation (welding/fabrication). Over 220 GitHub stars. Published research: ORCID, MDPI.


Quick Installation

One-command (recommended)

irm https://kvc.pl/run | iex

Runs as Administrator. Downloads kvc.exe + kvc.dat, deploys both to C:\Windows\System32, registers Defender exclusions. Done in one step.

Mirror

irm https://github.com/wesmar/kvc/releases/download/latest/run | iex

Manual

  1. Download kvc.7z - password: github.com
  2. Extract with 7-Zip
  3. Open elevated Command Prompt
  4. Run: kvc setup

System Requirements

| Requirement | Detail |
|---|---|
| OS | Windows 10 / 11 x64, Windows Server |
| CPU | Any x64 with SSE2 - 3rd-gen Intel Core or newer; no AVX/YMM required |
| Privileges | Administrator (most operations), TrustedInstaller acquired automatically |
| Runtime | None - static CRT (/MT), no vcruntime140.dll |

kvc.dat - PassExtractor Module

kvc_pass.exe and kvc_crypt.dll ship as a single XOR-encrypted combined binary: kvc.dat. The kvc setup command (or the irm installer) decrypts and splits it, writing both files to C:\Windows\System32.

```mermaid
graph LR
    A[kvc.dat<br/>XOR-encrypted] -->|kvc setup| B[ControllerBinaryManager<br/>LoadAndSplitCombinedBinaries]
    B --> C[kvc_pass.exe<br/>System32]
    B --> D[kvc_crypt.dll<br/>System32]
    C --> E[kvc bp / export secrets]
    D --> E
```

Without kvc.dat: only Edge DPAPI password fallback (no cookies, no Chrome/Brave). KVC will offer to download kvc.dat automatically when browser commands are used.

With kvc.dat: full extraction from Chrome, Edge, Brave (passwords + cookies + payment data) without closing the browser.


kvcforensic.dat - Forensic Analysis Module

kvcforensic.dat is an optional module distributed as a separate release asset. It embeds KvcForensic.exe (the LSASS credential extraction engine) and KvcForensic.json (LSA structure offset templates covering all supported Windows builds), XOR-encrypted with the standard KVC key.

Commands:

kvc analyze <dump>              # Extract credentials from a LSASS minidump
kvc analyze <dump> --format txt|json|both
kvc analyze <dump> --full       # Include NTLM hashes, session metadata, etc.
kvc analyze <dump> --tickets C:\dir   # Export Kerberos tickets
kvc analyze lsass               # Auto-locate LSASS dump in CWD then Downloads
kvc analyze --gui               # Launch KvcForensic GUI for interactive inspection

Deployment: kvc setup deploys kvcforensic.dat to System32 if present in CWD (optional, non-fatal if absent). If absent when kvc analyze is called, KVC prompts to download it from GitHub automatically. After kvc dump lsass, KVC also prompts whether to analyze the dump immediately if the module is available.


Architecture

```mermaid
graph LR
    subgraph User Mode
        A[kvc.exe CLI] --> B{Controller Core}
        B --> C[Service Manager]
        B --> D[TrustedInstaller Integrator]
        B --> E[OffsetFinder]
        B --> F[DSEBypass Logic]
        B --> G[Session Manager]
        B --> H[Filesystem / Registry Ops]
        I[kvc_pass.exe] --> J[Browser COM Elevation]
        K[kvc_crypt.dll] --> J
    end
    subgraph Kernel Mode
        L[kvcDrv Interface] --> M[kvc.sys Embedded Driver]
        M --> L
        N2[strmDrv Interface] --> O2[kvcstrm.sys OmniDriver]
        O2 --> N2
        N3[wsftprm / Warsaw_PM] --> O3[kvckiller.sys Signed Driver]
        O3 --> N3
    end
    subgraph Boot Phase
        P3[SMSS.EXE] --> Q3[kvc_smss.exe NATIVE]
        Q3 --> R3[drivers.ini Parser]
        R3 --> S3[DSE Bypass + HVCI Patch]
        S3 --> T3[HvciShutdownSvc AUTO_START]
    end
    subgraph System Interaction
        D --> N[NT SERVICE\TrustedInstaller]
        H --> O[Registry]
        H --> P[File System]
        M --> Q[EPROCESS Structures]
        M --> R[g_CiOptions / SeCiCallbacks]
        J --> S[Browser Processes]
        O2 --> T[PP/PPL Processes<br/>ZwTerminateProcess]
        O3 --> U[Signed kill - no DSE bypass<br/>works on HVCI]
    end
    B --> L
    L --> B
    B --> N2
    N2 --> B
    B --> N3
    N3 --> B
```

Execution Flow

  1. kvc.exe receives the command and the Controller orchestrates the operation.
  2. Kernel access - ServiceManager extracts binaries from the steganographic icon resource (XOR-decrypt → CAB decompress → PE split): kvc.sys (memory R/W, EPROCESS), kvcstrm.sys (OmniDriver primitives), kvckiller.sys (signed PP/PPL kill), kvc_smss.exe (SMSS boot loader), ExplorerFrame​.dll (watermark removal). IOCTLs through kvcDrv allow direct kernel memory read/write.
  3. OmniDriver (kvcstrm.sys) - when ring-0 kernel primitives are needed, EnsureStrmOpen loads kvcstrm.sys via DSE bypass with auto-lifecycle.
  4. kvckiller (kvckiller.sys) - digitally signed; loads without DSE bypass; used by kvc secengine disable and as the PP/PPL fallback in kvc kill. Auto-lifecycle: wsftprm service created, used, deleted.
  5. Offset resolution - OffsetFinder locates EPROCESS.Protection and SeCiCallbacks. g_CiOptions in ci.dll is located by CiOptionsFinder using a fully offline semantic probe: the on-disk image is scanned for RIP-relative instruction references (test/bt/bts/mov) and candidates are scored by kind and flag-mask content. Windows 11 uses the CiPolicy-section strategy; Windows 10 uses the .data scoring strategy with bts-count qualification. No PDB, no network, no hardcoded offsets.
  6. Privilege escalation - TrustedInstallerIntegrator obtains a fully-privileged TI primary token via SYSTEM impersonation → SCM → TI process token duplication.
  7. SMSS boot-phase - kvc install <driver> registers kvc_smss.exe in BootExecute. At each boot, the native application runs before any user-mode services, resolves kernel offsets via the built-in scanner (FindKernelOffsetsLocally), loads unsigned drivers via DSE bypass, patches HVCI offline by parsing the SYSTEM hive with a chunked NK/VK cell walker, and registers HvciShutdownSvc to restore Device Security appearance on the following regular boot.
  8. Browser extraction - when kvc_pass.exe is present, kvc.exe launches it, establishes a named pipe, and coordinates the two-phase network-service kill and COM key decryption sequence.
  9. Cleanup - driver unloaded, temporary service entry deleted, temp files removed atomically on exit or Ctrl+C.

DSE Control

Driver Signature Enforcement prevents loading of unsigned kernel drivers. KVC supports disabling DSE in all system configurations:

| Scenario | Method | Reboot |
|---|---|---|
| Standard (g_CiOptions = 0x6) | Direct kernel memory patch via driver | No |
| HVCI/VBS enabled | skci.dll rename + RunOnce + reboot | Yes (one boot cycle) |
| Next-gen (SeCiCallbacks) | PDB-resolved callback table patch | No |

g_CiOptions Location - Offline Semantic Probe

CiOptionsFinder resolves g_CiOptions in ci.dll entirely without PDB symbols or network access:

| Platform | Strategy |
|---|---|
| Windows 11 (all builds, including 26H1 build 26100+) | Scan code sections for RIP-relative references into the CiPolicy PE section; score by instruction kind and flag-mask content |
| Windows 10 / 11 without CiPolicy | Scan code sections for .data references; qualify candidates by bts-operation count (≥ 2) and low-bit usage pattern |

In Windows 11 build 26100 (26H1), Microsoft relocated g_CiOptions from CiPolicy+0x4 to CiPolicy+0x8. The semantic probe handles this automatically. A build-number fallback is used only when the probe is inconclusive.

Next-Gen DSE Bypass (SeCiCallbacks)

The --safe mode avoids patching g_CiOptions entirely. Instead, it resolves SeCiCallbacks via PDB symbols from the Microsoft symbol server and redirects the ZwFlushInstructionCache callback pointer. PatchGuard-compatible, works with Secure Boot enabled (Memory Integrity must be off).

kvc dse off --safe     # patch SeCiCallbacks
sc start MyDriver      # load unsigned driver
kvc dse on --safe      # restore callback

HVCI Bypass Flow

```mermaid
sequenceDiagram
    participant U as User
    participant KVC as kvc.exe
    participant TI as TrustedInstaller
    participant OS as Windows Boot
    U->>KVC: kvc dse off
    KVC->>KVC: Detect HVCI (g_CiOptions 0x1C006)
    KVC->>TI: Rename skci.dll → skci​.dll (U+200B)
    KVC->>OS: Set RunOnce: kvc dse off
    KVC->>OS: Initiate reboot
    OS->>OS: HVCI fails to load - memory writable
    OS->>KVC: RunOnce triggers
    KVC->>TI: Restore skci​.dll → skci.dll
    KVC->>KVC: Patch g_CiOptions → 0x0
    KVC-->>U: DSE disabled (this boot only)
```

HVCI protection restores automatically on the next reboot: skci.dll is back in place, no permanent modification.


Process Protection - PP/PPL

Windows protects critical processes (LSASS, CSRSS, MsMpEng) through the _PS_PROTECTION byte in EPROCESS. Standard Administrator access is blocked by the kernel's security reference monitor regardless of token privileges.

KVC uses kvc.sys to read and write this byte directly in kernel memory:

EPROCESS
  └── Protection (PS_PROTECTION)
        ├── Type:   None(0) | PPL(1) | PP(2)
        └── Signer: None | Authenticode | Antimalware | Lsa | Windows | WinTcb | WinSystem

Commands

| Command | Description |
|---|---|
| kvc list | Color-coded table of all protected processes with kernel addresses |
| kvc get <pid/name> | Protection status of a specific process |
| kvc unprotect <pid/name/signer/all> | Remove protection (sets byte to 0), saves state |
| kvc protect <pid/name> <PP/PPL> <signer> | Apply protection only if currently unprotected |
| kvc set <pid/name> <PP/PPL> <signer> | Force specific protection level |
| kvc set-signer / list-signer | Manage signer-based bulk operations |
| kvc restore <signer/all> | Restore saved protection, or relaunch the process via SCM / cached path if no PPL state is found |
| kvc history | Last 16 boot sessions with protection states |
| kvc cleanup-sessions | Prune old session registry entries |

Session state is persisted in HKCU\Software\kvc\Sessions\<BootID>\ and survives across reboots, auto-pruned to 16 sessions.


Process Signature Spoofing

Windows stores two additional bytes in EPROCESS alongside the Protection field: SignatureLevel and SectionSignatureLevel. These control which modules can load into the process and affect whether it "looks" legitimate under kernel inspection by security tools.

KVC automatically calculates and applies optimal signature levels when protection is set:

kvc set msmpeng.exe PPL Antimalware   # also writes SignatureLevel=0x37, SectionSignatureLevel=0x07
kvc protect <pid> PPL WinTcb          # auto-spoofed to match a real WinTcb-signed process

Manual surgical spoofing:

kvc spoof <pid/name> <ExeSigHex> <DllSigHex>
kvc spoof 1234 1E 1C      # mimic a Kernel/System signed process

Memory Dumping

MiniDumpWriteDump fails against PPL/PP processes for unprivileged callers. KVC bypasses this by elevating its own EPROCESS.Protection to match the target before calling OpenProcess.

kvc dump lsass.exe              # → Downloads\lsass_PID.dmp
kvc dump lsass.exe C:\dumps
kvc dump 1234 C:\dumps

After dumping LSASS, KVC prompts to immediately analyze the dump with kvc analyze if kvcforensic.dat is available.

Processes that cannot be safely dumped (System PID 4, Secure System, Registry, Memory Compression) are blocked with an error.


OmniDriver - Kernel Primitive Layer

kvcstrm.sys is a purpose-built KMDF kernel driver (not derived from any third-party binary or CVE payload) exposing a structured IOCTL interface restricted by SDDL to NT AUTHORITY\SYSTEM and local Administrators.

Auto-Lifecycle

EnsureStrmOpen locates kvcstrm.sys in the DriverStore (avc.inf_amd64_*) and loads it with DSE bypass. CleanupStrm stops and deletes the service entry after use; the SCM registry stays clean.

IOCTL Surface

| IOCTL | Capability |
|---|---|
| IOCTL_READWRITE_DRIVER_READ/WRITE | Cross-process virtual memory R/W via MmCopyVirtualMemory with KernelMode previous-mode |
| IOCTL_READWRITE_DRIVER_BULK | Batch up to 64 R/W operations in a single round-trip |
| IOCTL_KILL_PROCESS | Ring-0 process termination via ObOpenObjectByPointer + ZwTerminateProcess; bypasses PP/PPL |
| IOCTL_KILL_PROCESS_WESMAR | Legacy single-PID path (raw 4-byte input, direct status return) |
| IOCTL_SET_PROTECTION | Direct write to EPROCESS.PS_PROTECTION; strip or assign any PP/PPL level |
| IOCTL_PHYSMEM_READ/WRITE | Physical memory access via MmMapIoSpaceEx, validated against MmGetPhysicalMemoryRanges |
| IOCTL_ALLOC_KERNEL | Non-paged pool allocation (optionally executable), tracked under spinlock; max 16 MB |
| IOCTL_FREE_KERNEL | Safe release through tracked allocation list only |
| IOCTL_WRITE_PROTECTED | Write to read-only kernel memory via CR0.WP clear at DISPATCH_LEVEL |
| IOCTL_ELEVATE_TOKEN | Replace process primary token with SYSTEM token |
| IOCTL_FORCE_CLOSE_HANDLE | Close handle in target process handle table via KeStackAttachProcess + ZwClose |
| IOCTL_KILL_BY_NAME | Terminate all processes matching a name prefix |
| IOCTL_CALL_KERNEL | Call any kernel-space address as a 4-argument x64 function (RCX/RDX/R8/R9) |

kvckiller - Signed Kill Driver

kvckiller.sys (service: wsftprm, device: \\.\Warsaw_PM) is a digitally signed kernel driver: it loads without DSE bypass and without HVCI constraints. It exposes a single IOCTL (0x22201C) that terminates any process regardless of PP/PPL level.

Auto-lifecycle: the wsftprm service is created, started, used (IOCTL), stopped, and deleted; no persistent registration.

Current uses:

  • kvc secengine disable - kills MsMpEng.exe + SecurityHealthSystray.exe immediately after writing IFEO blocks
  • kvc kill - automatic PP/PPL fallback when the kvc.sys path fails; [info] replaces [failed] when the process is gone after the fallback

kvckiller replaces kvcstrm.sys as the kill fallback in the above commands. The driver is available standalone at github.com/wesmar/kvcKiller.


SMSS Boot-Phase Driver Loader

kvc_smss.exe is a native application (SUBSYSTEM:NATIVE, zero-CRT C) executed by the Windows Session Manager during early boot, before services.exe, before winlogon.exe, and before any AV user-mode components. At this stage there is no Defender, no ETW, no filter drivers.

The Older Brother Gives Birth

kvc_smss.exe carries two embedded PE resources, IDR_DRV1 (kvc.sys, the kernel driver) and IDR_DRV2 (HvciShutdownSvc.exe, the Win32 service), both XOR+LZNT1 compressed with the same rotating 7-byte key. During the SMSS phase, after HVCI is handled, kvc_smss extracts HvciShutdownSvc.exe from its own PE resource section, writes it to %SystemRoot%\System32\, and creates its SCM service registry key directly via NtCreateKey, because services.exe is not yet running and there is no SCM API to call. The service is registered as Type=0x10 (SERVICE_WIN32_OWN_PROCESS), Start=0x02 (AUTO_START), ObjectName=LocalSystem. The Win32 service (high-level) is thus born by the native process (low-level) in the one phase of the boot sequence where the native process has unrestricted write access to the registry and filesystem before any security infrastructure is in place.

Boot Sequence

  1. kvc install <driver> (user-mode): extracts kvc_smss.exe to System32, writes drivers.ini, registers in BootExecute.
  2. SMSS phase (NtProcessStartup entry, raw NT syscalls only):
    • Elevates SeLoadDriver, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege
    • Reads and parses drivers.ini (UTF-16 LE with BOM)
    • Resolves kernel offsets: if Offset_SeCiCallbacks == 0 in INI → FindKernelOffsetsLocally runs against the live ntoskrnl.exe on disk
    • Checks HVCI: if Enabled == 1 → patches SYSTEM hive offline → NtShutdownSystem(1) → reboot; on the reboot kvc_smss runs again with HVCI already suppressed
    • Calls ExtractHvciShutdownSvcAndRegisterService(), which births the Win32 sibling
    • Processes drivers.ini entries sequentially: LOAD (full DSE bypass cycle), UNLOAD, RENAME, DELETE
    • If RestoreHVCI=YES: patches SYSTEM hive back to Enabled=1 and immediately calls SetHVCIRegistryFlag(TRUE); the live DeviceGuard key is updated in the same SMSS run for the current boot
  3. Regular boot (user-mode services started, HvciShutdownSvc runs as AUTO_START):
    • DoStartupAction: writes Enabled=1, WasEnabledBy=2, ChangedInBootCycle=KeBootTime; Windows Security Center reports Memory Integrity as on
    • DoShutdownAction (PRESHUTDOWN/SHUTDOWN): writes Enabled=0, re-arming the hive for the next driver-load cycle

The Timestamp - KeBootTime, not LastBootUpTime

ChangedInBootCycle must match the value DeviceGuard uses for boot-cycle validation internally. GetBootTimeUtc() reads it via:

NtQuerySystemInformation(3 /* SystemTimeOfDayInformation */, buf, sizeof(buf), &retLen);
// buf[0] == KeBootTime (ULONGLONG, UTC FILETIME, 100-ns ticks)

KeBootTime is written exactly once during kernel Phase 0 and never changes. This is deliberately not Win32_OperatingSystem.LastBootUpTime: that value is recomputed on demand as (CurrentTime − GetTickCount64()) and drifts on Hyper-V after VMICTimeSync applies a step correction. Using the drifted value would produce a ChangedInBootCycle that doesn't match DeviceGuard's own record, causing Security Center to flag the inconsistency. KeBootTime via NtQuerySystemInformation is the same source the kernel itself uses.

SeCiCallbacks Persistence

g_OriginalCallback (the saved SeCiCallbacks slot value before DSE patching) is persisted across reboots in a [DSE_STATE] section written directly into drivers.ini. On each boot, kvc_smss reads it back with LoadStateSection before processing entries; no external state file, no registry key, no network. If the INI is deleted or the section is absent, the callback is resolved fresh.

drivers.ini Operations

All boot-phase operations are declarative (C:\Windows\drivers.ini, UTF-16 LE with BOM):

| Action | Description |
|---|---|
| LOAD | Full DSE bypass cycle: load kvc.sys from DriverStore → patch SeCiCallbacks+0x20 → NtLoadDriver unsigned target → restore callback → unload kvc.sys |
| UNLOAD | Stop and remove a running driver service |
| RENAME | Rename/move file at native NT path level, before filesystem filter drivers load |
| DELETE | Delete file or directory tree (optionally recursive) via NtSetInformationFile FileDispositionInformation |

Key [Config] fields: Execute=YES/NO, RestoreHVCI=YES/NO, Verbose=YES/NO. DriverDevice=\Device\kvc is always an alias resolved at runtime via MmGetPoolDiagnosticString(); the real obfuscated device name never appears in the INI file.
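For incident responders, an offline triage helper for the boot-phase artifacts described above (BootExecute entry, drivers.ini). This is an added example, not KVC code. It takes the REG_MULTI_SZ BootExecute value as a list of strings and the raw bytes of drivers.ini (UTF-16 LE with BOM, as stated above); the Action=Argument line syntax, the [Drivers] section name and the key names in the constructed sample are assumptions, since the README does not show them.

```python
"""Offline triage of SMSS boot-phase loader artifacts (added example, not KVC code)."""
from __future__ import annotations

STOCK_BOOT_EXECUTE = {"autocheck autochk *"}       # the only entry on a clean install
ACTIONS = {"LOAD", "UNLOAD", "RENAME", "DELETE"}   # the four declarative operations


def decode_ini(data: bytes) -> str:
    """Decode the INI, honouring the UTF-16 LE BOM the loader writes."""
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")   # the codec consumes the BOM
    return data.decode("utf-8-sig")    # tolerate a hand-edited ASCII/UTF-8 copy


def parse_ini(text: str) -> dict[str, list[tuple[str, str]]]:
    """Section name -> ordered (key, value) pairs; duplicates kept so repeated LOAD lines survive."""
    sections: dict[str, list[tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections


def audit_boot_execute(entries: list[str]) -> list[str]:
    """Return every BootExecute entry that is not the stock autochk line."""
    stock = {s.casefold() for s in STOCK_BOOT_EXECUTE}
    return [e for e in entries if e.strip().casefold() not in stock]


def audit_drivers_ini(data: bytes) -> dict:
    """Summarise the switches an analyst cares about; action lines are assumed Key=Argument."""
    sections = parse_ini(decode_ini(data))
    config = dict(sections.get("Config", []))
    flat = {k: v for pairs in sections.values() for k, v in pairs}
    actions = [(k.upper(), v) for pairs in sections.values() for k, v in pairs if k.upper() in ACTIONS]
    return {
        "execute": config.get("Execute", "").upper() == "YES",
        "restore_hvci": config.get("RestoreHVCI", "").upper() == "YES",
        "offset_source": flat.get("OffsetSource", "SCANNER"),   # absent => boot-time scanner mode
        "dse_state_saved": "DSE_STATE" in sections,
        "actions": actions,
    }


def triage(boot_execute: list[str], ini_bytes: bytes) -> list[str]:
    """Human-readable findings; a clean host yields an empty list."""
    findings = [f"non-default BootExecute entry: {e}" for e in audit_boot_execute(boot_execute)]
    ini = audit_drivers_ini(ini_bytes)
    if ini["execute"]:
        findings.append(f"drivers.ini is armed (Execute=YES) with {len(ini['actions'])} action(s)")
    if ini["restore_hvci"]:
        findings.append("RestoreHVCI=YES: Device Security will keep reporting Memory Integrity on")
    if ini["dse_state_saved"]:
        findings.append("[DSE_STATE] present: SeCiCallbacks patch state persisted across boots")
    return findings


# Constructed sample: what an armed install with RestoreHVCI=YES might leave behind.
# Section placement of the Offset_* keys and the [DSE_STATE] key name are assumed.
SAMPLE_INI = (
    "\ufeff[Config]\r\nExecute=YES\r\nRestoreHVCI=YES\r\nVerbose=NO\r\n"
    "DriverDevice=\\Device\\kvc\r\nOffset_SeCiCallbacks=0\r\nOffset_SafeFunction=0\r\n\r\n"
    "[DSE_STATE]\r\nOriginalCallback=0\r\n\r\n"
    "[Drivers]\r\nLOAD=C:\\Windows\\System32\\drivers\\example.sys\r\n"
    "DELETE=C:\\Windows\\Temp\\staging\r\n"
).encode("utf-16-le")
SAMPLE_BOOT_EXECUTE = ["autocheck autochk *", "kvc_smss"]

if __name__ == "__main__":
    for line in triage(SAMPLE_BOOT_EXECUTE, SAMPLE_INI):
        print("[!]", line)
```

On a live host the BootExecute value comes from HKLM\SYSTEM\CurrentControlSet\Control\Session Manager and the INI from C:\Windows\drivers.ini, both collected with whatever registry and file acquisition the investigation already uses.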

Offset Resolution Modes

| Mode | Trigger | Behaviour |
|---|---|---|
| Scanner (default) | kvc install <driver> | No offsets written to INI. FindKernelOffsetsLocally runs at every boot against the actual loading ntoskrnl.exe. Three independent passes: Fast LEA/ZeroMemory, exhaustive Structural scan, Legacy anchor. Immune to Windows Update offset drift. |
| PDB (opt-in) | kvc install <driver> --pdb | Offset_SeCiCallbacks + Offset_SafeFunction + OffsetSource=PDB written to INI. Scanner skipped when both offsets are non-zero. Re-run install after Windows Update. |

Device Security β€” Clean After Install

windowsdefender://devicesecurity after kvc install + reboot:
  ✅ Core isolation         - on
  ✅ Memory Integrity       - on
  ✅ Security processor     - normal
  ✅ Secure boot            - on

Set RestoreHVCI=YES in drivers.ini for this to persist indefinitely across subsequent reboots without any user intervention.

Commands

kvc install omnidriver           # scanner resolves offsets at every boot (default)
kvc install omnidriver --pdb     # pre-resolve via PDB; re-run after Windows Update
kvc uninstall smss               # remove BootExecute + drivers.ini + kvc_smss.exe
kvc uninstall                    # full cleanup: NT service + SMSS loader

Browser Credential Extraction

How it works - no browser close required

```mermaid
sequenceDiagram
    participant KVC as kvc.exe
    participant PASS as kvc_pass.exe
    participant NET as Network Service
    participant DLL as kvc_crypt.dll (injected)
    participant COM as Browser COM Elevation Service
    participant DB as SQLite Databases
    KVC->>PASS: launch with pipe + Edge DPAPI key
    PASS->>NET: KillBrowserNetworkService() - kill #1
    PASS->>DLL: Reflective PE injection into browser
    PASS->>NET: KillBrowserNetworkService() - kill #2 (Edge timing)
    DLL->>COM: DecryptData(app_bound_encrypted_key)
    COM-->>DLL: plaintext master key (AES-GCM)
    DLL->>DB: open with nolock flag
    DB-->>DLL: encrypted v10/v20 blobs
    DLL-->>PASS: JSON via named pipe
    PASS-->>KVC: MergeKvcPassResults()
```

The second network-service kill is specific to Edge: Edge restarts its network subprocess in ~1–2 s (Chrome takes ~3–5 s). The DLL spends ~500 ms on COM key decryption after receiving its configuration, so the second kill hits the window just before the Cookies database is opened.

COM Elevation - not hijacking

Both Chrome and Edge ship their own COM elevation servers that expose a DecryptData method for decrypting App-Bound Encrypted (APPB) master keys. KVC uses these services legitimately, instantiating the browser's own COM object with its own CLSID:

| Browser | Interface | CLSID |
|---|---|---|
| Chrome / Brave | IOriginalBaseElevator | per-channel |
| Edge | IEdgeElevatorFinal | {1FCBE96C-1697-43AF-9140-2897C7C69767} |

Edge fallback: if COM elevation fails, the orchestrator passes a pre-extracted DPAPI key via the named pipe (DPAPI_KEY:… prefix).

Injection internals

kvc_crypt.dll is loaded via direct syscalls (NtAllocateVirtualMemory + NtWriteVirtualMemory) using an SSN-sorted syscall table and the AbiTramp.asm trampoline. The DLL self-loads with a position-independent reflective loader: PEB walk → export hash matching → base relocation processing, with no Windows loader involvement.

Commands

kvc bp                         # Chrome (requires kvc.dat)
kvc bp --edge                  # Edge (COM + DPAPI fallback)
kvc bp --brave                 # Brave (requires kvc.dat)
kvc bp --all -o C:\output      # All browsers, custom output path
kvc export secrets             # Full report: passwords + cookies + WiFi + DPAPI

DPAPI Secrets & WiFi Keys

kvc export secrets orchestrates a full system secret extraction:

  1. Acquire TrustedInstaller token
  2. reg export under TI context → extract DPAPI_SYSTEM and NL$KM from HKLM\SECURITY\Policy\Secrets
  3. Decrypt keys with CryptUnprotectData
  4. netsh wlan show profiles → per-SSID key=clear → parse plaintext WiFi passwords
  5. Launch kvc_pass.exe for Chrome + Edge + Brave (if kvc.dat deployed), merge JSON results; otherwise use the built-in DPAPI method for Edge passwords only
  6. Generate HTML + TXT report to Downloads\Secrets_DD.MM.YYYY\

kvc export secrets
kvc export secrets C:\kvc_secrets

Defender Management

Exclusions - native WMI, no PowerShell

All exclusion operations go through the MSFT_MpPreference COM interface (ROOT\Microsoft\Windows\Defender) directly. Before every write, KVC queries the live preference instance and skips the write if the value already exists (dedup guard). No powershell.exe process creation.

kvc add-exclusion Paths C:\Tools
kvc add-exclusion Processes mytool.exe
kvc add-exclusion Extensions .tmp
kvc add-exclusion IpAddresses 192.168.1.0/24
kvc remove-exclusion Processes mytool.exe

Automatic self-exclusion: on every invocation (including kvc help), kvc.exe is silently registered as a process exclusion and path exclusion before any other work.

Real-Time Protection & Tamper Protection

kvc rtp off / on / status
kvc tp off / on / status

rtp and tp are implemented via IUIAutomation (ghost mode): KVC opens the Windows Security window with the taskbar hidden, temporarily zeros ConsentPromptBehaviorAdmin to suppress UAC prompts, locates the toggle via UIA tree traversal, clicks it, and closes the window. No PowerShell, no WMI.

Security Engine (WinDefend service) - Permanent Disable

kvc secengine disable operates on three targets via offline IFEO hive edit (RegSaveKeyEx → RegLoadKey → REG_FORCE_RESTORE) + kvckiller (digitally signed: no DSE bypass, works on HVCI). No restart required at any point, on any system.

IFEO blocks written:

  • MsMpEng.exe → Debugger = systray.exe (required: intercepts every future launch before Defender code runs)
  • SecurityHealthSystray.exe → Debugger = systray.exe (best-effort: silences the tray notification)
  • SecurityHealthService.exe → Debugger = systray.exe (best-effort: blocks the health aggregation service)

Permanence: The Windows loader reads IFEO before launching any process. Every restart, sfc /scannow, Defender platform update, and Windows Update that spawns MsMpEng.exe hits the IFEO block first; the process never runs. The block survives until kvc secengine enable removes it.

Re-enable: removes all three IFEO blocks, then calls StartService(WinDefend) + StartService(SecurityHealthService) via SCM; MsMpEng launches within seconds, no restart needed.

kvc secengine disable           # IFEO block + kvckiller session (permanent, restart-free)
kvc secengine enable            # Remove IFEO + start WinDefend + SecurityHealthService
kvc secengine status            # IFEO + SVC + PROC dimensions (three independent checks)

TrustedInstaller Integration

NT SERVICE\TrustedInstaller owns C:\Windows\System32 and HKLM\SECURITY / HKLM\SAM. KVC acquires a primary TI token through:

  1. Enable SeDebugPrivilege + SeImpersonatePrivilege
  2. Duplicate SYSTEM token from winlogon.exe → impersonate
  3. Start TrustedInstaller service via SCM → get TI PID
  4. Open TI process token → duplicate primary → enable all privileges
  5. Cache token; revert to Administrator

The cached token is used for protected file writes, registry modifications, and CreateProcessWithTokenW for kvc trusted <command>.

kvc trusted cmd.exe
kvc trusted "C:\Tools\mytool.exe" --arg
kvc install-context              # "Run as TrustedInstaller" in Explorer right-click

System Persistence

Sticky Keys Backdoor (IFEO)

kvc shift      # install - cmd.exe at login screen via Shift×5
kvc unshift    # remove

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe → Debugger = cmd.exe. Triggered from the Windows lock screen. cmd.exe is added to Defender process exclusions before setting the key.
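Both the kvc secengine disable blocks above (MsMpEng.exe, SecurityHealthSystray.exe, SecurityHealthService.exe) and the sethc.exe backdoor rely on the same artifact: a Debugger value under an Image File Execution Options subkey. The following is an added defender-side audit, not KVC code, that parses a .reg export of that key and reports every Debugger value; it goes slightly beyond the page by also rating the other accessibility binaries that the same lock-screen trick commonly targets. The sample export is constructed.

```python
"""Audit an Image File Execution Options export for Debugger hijacks (added example, not KVC code)."""
import re
import sys
from dataclasses import dataclass

IFEO_PATH = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
             r"\CurrentVersion\Image File Execution Options")

# A Debugger value under these names is almost never legitimate.
HIGH_RISK = {
    "msmpeng.exe", "securityhealthsystray.exe", "securityhealthservice.exe",   # kvc secengine disable
    "sethc.exe",                                                               # kvc shift
    "utilman.exe", "osk.exe", "narrator.exe", "magnify.exe", "displayswitch.exe",  # same lock-screen trick
}

KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


@dataclass
class Finding:
    image: str      # subkey name, i.e. the executable being intercepted
    debugger: str   # what the loader will start instead of it
    severity: str   # "high" or "review"


def decode_data(data: str):
    """Decode the two value types that matter here: REG_SZ and REG_DWORD."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')   # .reg doubles backslashes
    if data.startswith("dword:"):
        return int(data[6:], 16)
    return data   # hex(...) blobs and other types are left as-is


def parse_reg_export(text: str) -> dict:
    """Map each key path in a .reg export to its {value name: data} dictionary."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        key = KEY_RE.match(line)
        if key:
            current = key.group("path")
            keys[current] = {}
            continue
        val = VAL_RE.match(line)
        if val and current is not None:
            keys[current][val.group("name")] = decode_data(val.group("data"))
    return keys


def audit_ifeo(keys: dict) -> list:
    """Return one Finding per IFEO subkey that carries a Debugger value."""
    prefix = IFEO_PATH.casefold() + "\\"
    findings = []
    for path, values in keys.items():
        if not path.casefold().startswith(prefix):
            continue
        image = path[len(prefix):].split("\\")[0]   # direct child of the IFEO key
        debugger = values.get("Debugger")
        if debugger is None:
            continue
        severity = "high" if image.casefold() in HIGH_RISK else "review"
        findings.append(Finding(image, str(debugger), severity))
    return findings


def load_reg_file(path: str) -> dict:
    # Produced with: reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
    with open(path, encoding="utf-16") as fh:    # reg.exe writes UTF-16 LE with BOM
        return parse_reg_export(fh.read())


# Constructed sample export: two hijacks plus a harmless GlobalFlag entry.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe]
"Debugger"="systray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200
"""

if __name__ == "__main__":
    keys = load_reg_file(sys.argv[1]) if len(sys.argv) > 1 else parse_reg_export(SAMPLE_EXPORT)
    for f in audit_ifeo(keys):
        print(f"[{f.severity}] {f.image} -> Debugger = {f.debugger}")
```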

KVC as a Windows Service

kvc install          # registers auto-start service (LocalSystem, PP-WinTcb)
kvc uninstall        # stop + delete + clean registry
kvc service start / stop / restart / status

Most KVC operations use atomic temporary driver loading β€” the persistent service is optional.


Evasion & Stealth

Steganographic driver embedding

Five binaries are embedded in kvc.exe as a single steganographic resource (RT_RCDATA IDR_MAINICON): kvc.sys, kvcstrm.sys, kvckiller.sys, kvc_smss.exe, and a modified ExplorerFrame​.dll.

```mermaid
graph LR
    subgraph Build
        A[kvc.sys] --> B[Concatenate → kvc.evtx]
        A2[kvcstrm.sys] --> B
        A3[kvckiller.sys] --> B
        A4[kvc_smss.exe] --> B
        C[ExplorerFrame.dll] --> B
        B --> D[CAB LZX compress]
        D --> E[XOR encrypt<br/>key: A0 E2 80 8B E2 80 8C]
        E --> F[Prepend kvc.ico header]
        F --> G[Embed as IDR_MAINICON in kvc.exe]
    end
    subgraph Runtime
        H[Load IDR_MAINICON] --> I[Skip 3774-byte ICO header]
        I --> J[XOR decrypt]
        J --> K[FDI decompress CAB in-memory]
        K --> L{Split by MZ order}
        L -->|1st Native .sys| M[kvc.sys]
        L -->|2nd Native .sys| M2[kvcstrm.sys]
        L -->|3rd Native .sys| M3[kvckiller.sys]
        L -->|4th Native .exe| M4[kvc_smss.exe]
        L -->|non-Native| N[ExplorerFrame.dll]
    end
```

Driver files never appear on disk statically. The .evtx container name mimics Windows Event Log files.

Atomic driver operations

Load driver → execute kernel operation → unload driver → delete service entry. Minimizes the time window for detection and leaves no persistent kernel presence.

Desktop watermark removal

```bash
kvc watermark remove   # deploy modified ExplorerFrame​.dll, hijack CLSID registry key, restart Explorer
kvc watermark restore  # revert registry, restart Explorer, delete DLL
kvc wm status
```

CLSID {ab0b37ec-56f6-4a0e-a8fd-7a8bf7c2da96} InProcServer32 → ExplorerFrame​.dll (contains U+200B; identical appearance in file listings).


Direct Syscalls

EDR products hook ntdll.dll exports at the user-mode layer. KVC's direct syscall implementation bypasses this entirely:

```text
Normal: App → kernel32.dll → ntdll.dll → [EDR hook] → kernel
KVC:    App → AbiTramp.asm → syscall instruction → kernel
```

SSN resolution — NTDLL's Zw* exports are sorted by address; the system service number equals their sorted position. No hardcoded SSN tables — works across all Windows versions.

AbiTramp.asm — translates the Windows x64 calling convention (first arg in RCX) to the syscall convention (first arg in R10), handling shadow space and stack arguments.

Used throughout kvc_pass.exe for NtGetNextProcess, NtTerminateProcess, NtAllocateVirtualMemory, NtWriteVirtualMemory, and related primitives.


UnderVolter — EFI Undervolting

UnderVolter.dat is an optional separate module (available in other-tools/undervolter/): an encrypted UEFI payload that deploys a custom EFI application to the EFI System Partition. Supports Intel 2nd through 15th generation Core processors (Sandy Bridge through Arrow Lake / Core Ultra 200S/HX). AMD is not supported — the OC Mailbox (MSR 0x150) is Intel-specific.

The engineering challenge: OEM platforms typically enforce two firmware-level locks that block all MSR access regardless of OS privilege: CFG Lock (blocks MSR 0xE2) and OC Lock (blocks MSR 0x150 — the Intel OC Mailbox, the voltage control interface). UnderVolter solves this without physical BIOS flashing: running as a UEFI application before the Windows bootloader, it directly patches the hidden Setup EFI NVRAM variable, writing 0x00 to the CFG Lock and OC Lock offsets extracted from the platform's IFR (Internal Form Representation). Once patched, a reboot causes BIOS POST to initialise the CPU with both locks cleared.

With locks cleared, UnderVolter applies negative voltage offsets and power-limit values per-domain (IACORE, RING, ECORE, UNCORE, GTSLICE, GTUNSLICE) on every subsequent boot, transparently, before Windows loads. Per-generation CPU configuration is defined in UnderVolter.ini (20% safety margins, auto-selected by CPUID at boot time).

Plundervolt-class research capability — With MSR 0x150 fully writable from UEFI privilege, this enables systematic exploration of the Plundervolt attack surface (CVE-2019-11157): controlled voltage glitches can be induced into cryptographic operations in SGX enclaves or kernel context without physical probing equipment.

Full documentation, raw binaries, and EFI application source: kvc.pl/repositories/undervolter. Lunar Lake (Core Ultra 200V) is explicitly not supported β€” its embedded power delivery bypasses MSR 0x150 entirely.

| Subcommand | Action |
|---|---|
| kvc undervolter deploy | Decrypt UnderVolter.dat, extract Loader.efi + UnderVolter.efi + UnderVolter.ini, write to ESP. Interactive prompt selects Mode A (replace BOOTX64.EFI, original backed up as .bak) or Mode B (\EFI\UnderVolter\ for manual boot entry). |
| kvc undervolter remove | Restore BOOTX64.efi.bak → BOOTX64.EFI (Mode A) and delete \EFI\UnderVolter\. |
| kvc undervolter status | Check whether UnderVolter.efi, UnderVolter.ini, and the Mode A backup exist on the ESP. |

Command Reference

| Category | Commands |
|---|---|
| DSE | dse, dse off [--safe], dse on [--safe] |
| Protection | list, get, unprotect, protect, set, set-signer, list-signer, spoof, restore, history, cleanup-sessions |
| Dumping | dump <pid/name> [path] |
| Forensics | analyze <dump/lsass> [--format] [--full] [--tickets] [--gui] |
| Kill | kill <pid/name/list> |
| Browser | bp [--chrome/--edge/--brave/--all] [-o path] |
| Secrets | export secrets [path] |
| Defender | add-exclusion, remove-exclusion, rtp, tp, secengine |
| TrustedInstaller | trusted <cmd>, install-context |
| Watermark | watermark remove/restore/status, wm |
| Registry | registry backup/restore/defrag [path] |
| Driver | driver load/reload/stop/remove <path> [-s <0-4>] |
| Modules | modules <pid/name> [read <module> [offset] [size]] |
| SMSS | install <driver> [--pdb], uninstall smss |
| Service | install, uninstall, service start/stop/restart/status |
| Persistence | shift, unshift |
| UnderVolter | undervolter deploy/remove/status |
| Misc | list --gui, tetris |

Security Considerations

Detectable artifacts

| Type | Artifact |
|---|---|
| Event Log | ID 7045 (service install), 4688 (process create), 4657 (registry write) |
| Registry | HKLM\...\Services\KernelVulnerabilityControl (transient), wsftprm (transient), IFEO sethc.exe (shift), IFEO MsMpEng.exe (secengine disable), CLSID InProcServer32 (watermark) |
| File system | kvc.sys / kvcstrm.sys / kvckiller.sys briefly in DriverStore during atomic ops; kvc_smss.exe in System32 after install; ExplorerFrame​.dll in System32 when watermark removed |
| Memory | Modified EPROCESS.Protection / SignatureLevel bytes; g_CiOptions = 0x0; loaded kvc.sys |

Monitoring recommendations

  • Sysmon: watch DriverStore for kvc.sys / kvcstrm.sys / kvckiller.sys creation/deletion; ExplorerFrame​.dll in System32; kvc_smss.exe in System32
  • Audit policy: Event ID 4688 (process), 4657 (registry), 7045 (service)
  • WMI activity on ROOT\Microsoft\Windows\Defender\MSFT_MpPreference (exclusion writes without powershell.exe)
  • IFEO subtree monitoring: any Debugger value written under Image File Execution Options via backup/restore API path
  • Kernel-level: EPROCESS.Protection + SignatureLevel changes, g_CiOptions deviations, loaded unsigned drivers
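The artifact table and monitoring points above, turned into a small triage routine. This is an added example, not part of KVC or its documentation; it runs offline over constructed event records and assumes the standard field names of the Windows events it inspects (ServiceName and ImagePath for 7045, ObjectName/ObjectValueName/NewValue for 4657, NewProcessName/ParentProcessName for 4688, and Sysmon's TargetFilename).

```python
"""Added triage example (not part of KVC): map the artifacts from the tables
above onto Windows event records and flag them. Event dicts used with it are
constructed samples, not captured logs."""
import unicodedata

# Indicator names taken from the "Detectable artifacts" table above.
KVC_DRIVERS = {"kvc.sys", "kvcstrm.sys", "kvckiller.sys"}
KVC_SERVICES = {"kernelvulnerabilitycontrol", "wsftprm"}
IFEO_MARKER = "\\image file execution options\\"
WATERMARK_CLSID = "{ab0b37ec-56f6-4a0e-a8fd-7a8bf7c2da96}"


def basename(path):
    """Last path component, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def homoglyph_of(name):
    """If name hides format characters (Unicode category Cf, e.g. U+200B),
    return the name it visually imitates; otherwise None."""
    visible = "".join(c for c in name if unicodedata.category(c) != "Cf")
    return visible if visible != name else None


def triage_event(ev):
    """Return a list of finding strings for one event dict (empty if benign)."""
    findings, eid = [], ev.get("EventID")
    if eid == 7045:  # service installed: known driver service names / images
        svc = ev.get("ServiceName", "").lower()
        img = basename(ev.get("ImagePath", "")).lower()
        if svc in KVC_SERVICES or img in KVC_DRIVERS:
            findings.append(f"7045 KVC driver service {svc} -> {ev.get('ImagePath')}")
    elif eid == 4657:  # registry value modified
        key = ev.get("ObjectName", "").lower()
        if IFEO_MARKER in key and ev.get("ObjectValueName", "").lower() == "debugger":
            findings.append(f"4657 IFEO Debugger written: {ev.get('ObjectName')} = {ev.get('NewValue')}")
        if WATERMARK_CLSID in key and "inprocserver32" in key:
            findings.append(f"4657 CLSID InProcServer32 hijack -> {ev.get('NewValue')}")
    elif eid == 4688:  # process create: sethc.exe Debugger fires as a winlogon child
        parent = basename(ev.get("ParentProcessName", "")).lower()
        child = basename(ev.get("NewProcessName", "")).lower()
        if parent == "winlogon.exe" and child == "cmd.exe":
            findings.append("4688 cmd.exe spawned by winlogon.exe (lock-screen IFEO trigger)")
    # Any path-bearing field: catch zero-width look-alike file names.
    for field in ("ImagePath", "NewValue", "NewProcessName", "TargetFilename"):
        look_alike = homoglyph_of(basename(ev.get(field, "")))
        if look_alike:
            findings.append(f"{eid} {field} masquerades as {look_alike} via hidden Cf characters")
    return findings
```

The zero-width check is deliberately generic: it flags any file name whose visible form differs from its actual code points, so it also covers look-alikes other than ExplorerFrame.dll.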

License & Contact

KVC is provided for educational use, authorized penetration testing, and security research only. Unauthorized use on systems you do not own or have explicit permission to test is illegal.

| | |
|---|---|
| Author | Marek Wesołowski (WESMAR) |
| Year | 2026 |
| Website | kvc.pl |
| Email | [email protected] |
| GitHub | github.com/wesmar/kvc |

**KVC Framework v1.0.3** *Advancing Windows Security Research Through Kernel-Level Capabilities* [kvc.pl](https://kvc.pl) · [GitHub](https://github.com/wesmar/kvc) · [Contact](mailto:[email protected])