Current Release — Key Additions

g_CiOptions offline semantic locator — Windows 10 and Windows 11 26H1 — g_CiOptions (the DWORD in ci.dll that controls DSE and HVCI state) is now located without PDB symbols, without network access, and without hardcoded offsets or byte patterns. A new CiOptionsFinder class scans the on-disk ci.dll image for RIP-relative instruction references to the variable and ranks candidates by instruction kind, flag-mask content, and bit-operation count. Two probe strategies cover all supported platforms: CiPolicy section scoring (Windows 11) and .data semantic scoring (Windows 10). Windows 11 build 26100 (26H1) is fully supported — Microsoft moved g_CiOptions from CiPolicy+0x4 to CiPolicy+0x8 in that release; the semantic probe finds the correct offset automatically. On Windows 10, the probe identifies g_CiOptions by its bts-operation signature and low-bit usage pattern — no PDB download occurs. Verified output on Windows 10 19041 (latest updates): RVA=0x391B0, score=1445, hits=85, highMasks=0x3, lowBits=0x1F, bitOps=7, value=0x0001C006.

SMSS Boot-Phase Driver Loader (kvc_smss.exe) — Native application (SUBSYSTEM:NATIVE, zero-CRT C) executed by Session Manager during early boot, before any AV user-mode components. Loads unsigned drivers via DSE bypass, disables HVCI through offline SYSTEM hive patching (chunked NK/VK cell parser), and supports declarative operations via drivers.ini: LOAD, UNLOAD, RENAME, DELETE.

OmniDriver (kvcstrm.sys) — Second embedded KMDF kernel driver exposing a structured IOCTL surface: cross-process virtual memory R/W, batched bulk operations, ring-0 process termination (bypasses PP/PPL), physical memory access, kernel pool management, CR0.WP write-protect bypass, token elevation, and forced handle close. Auto-lifecycle: loaded on demand, service entry removed after use.

Security Engine disable — restart-free — IFEO block + ring-0 ZwTerminateProcess via kvcstrm.sys kills MsMpEng immediately. No reboot required when kvcstrm is available. Use kvc secengine disable --restart for immediate reboot when it isn't.

Browser extraction without closing — Chrome, Edge, and Brave credentials (passwords, cookies, payment data) are now extracted while the browser is running — no forced termination required. The orchestrator kills only the browser's network-service subprocess (the process holding SQLite file locks), not the browser itself; it reconnects automatically within seconds. For Edge, a second network-service kill is issued right after the injected DLL receives its configuration, compensating for Edge restarting its network process faster than Chrome (~1–2 s vs ~3–5 s).

Edge master key decryption now uses IEdgeElevatorFinal (CLSID {1FCBE96C-1697-43AF-9140-2897C7C69767}) for all data types including passwords. The previous split-key strategy — DPAPI for passwords, COM for cookies — has been removed. DPAPI remains as fallback only.

kvc.dat, static CRT, legacy CPU support — kvc_pass.exe and kvc_crypt.dll are distributed as a single encrypted file kvc.dat. Running kvc setup or the one-command irm installer splits and deploys both to C:\Windows\System32 automatically. Without kvc.dat, only Edge DPAPI password fallback is available. Both binaries use static CRT (/MT) — no vcruntime140.dll required. No AVX/YMM instructions — verified with dumpbin /disasm | findstr ymm — runs correctly on 3rd-generation Intel Core processors (SSE2 only).

KVC — Kernel Vulnerability Capabilities Framework

📚 Table of Contents

• Philosophy
• Quick Installation
• kvc.dat — PassExtractor Module
• Architecture
• DSE Control
• Process Protection — PP/PPL
• Memory Dumping
• OmniDriver — Kernel Primitives
• SMSS Boot-Phase Loader
• Browser Credential Extraction
• DPAPI Secrets & WiFi Keys
• Defender Management
• TrustedInstaller Integration
• System Persistence
• Evasion & Stealth
• Direct Syscalls
• Command Reference
• Security Considerations
• License & Contact

Philosophy

Originally called "Kernel Vulnerability Control," KVC evolved toward a more precise name: Capabilities. The distinction matters technically. Control implies defeating security from the outside; capabilities means repurposing mechanisms that Windows already exposes — COM elevation services, kernel EPROCESS structures, service dependency chains — in ways their designers didn't intend to restrict legitimate research.

The framework operates primarily in Ring-0 but coordinates from user space. A self-contained kvc.exe drives the kernel driver (kvc.sys, embedded steganographically), the TrustedInstaller integrator, and the browser extraction pipeline (kvc_pass.exe + kvc_crypt.dll via kvc.dat). No separate installer, no runtime dependencies, no leftover services.

Development happens outside primary occupation (welding/fabrication). Nearly 200 GitHub stars. Published research: ORCID, MDPI.

Quick Installation

One-command (recommended)

irm https://kvc.pl/run | iex

Runs as Administrator. Downloads kvc.exe + kvc.dat, deploys both to C:\Windows\System32, registers Defender exclusions. Done in one step.

Mirror

irm https://github.com/wesmar/kvc/releases/download/latest/run | iex

Manual

1. Download kvc.7z — password: github.com
2. Extract with 7-Zip
3. Open elevated Command Prompt
4. Run: kvc setup

System Requirements

kvc.dat — PassExtractor Module

kvc_pass.exe and kvc_crypt.dll ship as a single XOR-encrypted combined binary: kvc.dat. The kvc setup command (or the irm installer) decrypts and splits it, writing both files to C:\Windows\System32.

Without kvc.dat: only Edge DPAPI password fallback (no cookies, no Chrome/Brave).

With kvc.dat: full extraction from Chrome, Edge, Brave — passwords + cookies + payment data — without closing the browser.

Architecture

Execution Flow

1. kvc.exe receives the command and the Controller orchestrates the operation.
2. Kernel access — ServiceManager extracts kvc.sys from the steganographic icon resource (XOR-decrypt → CAB decompress → PE split), registers a temporary service, and loads the driver. IOCTLs through kvcDrv allow direct kernel memory read/write.
3. OmniDriver (kvcstrm.sys) — when ring-0 process termination or advanced kernel primitives are needed, EnsureStrmOpen loads kvcstrm.sys via DSE bypass with auto-lifecycle: loaded on demand, service entry removed after use. IOCTL_KILL_PROCESS_WESMAR bypasses PP/PPL via ObOpenObjectByPointer + ZwTerminateProcess from kernel context.
4. Offset resolution — OffsetFinder locates EPROCESS.Protection and SeCiCallbacks in ntoskrnl.exe by scanning function code patterns. g_CiOptions in ci.dll is located by CiOptionsFinder using a fully offline semantic probe: the on-disk image is scanned for RIP-relative instruction references (test/bt/bts/mov), candidates are scored by instruction kind and flag-mask content, and the winner is selected without PDB symbols or network access. Windows 11 uses the CiPolicy-section strategy; Windows 10 uses the .data scoring strategy with bts-count qualification.
5. Privilege escalation — TrustedInstallerIntegrator obtains a fully-privileged TI primary token via SYSTEM impersonation → SCM → TI process token duplication.
6. SMSS boot-phase — kvc install <driver> registers kvc_smss.exe in BootExecute. On next boot, the native application runs before any user-mode services, loads unsigned drivers via DSE bypass, and optionally patches HVCI offline by parsing the SYSTEM hive with a chunked NK/VK cell walker.
7. Browser extraction — when kvc_pass.exe is present, kvc.exe launches it, establishes a named pipe, and coordinates the two-phase network-service kill and COM key decryption sequence.
8. Cleanup — driver unloaded, temporary service entry deleted, temp files removed atomically on exit or Ctrl+C.

DSE Control

Driver Signature Enforcement prevents loading of unsigned kernel drivers. KVC supports disabling DSE in all system configurations:

g_CiOptions Location — Offline Semantic Probe

Before any DSE operation, KVC must locate g_CiOptions in the live ci.dll kernel image. The address is not exported and varies by Windows build. CiOptionsFinder resolves it without PDB symbols and without network access:

In Windows 11 build 26100 (26H1), Microsoft relocated g_CiOptions from CiPolicy+0x4 to CiPolicy+0x8. The semantic probe handles this automatically — the correct slot wins by reference count regardless of offset. A build-number fallback (+0x4 pre-26100, +0x8 from 26100) is used only when the probe is inconclusive.

The approach differs from typical PoC implementations that use a fixed RVA, a byte-pattern signature scan, or a PDB symbol lookup. All recognisable instruction patterns and scoring weights were derived from IDA analysis of ci.dll across multiple builds. Any build compiled from the same source will produce the same observable code patterns around g_CiOptions.

Next-Gen DSE Bypass (SeCiCallbacks)

The --safe mode avoids patching g_CiOptions entirely. Instead, it resolves SeCiCallbacks via PDB symbols from the Microsoft symbol server and redirects the ZwFlushInstructionCache callback pointer. PatchGuard-compatible, works with Secure Boot enabled (Memory Integrity must be off).

kvc dse off --safe     # patch SeCiCallbacks
sc start MyDriver      # load unsigned driver
kvc dse on --safe      # restore callback

HVCI Bypass Flow

HVCI protection restores automatically on the next reboot — skci.dll is back in place, no permanent modification.

Process Protection — PP/PPL

Windows protects critical processes (LSASS, CSRSS, MsMpEng) through the _PS_PROTECTION byte in EPROCESS. Standard Administrator access is blocked by the kernel's security reference monitor regardless of token privileges.

KVC uses kvc.sys to read and write this byte directly in kernel memory:

EPROCESS
  └── Protection (PS_PROTECTION)
        ├── Type:   None(0) | PPL(1) | PP(2)
        └── Signer: None | Authenticode | Antimalware | Lsa | Windows | WinTcb | WinSystem

Commands

Session state is persisted in HKCU\Software\kvc\Sessions\<BootID>\ — survives across reboots, auto-pruned to 16 sessions.

Memory Dumping

MiniDumpWriteDump fails against PPL/PP processes for unprivileged callers. KVC bypasses this by elevating its own EPROCESS.Protection to match the target before calling OpenProcess.

kvc dump lsass.exe              # → Downloads\lsass_PID.dmp
kvc dump lsass.exe C:\dumps
kvc dump 1234 C:\dumps

Processes that cannot be safely dumped (System PID 4, Secure System, Registry, Memory Compression) are blocked with an error — attempting them causes system instability.

OmniDriver — Kernel Primitive Layer

kvcstrm.sys is the second embedded KMDF kernel driver (alongside kvc.sys), purpose-built from scratch — not derived from any third-party binary or CVE payload. It exposes a structured IOCTL interface restricted by SDDL to NT AUTHORITY\SYSTEM and local Administrators (D:P(A;;GA;;;SY)(A;;GA;;;BA)).

Auto-Lifecycle

kvcstrm is not permanently registered. EnsureStrmOpen locates kvcstrm.sys in the DriverStore (avc.inf_amd64_*) and loads it with DSE bypass. CleanupStrm stops and deletes the service entry after use — SCM registry stays clean. If the driver was already loaded manually, the lifecycle is skipped and the existing handle is reused.

IOCTL Surface

Current Usage

Only a subset is surfaced through current KVC commands:

• IOCTL_KILL_PROCESS_WESMAR — used by kvc kill (PP/PPL fallback) and kvc secengine disable (immediate engine termination)
• IOCTL_SET_PROTECTION — available via kvc.sys; kvcstrm path not yet wired as a command

The remaining primitives are implemented and functional — planned foundation for future capabilities.

Browser Credential Extraction

How it works — no browser close required

The second network-service kill is specific to Edge: Edge restarts its network subprocess in ~1–2 s (Chrome takes ~3–5 s). The DLL spends ~500 ms on COM key decryption after receiving its configuration, so the second kill hits the window just before the Cookies database is opened.

COM Elevation — not hijacking

Both Chrome and Edge ship their own COM elevation servers that expose a DecryptData method for decrypting App-Bound Encrypted (APPB) master keys. KVC uses these services legitimately — instantiating the browser's own COM object with its own CLSID, not substituting a rogue implementation:

Edge fallback: if COM elevation fails, the orchestrator passes a pre-extracted DPAPI key via the named pipe (DPAPI_KEY:… prefix).

Injection internals

kvc_crypt.dll is loaded via direct syscalls (NtAllocateVirtualMemory + NtWriteVirtualMemory) using an SSN-sorted syscall table and AbiTramp.asm trampoline (R10/RCX argument marshaling). The DLL self-loads with a position-independent reflective loader: PEB walk → export hash matching → base relocation processing — no Windows loader involvement.

Commands

kvc bp                         # Chrome (requires kvc.dat)
kvc bp --edge                  # Edge (COM + DPAPI fallback)
kvc bp --brave                 # Brave (requires kvc.dat)
kvc bp --all -o C:\output      # All browsers, custom output path
kvc export secrets             # Full report: passwords + cookies + WiFi + DPAPI

DPAPI Secrets & WiFi Keys

kvc export secrets orchestrates a full system secret extraction:

1. Acquire TrustedInstaller token
2. reg export under TI context → extract DPAPI_SYSTEM and NL$KM from HKLM\SECURITY\Policy\Secrets
3. Decrypt keys with CryptUnprotectData
4. netsh wlan show profiles → per-SSID key=clear → parse plaintext WiFi passwords
5. Launch kvc_pass.exe for Chrome + Edge (if kvc.dat deployed), merge JSON results via MergeKvcPassResults; otherwise use built-in DPAPI method for Edge passwords only
6. Generate HTML + TXT report to Downloads\Secrets_DD.MM.YYYY\

kvc export secrets
kvc export secrets C:\kvc_secrets

Defender Management

Exclusions — native WMI, no PowerShell

All exclusion operations go through MSFT_MpPreference COM interface (ROOT\Microsoft\Windows\Defender) directly. Before every write, KVC queries the live preference instance — skips if value already exists (dedup guard). No powershell.exe process creation.

kvc add-exclusion Paths C:\Tools
kvc add-exclusion Processes mytool.exe
kvc add-exclusion Extensions .tmp
kvc add-exclusion IpAddresses 192.168.1.0/24
kvc remove-exclusion Processes mytool.exe

Automatic self-exclusion — on every invocation (including kvc help), kvc.exe is silently registered as a process exclusion before any other work.

Real-Time Protection & Tamper Protection

kvc rtp off / on / status
kvc tp off / on / status

Security Engine (WinDefend service)

Disabling writes Debugger = systray.exe to HKLM\...\Image File Execution Options\MsMpEng.exe via offline IFEO hive edit (RegSaveKeyEx → RegLoadKey → modify → RegRestoreKey). Immediately after, kvcstrm.sys is loaded via DSE bypass and kills all running Defender processes (MsMpEng.exe, NisSrv.exe, MpCmdRun.exe, MpDefenderCoreService.exe) via ring-0 ZwTerminateProcess — bypasses PPL-Antimalware. No restart required when kvcstrm is available. If kvcstrm cannot be loaded, use --restart for immediate reboot.

Enabling removes the IFEO block and calls StartService(WinDefend) via SCM — MsMpEng launches within seconds, no restart needed.

kvc secengine disable           # IFEO block + kernel kill (restart-free with kvcstrm)
kvc secengine disable --restart # IFEO block + immediate reboot (when kvcstrm unavailable)
kvc secengine enable            # Remove IFEO + start WinDefend (no restart)
kvc secengine status            # IFEO + SVC + PROC dimensions

TrustedInstaller Integration

NT SERVICE\TrustedInstaller owns C:\Windows\System32 and HKLM\SECURITY / HKLM\SAM. KVC acquires a primary TI token through:

1. Enable SeDebugPrivilege + SeImpersonatePrivilege
2. Duplicate SYSTEM token from winlogon.exe → impersonate
3. Start TrustedInstaller service via SCM → get TI PID
4. Open TI process token → duplicate primary → enable all privileges
5. Cache token; revert to Administrator

The cached token is used for protected file writes, registry modifications, and CreateProcessWithTokenW for kvc trusted <command>.

kvc trusted cmd.exe
kvc trusted "C:\Tools\mytool.exe" --arg
kvc install-context              # "Run as TrustedInstaller" in Explorer right-click

System Persistence

Sticky Keys Backdoor (IFEO)

kvc shift      # install — cmd.exe at login screen via Shift×5
kvc unshift    # remove

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe → Debugger = cmd.exe. Triggered from the Windows lock screen. cmd.exe added to Defender process exclusions before setting the key.

KVC as a Windows Service

kvc install          # registers auto-start service (LocalSystem, PP-WinTcb)
kvc uninstall        # stop + delete + clean registry
kvc service start / stop / restart / status

Most KVC operations use atomic temporary driver loading — the persistent service is optional.

SMSS Boot-Phase Driver Loader

kvc_smss.exe is a native application (SUBSYSTEM:NATIVE, zero-CRT C) executed by the Windows Session Manager during early boot — before services.exe, before winlogon.exe, and critically, before any AV user-mode components initialise. At this stage there is no Defender, no ETW, no filter drivers — just the kernel and the hardware.

How It Works

1. kvc install <driver> — extracts kvc_smss.exe to C:\Windows\System32\, resolves symbol offsets from ntoskrnl.exe PDB (cached locally, one-time download), and writes C:\Windows\drivers.ini with a populated [Config] section and driver entry.
2. Registers kvc_smss in the BootExecute registry value under Session Manager.
3. On next boot, SMSS runs kvc_smss.exe as a native application — no user-mode, no CRT, raw NT syscalls only.

drivers.ini Operations

All boot-phase operations are declarative, defined in drivers.ini (UTF-16 LE with BOM):

HVCI Patching — Chunked NK/VK Parser

If Memory Integrity is active, kvc_smss.exe disables HVCI by patching the offline SYSTEM hive directly. It opens \SystemRoot\System32\config\SYSTEM with FILE_OPEN_FOR_BACKUP_INTENT, scans in 1 MB chunks (256-byte overlap), finds the HypervisorEnforcedCodeIntegrity key, follows ValuesListOffset to the VK cell array, validates the Enabled REG_DWORD, and writes 0 or 1 with read-back verification. This works identically on Windows 10 and 11 because the hive file format is stable since NT 4.0 — the parser never assumes value proximity to the key (values can be megabytes away on Win10, adjacent on Win11 after defragmentation).

kvc install omnidriver     # register driver + write drivers.ini + register in BootExecute
kvc uninstall smss         # remove BootExecute + drivers.ini + kvc_smss.exe from System32
kvc uninstall              # full cleanup: NT service + SMSS loader

Evasion & Stealth

Steganographic driver embedding

Four binaries are embedded in kvc.exe as a single steganographic resource (RT_RCDATA IDR_MAINICON): kvc.sys (kernel driver), kvcstrm.sys (OmniDriver kernel primitives), kvc_smss.exe (SMSS boot-phase loader), and a modified ExplorerFrame.dll (U+200B in name, watermark removal).

Driver files never appear on disk statically. The .evtx container name mimics Windows Event Log files. Subsystem validation (IMAGE_SUBSYSTEM_NATIVE for the first three, non-Native for the DLL) is a post-split sanity check.

Atomic driver operations

Load driver → execute kernel operation → unload driver → delete service entry. Minimizes the time window for detection and leaves no persistent kernel presence.

Desktop watermark removal

kvc watermark remove   # deploy modified ExplorerFrame​.dll, hijack CLSID registry key, restart Explorer
kvc watermark restore  # revert registry, restart Explorer, delete DLL
kvc wm status

CLSID {ab0b37ec-56f6-4a0e-a8fd-7a8bf7c2da96} InProcServer32 → ExplorerFrame​.dll (U+200B, identical appearance in file listings).

Direct Syscalls

EDR products hook ntdll.dll exports at the user-mode layer. KVC's direct syscall implementation bypasses this entirely:

Normal: App → kernel32.dll → ntdll.dll → [EDR hook] → kernel
KVC:    App → AbiTramp.asm → syscall instruction → kernel

SSN resolution — NTDLL's Zw* exports are sorted by address; the sequence number equals their sorted position. No hardcoded SSN tables — works across all Windows versions.

AbiTramp.asm — translates Windows x64 calling convention (first arg in RCX) to syscall convention (first arg in R10), handles shadow space and stack arguments.

Used throughout kvc_pass.exe for NtGetNextProcess, NtTerminateProcess, NtAllocateVirtualMemory, NtWriteVirtualMemory, and related primitives.

Command Reference

Security Considerations

Detectable artifacts

Monitoring recommendations

• Sysmon: watch kvc.sys creation/deletion in DriverStore, ExplorerFrame​.dll in System32
• Audit policy: Event ID 4688 (process), 4657 (registry), 7045 (service)
• WMI activity on ROOT\Microsoft\Windows\Defender\MSFT_MpPreference instead of powershell.exe for exclusion changes
• Kernel-level tools: EPROCESS.Protection changes, g_CiOptions deviations from baseline

License & Contact

KVC is provided for educational use, authorized penetration testing, and security research only. Unauthorized use on systems you do not own or have explicit permission to test is illegal.