Kvc
KVC enables unsigned driver loading via DSE bypass (g_CiOptions patch, skci.dll hijack, SeCiCallbacks redirection) and PP/PPL manipulation for LSASS memory dumping on modern Windows with HVCI/VBS.
Install / Use: /learn @wesmar/Kvc
Category: Development & Engineering
README
KVC - Kernel Vulnerability Capabilities Framework
<div align="center">Advanced Windows Security Research & Penetration Testing Framework
Comprehensive Ring-0 toolkit for process protection manipulation, memory forensics, advanced credential extraction, and Driver Signature Enforcement control on modern Windows platforms.
</div>

📋 Changelog
[30.03.2026]
<details>
<summary><strong>💾 Windows 10 DSE Support via SymbolEngine</strong> (click to expand)</summary>

```
C:\>kvc driver load kvckbd
[*] Loading external driver: kvckbd
[*] CiPolicy section not found in ci.dll. Falling back to SymbolEngine (Windows 10)...
[+] [SymbolEngine] Symbol 'g_CiOptions' resolved to RVA: 0x391B0
[+] Resolved g_CiOptions via SymbolEngine at: 0xFFFFF807192391B0 (RVA: 0x391B0)
```

Universal DSE bypass — kvc dse off now works on both Windows 10 and Windows 11. The Standard method uses a dual-path approach: first attempts fast PE-section parsing to locate the CiPolicy section (Windows 11), and if not found, automatically falls back to SymbolEngine-based resolution of g_CiOptions from PDB symbols (Windows 10). This ensures compatibility across all supported Windows versions without requiring the --safe flag. Symbol resolution is performed locally using Microsoft Symbol Server — PDB files are downloaded automatically on first use and cached in C:\ProgramData\dbg\sym\.
</details>
[29.03.2026]
Browser extraction without closing — Chrome, Edge, and Brave passwords, cookies, and payment data are now extracted while the browser is running. No forced close required. The orchestrator kills only the network-service subprocess (which holds database file locks), lets kvc_crypt.dll read the databases, and the browser continues operating normally. For Edge, a second network-service kill is performed immediately after the DLL receives its configuration — timed to hit just before the Cookies database is opened, because Edge restarts its network service faster than Chrome (~1–2 s vs ~3–5 s).
COM Elevation for Edge (passwords and cookies) — Edge master key decryption now uses the browser's own COM elevation service (IEdgeElevatorFinal, CLSID {1FCBE96C-1697-43AF-9140-2897C7C69767}) for all data types, including passwords. DPAPI (CryptUnprotectData) is used as a fallback only when COM elevation fails. The previous split-key strategy (DPAPI for passwords, COM for cookies) has been removed.
kvc.dat deployment — kvc_pass.exe and kvc_crypt.dll are now distributed as a single combined encrypted file (kvc.dat). Running kvc setup or the one-command irm installer automatically extracts both components and places them in C:\Windows\System32. When kvc export secrets or kvc bp detect these files in System32, full browser extraction (including v10/v20 AES-GCM decryption) is used. Without kvc.dat deployed, the command falls back to the built-in DPAPI method for Edge passwords only.
Legacy CPU support — kvc_pass.exe and kvc_crypt.dll are compiled without AVX/YMM instructions. Both binaries run correctly on 3rd-generation Intel Core processors and older systems with SSE2-only support. No /arch:AVX2 or equivalent — verified with dumpbin /disasm | findstr ymm (no matches).
Static CRT — kvc_pass.exe and kvc_crypt.dll now link the C++ runtime statically (/MT, MultiThreaded). No dependency on vcruntime140.dll or msvcp140.dll. The binaries are self-contained and run on any x64 Windows 10/11 installation without requiring Visual C++ Redistributables.
UnderVolter — EFI undervolting module (Ring-1, Intel only) — KVC supports an optional separate module UnderVolter.dat (available in other-tools/undervolter/), an encrypted UEFI payload that deploys a custom EFI application to the EFI System Partition. The key engineering challenge on OEM Intel platforms is that the BIOS typically enforces two firmware-level locks that block all MSR access regardless of OS privilege level: CFG Lock (blocks MSR 0xE2 — power control) and OC Lock (blocks MSR 0x150 — Intel OC Mailbox, the voltage control interface). UnderVolter solves this without physical BIOS flashing or external tools: running as a UEFI application before the Windows bootloader, it directly patches the hidden Setup EFI NVRAM variable — writing 0x00 to the CFG Lock offset and OC Lock offset extracted from the platform's IFR (Internal Form Representation) dump. Once patched, a reboot causes the BIOS POST to read the modified variable and initialise the CPU with both locks cleared. From that point on, MSR 0x150 writes succeed and UnderVolter applies the configured negative voltage offsets and power-limit values per-domain (IACORE, RING, ECORE, UNCORE, GTSLICE, GTUNSLICE) on every subsequent boot — transparently, before Windows loads. AMD is not supported — the OC Mailbox (MSR 0x150) is an Intel-specific interface; AMD uses a different voltage control architecture. Deployment via kvc undervolter deploy: KVC locates the ESP by GPT partition GUID (C12A7328-F81F-11D2-BA4B-00A0C93EC93B) using FindFirstVolume + IOCTL_DISK_GET_PARTITION_INFO_EX — no drive-letter assignment, no mountvol. Mode A replaces \EFI\BOOT\BOOTX64.EFI (original backed up as BOOTX64.efi.bak); mode B copies to \EFI\UnderVolter\ for a manual UEFI boot entry.
Plundervolt-class research capability — With CFG Lock and OC Lock cleared at firmware level, MSR 0x150 is fully writable from UEFI privilege. This enables systematic exploration of the Plundervolt attack surface (CVE-2019-11157): by adjusting the core voltage offset mid-computation, controlled voltage glitches can be induced into cryptographic operations in SGX enclaves or kernel context — allowing fault-injection research without physical probing equipment. Intel's microcode patch for CVE-2019-11157 blocks MSR 0x150 writes only during SGX enclave execution (EENTER/ERESUME); general undervolting outside SGX context remains fully functional on all supported platforms.
Per-generation CPU configuration via UnderVolter.ini — The module ships with a documented UnderVolter.ini covering Intel 2nd through 15th generation Core processors: Sandy Bridge, Ivy Bridge, Haswell, Broadwell, Skylake, Kaby Lake, Coffee Lake (8th/9th gen), Comet Lake, Tiger Lake, Rocket Lake, Alder Lake, Raptor Lake, Meteor Lake, and Arrow Lake (Core Ultra 200S/HX). Each profile is identified by CPUID (family/model) and defines safe voltage offset ranges per domain (IACORE, RING, ECORE, UNCORE, GTSLICE, GTUNSLICE), IccMax limits, and power-limit values where applicable. All offsets include a 20% safety margin based on community-reported stable values. The framework selects the matching profile automatically at boot time via CPUID. The shipped offsets are intentionally conservative — for optimal results, tune the negative voltage values in UnderVolter.ini for your specific chip. Per-generation tuning guidance is available at kvc.pl/repositories/undervolter. Lunar Lake (Core Ultra 200V) is explicitly not supported: its embedded power delivery bypasses the traditional MSR 0x150 OC Mailbox interface entirely. Full documentation, raw binaries, and EFI application source available at kvc.pl/repositories/undervolter. The .dat package is built with KvcXor.exe option 6 (Loader.efi + UnderVolter.efi + UnderVolter.ini -> UnderVolter.dat).
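For anyone who has to verify that a machine's boot path has not been modified in the way the two UnderVolter deployment modes above describe, here is an added ESP integrity check. It is not part of KVC or UnderVolter; it assumes an elevated PowerShell session, that drive letter S: is free, and that $BaselineSha256 (a placeholder here) holds the SHA256 of BOOTX64.EFI recorded from a known-good state of the same machine.

```powershell
# Added integrity check; not part of KVC or UnderVolter. It mounts the EFI System
# Partition, looks for the artefacts the two deployment modes leave behind, and
# compares the fallback loader with a baseline hash you recorded earlier.
# Assumptions: elevated session, S: is free, $BaselineSha256 is a placeholder.
$BaselineSha256 = 'REPLACE_WITH_KNOWN_GOOD_SHA256'
$Esp = 'S:'

mountvol $Esp /S | Out-Null
try {
    $findings = @()
    $boot = Join-Path $Esp 'EFI\BOOT\BOOTX64.EFI'
    $bak  = Join-Path $Esp 'EFI\BOOT\BOOTX64.efi.bak'
    $uvd  = Join-Path $Esp 'EFI\UnderVolter'

    # Mode A keeps the original loader next to the replacement as BOOTX64.efi.bak.
    if (Test-Path $bak) { $findings += "backup of original loader present: $bak" }
    # Mode B drops its own directory for a manually added UEFI boot entry.
    if (Test-Path $uvd) { $findings += "unexpected directory on the ESP: $uvd" }

    if (Test-Path $boot) {
        $hash = (Get-FileHash -Path $boot -Algorithm SHA256).Hash
        if ($hash -ne $BaselineSha256) { $findings += "BOOTX64.EFI SHA256 $hash differs from baseline" }
        # The stock fallback loader carries a Microsoft Authenticode signature; a
        # self-built EFI application normally does not (heuristic, not proof).
        $sig = Get-AuthenticodeSignature -FilePath $boot
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $findings += "BOOTX64.EFI signature status: $($sig.Status)"
        }
    } else {
        $findings += "fallback loader missing: $boot"
    }

    # Anything written under \EFI in the last 30 days is worth a second look.
    $recent = Get-ChildItem (Join-Path $Esp 'EFI') -Recurse -File |
              Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-30) }
    foreach ($f in $recent) { $findings += "recently written: $($f.FullName) ($($f.LastWriteTime))" }

    if ($findings.Count -eq 0) { Write-Host '[+] No UnderVolter-style artefacts found on the ESP' }
    else { foreach ($line in $findings) { Write-Host "[!] $line" } }
}
finally {
    mountvol $Esp /D | Out-Null
}
```

Windows servicing also writes under \EFI, so treat the recent-write list as a prompt to compare against the baseline, not as a verdict on its own.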
GUI process list — kvc list --gui opens a graphical interface for convenient viewing and interaction with long process lists.

Windows Defender & Tamper Protection CLI control — Real-Time Protection and Tamper Protection can be toggled via kvc rtp on/off/status and kvc tp on/off/status.
Next-Generation DSE Bypass — PatchGuard-safe implementation using SeCiCallbacks/ZwFlushInstructionCache redirection. Works with Secure Boot enabled (requires Memory Integrity off). Symbol-based, kernel-version agnostic. Legacy g_CiOptions patch preserved for edge cases.
External driver loading — kvc driver load/reload/stop/remove for seamless unsigned driver management with automatic DSE bypass and restoration.
Module enumeration — kvc modules <process> lists loaded modules in any process including PPL-protected ones, with PE header reads and hex dump support.
Defender exclusions via native WMI — All exclusion operations go directly through the MSFT_MpPreference COM interface (ROOT\Microsoft\Windows\Defender) — no PowerShell spawning. Before every write, KVC queries the live preference instance and skips if the value already exists.
Automatic self-exclusion — On every invocation (including kvc help), KVC silently registers kvc.exe as a Defender process exclusion before any other work begins. No output, no logging. The dedup guard makes it a no-op after the first run.
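The settings changed by the rtp/tp commands and the exclusion writes above are all visible from the Defender module and the Defender Operational event log, so an administrator can audit for them. The script below is an added example, not KVC code; it assumes an elevated PowerShell session on Windows 10/11 with the built-in Defender module, and $Days is a constructed look-back window.

```powershell
# Added audit script; not part of KVC. It reports the Defender settings the
# commands above change (real-time protection, tamper protection, exclusion
# lists) and pulls the Operational log entries that record such changes.
# Assumption: elevated session; $Days (constructed) is the look-back window.
$Days = 7

$pref   = Get-MpPreference
$status = Get-MpComputerStatus
Write-Host "[*] Real-time monitoring disabled : $($pref.DisableRealtimeMonitoring)"
Write-Host "[*] Tamper protection enabled     : $($status.IsTamperProtected)"

$exclusions = @()
foreach ($e in $pref.ExclusionProcess)   { $exclusions += [pscustomobject]@{ Type = 'Process';   Value = $e } }
foreach ($e in $pref.ExclusionPath)      { $exclusions += [pscustomobject]@{ Type = 'Path';      Value = $e } }
foreach ($e in $pref.ExclusionExtension) { $exclusions += [pscustomobject]@{ Type = 'Extension'; Value = $e } }

foreach ($x in $exclusions) {
    # Heuristic: a process exclusion given as a bare file name (as with the
    # silent kvc.exe self-exclusion) or under System32, Users or Temp, and a
    # path exclusion in a user-writable location, are unusual for legitimate software.
    $flag = ($x.Type -eq 'Process' -and ($x.Value -notmatch '\\' -or $x.Value -match '(?i)\\(System32|Users|Temp)\\')) -or
            ($x.Type -eq 'Path'    -and  $x.Value -match '(?i)\\(Users|Temp|ProgramData)\\')
    $tag = if ($flag) { '[!]' } else { '[ ]' }
    Write-Host "$tag $($x.Type.PadRight(9)) $($x.Value)"
}

# Defender Operational log: 5001 = real-time protection disabled,
# 5013 = tamper protection blocked a change, 5007 = configuration changed
# (its message lists the registry value that changed, e.g. ...\Exclusions\Processes\<name>).
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001, 5007, 5013
    StartTime = (Get-Date).AddDays(-$Days)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -ne 5007 -or $_.Message -match 'Exclusions|Real-Time Protection|TamperProtection' } |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, Id, @{ n = 'Detail'; e = {
        $lines = $_.Message -split "`r?`n"
        $new = @($lines | Where-Object { $_ -match '^\s*New value:' })
        if ($new.Count -gt 0) { ($new -join ' ; ').Trim() } else { $lines[0] }
    } } -AutoSize -Wrap
```

Because the self-exclusion is registered with no output or log line of its own, the 5007 "New value" entry naming Exclusions\Processes is usually the only trace on the host, which is why the script keys on it.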
Process enumeration performance — GetProcessList now performs a single CreateToolhelp32Snapshot to build a PID→name map before the kernel walk, replacing per-process OpenProcess + QueryFullProcessImageName round-trips. Kernel offsets are hoisted outside the loop. Measurable speedup on kvc list.
Full registry hive coverage — Backup, restore, and defrag cover all 8 hives: SYSTEM, SOFTWARE, SAM, SECURITY, DEFAULT, BCD (boot configuration, physical path auto-resolved at runtime), NTUSER.DAT and UsrClass.dat (current user, SID-resolved).
Tetris — kvc tetris — because why not. Written in x64 assembly.
Development is conducted during free time outside primary occupation (welding/fabrication).
📚 Learn More & Stay Updated
kvc.pl - Official website currently under construction.
<sub>The site will feature in-depth technical articles, case studies, and insights from 30 years of experience</sub>