So, this one... should it work? (I use the administrator account directly.)

```text
D:\Backup>Kpc.exe info lsass.exe
[+] Found PsInitialSystemProcess offset: 0xcfc420
[+] Found UniqueProcessId offset: 0x440
[+] Found ProcessProtection offset: 0x87a
[-] No process found matching pattern: lsass.exe

D:\Backup>Kpc.exe info lsass
[+] Found PsInitialSystemProcess offset: 0xcfc420
[+] Found UniqueProcessId offset: 0x440
[+] Found ProcessProtection offset: 0x87a
[-] No process found matching pattern: lsass
```
Indeed! I'll correct it!

Added after a few minutes:
------------------------------------------
I've updated the info and replaced the files. From time to time I'll edit the first post and add CRC=CRC from my own resources. I still have a few things left related to detection and sensitivity of some AVs:

- Encrypt all strings with XOR using the PE checksum as a key
- Implement dynamic API loading for driver management calls
- Generate the service name at runtime
- Merge .rdata with .text to hide string literals
For the average user, the main practical difference is that my program runs in Ring-0 (kernel mode), whereas Process Hacker operates primarily in Ring-3 (user mode). Here's a breakdown:

- Ring-0 vs Ring-3: Ring-0 (kernel mode) allows full access to system memory and hardware. Ring-3 (user mode), where Process Hacker runs, has limited access and cannot directly manipulate protected processes or kernel memory.
- Protected Processes / PPL: Process Hacker can access some protected processes only via an optional driver, which is limited. My program, running in Ring-0, can interact with these processes more directly and reliably.
- WinTCB Privilege: Process Hacker does not operate with WinTCB (SeTcbPrivilege) rights; it's not part of the Trusted Computing Base. While my program runs in kernel mode, it can perform operations that would normally require elevated privileges, giving it a practical edge for advanced tasks.

In short, running in Ring-0 makes my program more capable for tasks that require deep system access, which is why it's more practical than Process Hacker for certain advanced use cases.
What average user? No average user has any idea what this is about... or will ever need this. No offence intended to the dev.
You never even opened Process Hacker. Go to Options > enable Kernel mode, so you will enter Ring-0 (kernel mode). It is disabled by default so that the average user does not cause any damage. Ask if you don't understand; I'm very good with Process Hacker. Your KPC is a good attempt, but that's not it. "Average" sounds better than "stupid," don't you agree?
An average user will never need to learn about this; why would they? Not bothering to respond to the town clown above...
Tested the command `C:\kvc\kvc.exe unprotect all`. After a couple of hours running in unprotected mode, blue screen of death... I am a below-average user, don't get the point...
Do you remember what error it was with? I'm interested because of other things, not KVC (that's bulls**t).
Sorry, no. I ran `C:\kvc\kvc.exe list`. Results:

```text
C:\Users\User>C:\kvc\kvc.exe list
[+] Found PsInitialSystemProcess offset: 0xfc4aa8
[+] Found UniqueProcessId offset: 0x1d0
[+] Found ProcessProtection offset: 0x5fa
[*] Initializing kernel driver component...
[+] TrustedInstaller token cached successfully
[+] Kernel driver component initialized successfully
-------+------------------------------+---------+-----------------+-----------------------+-----------------------+--------------------
  PID  | Process Name                 | Level   | Signer          | EXE sig. level        | DLL sig. level        | Kernel addr.
-------+------------------------------+---------+-----------------+-----------------------+-----------------------+--------------------
     4 | System [NT Kernel Core]      | PP (2)  | WinSystem (7)   | Kernel (0x1e)         | System (0x1c)         | 0xffffb705a16a6040
    96 | Registry                     | PP (2)  | WinSystem (7)   | None (0x00)           | None (0x00)           | 0xffffb705a17ca080
   440 | smss.exe                     | PPL (1) | WinTcb (6)      | Critical (0x3e)       | Standard (0x0c)       | 0xffffb705a3be6040
   708 | csrss.exe                    | PPL (1) | WinTcb (6)      | Critical (0x3e)       | Standard (0x0c)       | 0xffffb705a5673080
   788 | csrss.exe                    | PPL (1) | WinTcb (6)      | Critical (0x3e)       | Standard (0x0c)       | 0xffffb705a5a33140
   808 | wininit.exe                  | PPL (1) | WinTcb (6)      | Critical (0x3e)       | Standard (0x0c)       | 0xffffb705a5a35080
   932 | services.exe                 | PPL (1) | WinTcb (6)      | Critical (0x3e)       | Standard (0x0c)       | 0xffffb705a5acd080
  5480 | svchost.exe                  | PPL (1) | Windows (5)     | Service (0x3c)        | Standard (0x0c)       | 0xffffb705a7ed9080
-------+------------------------------+---------+-----------------+-----------------------+-----------------------+--------------------
[+] Enumerated 8 protected processes
[*] Starting atomic cleanup procedure...
[+] Atomic cleanup completed successfully

C:\Users\User>
```

Then ran `C:\kvc\kvc.exe unprotect all`:

```text
C:\Users\User> C:\kvc\kvc.exe unprotect all
[+] Found PsInitialSystemProcess offset: 0xfc4aa8
[+] Found UniqueProcessId offset: 0x1d0
[+] Found ProcessProtection offset: 0x5fa
[*] Initializing kernel driver component...
[+] TrustedInstaller token cached successfully
[+] Kernel driver component initialized successfully
[*] Starting mass unprotection of all protected processes...
[+] Removed protection from PID 4 (System [NT Kernel Core])
[+] Removed protection from PID 96 (Registry)
[+] Removed protection from PID 440 (smss.exe)
[+] Removed protection from PID 708 (csrss.exe)
[+] Removed protection from PID 788 (csrss.exe)
[+] Removed protection from PID 808 (wininit.exe)
[+] Removed protection from PID 932 (services.exe)
[+] Removed protection from PID 5480 (svchost.exe)
[*] Mass unprotection completed: 8/8 processes successfully unprotected
[*] Starting atomic cleanup procedure...
[+] Atomic cleanup completed successfully

C:\Users\User>C:\kvc\kvc.exe list
[+] Found PsInitialSystemProcess offset: 0xfc4aa8
[+] Found UniqueProcessId offset: 0x1d0
[+] Found ProcessProtection offset: 0x5fa
[*] Initializing kernel driver component...
[+] TrustedInstaller token cached successfully
[+] Kernel driver component initialized successfully
-------+------------------------------+---------+-----------------+-----------------------+-----------------------+--------------------
  PID  | Process Name                 | Level   | Signer          | EXE sig. level        | DLL sig. level        | Kernel addr.
-------+------------------------------+---------+-----------------+-----------------------+-----------------------+--------------------
-------+------------------------------+---------+-----------------+-----------------------+-----------------------+--------------------
[+] Enumerated 0 protected processes
[*] Starting atomic cleanup procedure...
[+] Atomic cleanup completed successfully

C:\Users\User>
```
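An added example, not code from the thread or from KVC: a small parser for the table that `kvc.exe list` prints, so that a baseline snapshot can be diffed against a later one to see which processes lost their PP/PPL level (the 8-to-0 drop shown above). The PS_PROTECTION field layout is the documented one from ntddk.h; the sample rows are copied from the output posted above and the parsing of kvc's column format is an assumption based on that output.

```python
import re
from typing import Dict, List, NamedTuple

# PS_PROTECTION byte layout (Windows ntddk.h): Type in bits 0-2, Audit in bit 3,
# Signer in bits 4-7. The numbers kvc prints in parentheses are these two fields.
PROTECTION_TYPES = {0: "None", 1: "PPL", 2: "PP"}
SIGNERS = {0: "None", 1: "Authenticode", 2: "CodeGen", 3: "Antimalware",
           4: "Lsa", 5: "Windows", 6: "WinTcb", 7: "WinSystem"}

class ProtectedProcess(NamedTuple):
    pid: int
    name: str
    level: int    # PS_PROTECTION.Type  (2 = PP, 1 = PPL)
    signer: int   # PS_PROTECTION.Signer
    @property
    def protection_byte(self) -> int:
        """Pack level and signer back into the single EPROCESS Protection byte."""
        return (self.signer << 4) | self.level

def describe_protection(byte: int) -> str:
    """Human-readable form of a raw Protection byte, e.g. 0x61 -> 'PPL/WinTcb'."""
    return f"{PROTECTION_TYPES.get(byte & 0x7, '?')}/{SIGNERS.get(byte >> 4, '?')}"

# One data row: "440 | smss.exe | PPL (1) | WinTcb (6) | ..."; header, separators and status lines have no leading PID.
ROW_RE = re.compile(r"^\s*(\d+)\s*\|\s*(.+?)\s*\|\s*\w+\s*\((\d+)\)\s*\|\s*\w+\s*\((\d+)\)\s*\|")

def parse_kvc_list(output: str) -> Dict[int, ProtectedProcess]:
    """Return the protected processes from a `kvc.exe list` transcript, keyed by PID."""
    procs: Dict[int, ProtectedProcess] = {}
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            pid, name, level, signer = m.groups()
            procs[int(pid)] = ProtectedProcess(int(pid), name, int(level), int(signer))
    return procs

def lost_protection(baseline: Dict[int, ProtectedProcess],
                    current: Dict[int, ProtectedProcess]) -> List[ProtectedProcess]:
    """Baseline processes that have vanished from the protected list or been downgraded."""
    return [p for pid, p in baseline.items()
            if pid not in current or current[pid].level < p.level]

# Constructed sample: two rows copied from the `list` output posted above, followed by
# the empty table (header plus a status line) the same poster got after `unprotect all`.
BEFORE = """\
  PID  | Process Name            | Level   | Signer        | EXE sig. level  | DLL sig. level  | Kernel addr.
     4 | System [NT Kernel Core] | PP (2)  | WinSystem (7) | Kernel (0x1e)   | System (0x1c)   | 0xffffb705a16a6040
   440 | smss.exe                | PPL (1) | WinTcb (6)    | Critical (0x3e) | Standard (0x0c) | 0xffffb705a3be6040
"""
AFTER = "  PID  | Process Name | Level | Signer | EXE sig. level | DLL sig. level | Kernel addr.\n[+] Enumerated 0 protected processes\n"
```

Running `lost_protection(parse_kvc_list(BEFORE), parse_kvc_list(AFTER))` on the two snapshots returns both rows, since neither PID appears in the post-unprotect table.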
You can't do that; it's normal that your system will crash sooner or later. The material is too big to go into explanations. Whoever gives you the "unprotect all" option is being frivolous. Stay away from such non-transparent applications, because you'll make a mess of your OS.
It won't break anything, and you can actually learn a lot while restoring the protection level and the signer. As for Process Hacker, it won't work on modern systems. The driver simply won't allow it; I've checked. It's useless, as I mentioned before; only RING-3 works.
It doesn’t work; it doesn’t dump the lsass.exe process. The kernel driver is 20 times larger than mine: 282 KB vs. 14 KB.