KPC: Ultimate Windows Privilege Escalation & Memory Forensics Tool

Discussion in 'MDL Projects and Applications' started by wesmar, Sep 2, 2025.

  1. liliactr

    liliactr MDL Addicted

    Sep 3, 2009
    #61 liliactr, Mar 23, 2026
    Last edited: Mar 23, 2026
  2. liliactr

    liliactr MDL Addicted

    Sep 3, 2009
    #63 liliactr, Mar 23, 2026
    Last edited: Mar 23, 2026
    How can I hide the BootBypass DOS screen before the Windows logo and boot like a normal Windows? KernelResearchKit does not support .inf loading? Also, it could not load my .sys file. I manually installed the driver from the .inf file. All this is enough for me. Maybe sometime in the future you could make a smaller and more compact KernelResearchKit -> UnsignedDriverInstallKit, only for loading an unsigned driver at boot and adding a Defender exclusion list. Not more.

    "kvc dse" or "kvc dse status" does not work and show the status. Not very important.
     
  3. wesmar

    wesmar MDL Member

    Apr 1, 2012
    Just realized you’ve been using the BootBypass.exe build. You can actually use it to disable the Defender service and rename MsMpEng.exe simultaneously, while also disabling the WdFilter.sys driver at the boot stage before it even starts. On top of that, you can add file and process exclusions via WMI/COM.
    I don’t want to clutter the thread here, but the whole process can be made completely transparent. I’d have to compile a version of BootBypass for you that shows nothing on the screen (which is obviously doable)—in that case, it can either log to a file or stay completely silent.
    KVC also has the ability to neutralize Defender, but not at system startup.
     
  4. mephistooo2

    mephistooo2 MDL Member

    Feb 5, 2008
    @wesmar

    Thank you so much for this wonderful work.

    I understand that SecureBoot is a hardware-based security layer, but I'm wondering if unsigned EFI files can be booted with this application while SecureBoot is enabled?
     
  5. wesmar

    wesmar MDL Member

    Apr 1, 2012
    Not with this specific tool, no. However, I’m planning to release my Black Lotus Gen II this summer, and that’s where the real magic will happen.

    Right now, I’m waiting for the June revocation cycle to hit. Microsoft is expected to finally pull the plug on all the compromised EFI binaries that the original Black Lotus exploited. Once those are officially out of the way in the DBX, I’ll drop the second generation. It’s going to be a much more 'pleasant' and streamlined experience for everyone. Stay tuned.
     
  6. Xadiaris

    Xadiaris MDL Junior Member

    Apr 23, 2008
    You are the best man.
     
  7. Xadiaris

    Xadiaris MDL Junior Member

    Apr 23, 2008
    Is it possible for “kvc dse off” to be permanent?
     
  8. Lenweodd

    Lenweodd MDL Novice

    Mar 9, 2026
    Seems like the BSODs are likely tied to how KVC handles PPL removal rather than just the unprotect call itself.
    Has anyone tested doing selective unprotect (e.g. only LSASS) instead of all to see if stability improves? Could help isolate which process or protection layer actually triggers the crash.
     
  9. TheViking99

    TheViking99 MDL Junior Member

    Feb 20, 2026
    Hello, and you have made an excellent program here!!!
    I am new to this and found your posts. Using Windows 10 Enterprise LTSC, I am only interested in being able to bypass the driver... since I like to have an older version of a program running that has NO signed driver.
    I have used it since the Vista days and now I found your option to disable that enforcement.
    Is there an option to have this disabled and keep it disabled? Nothing else I need to do right now, just have it permanently.
    In Windows 7 I could press F8 on startup and select to disable that driver enforcement... simple.
    But if it can be made permanent on startup with Windows 10, that would be super great.
    Thanks in advance and keep up your superb work with this!
     
  10. TheViking99

    TheViking99 MDL Junior Member

    Feb 20, 2026
    Please let us know when you have implemented the permanent DSE OFF option.
    I have an old Dell laptop with a regular BIOS, no Secure Boot here. So all those tips on disabling it are for Secure Boot, which I do not have.
    Just a simple DSE off will be sufficient and very much appreciated. Thank you in advance.
     

  11. wesmar

    wesmar MDL Member

    Apr 1, 2012
  12. TheViking99

    TheViking99 MDL Junior Member

    Feb 20, 2026
    Wow, that was a super fast response. Not sure if I get it all, but when I wait until tomorrow and then download your updated version, will that include the option to have DSE still off after a reboot?
    Because the program I am using with that driver can only start after a reboot when DSE is off.
    Thank you.
     
  13. Xadiaris

    Xadiaris MDL Junior Member

    Apr 23, 2008
    #77 Xadiaris, Apr 7, 2026
    Last edited: Apr 7, 2026
    Hello,
    I get an error :)

    I have version from git.

    I think the version available here works well.
     
  14. Xadiaris

    Xadiaris MDL Junior Member

    Apr 23, 2008
  15. TheViking99

    TheViking99 MDL Junior Member

    Feb 20, 2026
    @wesmar
    IT WORKS!!!!!!!!!!!!
    You are superior and your work is just tops! Attached the screenshot of the KVC install and then the driver, per your instructions. Restart WORKS also!
    Just one question: while booting, the PC says something about a bootloader and blah blah..
    I guess this is on purpose, to know something is loading?!!?
    Since I know that I did that, I would not need a 'reminder' of it while booting. Just a question whether that can somehow NOT be shown.
    But I am glad to have found your great work with this and will from now on refer to you if anybody has issues that can be solved with your work! Fantastic! THANK YOU.
     

  16. wesmar

    wesmar MDL Member

    Apr 1, 2012
    No GitHub update just yet. The previous release was done without proper validation or HVCI (Memory Integrity) disabling during the boot sequence. Windows 10 differs significantly from Windows 11; the offsets when parsing the Enabled entry (switching 1 -> 0) in the HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity key are far apart, so I have to "walk" the registry manually to ensure a solid, engineering-grade implementation. In Windows 11, due to on-the-fly defragmentation, there is a constant pattern, which I will reverse-engineer alongside the Windows 10 version to write a proper, universal parser. I will finalize this and silence the alerts to keep the UI clean.

    Writing programs without a standard entry point in the System Native SMSS Manager phase is rare, and GitHub is sparse on examples. Fortunately, I’m utilizing tricks from Iczelion’s tutorials and the demoscene from a quarter-century ago, which are proving extremely useful now.

    As for total stealth: the verbose mode is partially controlled via the drivers.ini file, but soon it will be completely silent. Just have some patience...

    The BootExecute entry can also stay clean. I’m going to use an old trick of mine: naming the early-start executable using a zero-width space. A human eye won't catch it:
    Code:
    [char]0x200B | Set-Clipboard
    Example: "wesmar"
    Copy that into Notepad and check for yourself—there are actually 13 characters between those quotes! :)
    If the forum parses invisible characters, there won't be any effect; perhaps when selecting text, the scroll will be slightly longer.

    One more thing: if a keyboard-hooking driver, e.g. kvckbd.sys (like mine from another project), fails to start in this phase, you'll hit a boot loop with no way into the system. Most members here would have to use WinRE or another OS to delete the registry entry or the C:\Windows\System32\kvc_smss.exe file. While the kvc uninstall smss command handles cleanup, it wouldn't be accessible in a loop. That’s why I need to implement a "one-time trial" mechanism and a declaration in the c:\windows\drivers.ini file—once the test run is confirmed successful, you set it to "1" and it's lux!
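An added defender-side example, not code from this thread or from the KVC project: a PowerShell audit for the two things wesmar describes above, a BootExecute entry whose name is padded with zero-width characters (Unicode category Cf, which includes U+200B), and the HVCI Enabled value under the DeviceGuard key. The function names are mine; the constructed sample list below is made up for the demonstration, and the assumption that the stock BootExecute list is "autocheck autochk *" is mine as well.

```powershell
# Added example (not from the thread or the project). Flags Unicode "Format"
# (Cf) characters, which render as nothing in most UIs: U+200B zero-width
# space, U+200C/U+200D joiners, U+2060 word joiner, U+FEFF BOM, and so on.
function Find-InvisibleCharacters {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Text)
    $hits = New-Object System.Collections.Generic.List[string]
    for ($i = 0; $i -lt $Text.Length; $i++) {
        $c   = $Text[$i]
        $cat = [System.Globalization.CharUnicodeInfo]::GetUnicodeCategory($c)
        if ($cat -eq [System.Globalization.UnicodeCategory]::Format) {
            $hits.Add(('U+{0:X4} at index {1}' -f [int]$c, $i))
        }
    }
    # Leading comma keeps an empty or single-element result as an array.
    return ,$hits.ToArray()
}

# Reports each BootExecute entry with its visible vs. actual length, so a
# name like "kvc<U+200B>_smss.exe" stands out even though it looks normal.
function Get-BootExecuteEntryReport {
    param([Parameter(Mandatory)][string[]]$Entries)
    foreach ($entry in $Entries) {
        $hits = Find-InvisibleCharacters -Text $entry
        [pscustomobject]@{
            Entry         = $entry
            VisibleLength = ($entry -replace '\p{Cf}', '').Length
            ActualLength  = $entry.Length
            Invisible     = ($hits -join '; ')
            HasInvisible  = ($hits.Count -gt 0)
            # Assumption: the stock value is "autocheck autochk *" only.
            NonDefault    = ($entry -notmatch '^autocheck autochk')
        }
    }
}

# Live audit of the real keys (run from an elevated prompt).
function Invoke-BootExecuteAudit {
    $smKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $entries = @((Get-ItemProperty -Path $smKey -Name BootExecute -ErrorAction Stop).BootExecute)
    Get-BootExecuteEntryReport -Entries $entries

    # The post above describes flipping Enabled 1 -> 0 under this key.
    $hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    $hvci = Get-ItemProperty -Path $hvciKey -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $hvci) { 'HVCI Enabled value: not present' } else { "HVCI Enabled value: $($hvci.Enabled)" }

    # Files in System32 whose names carry invisible characters.
    Get-ChildItem -Path "$env:SystemRoot\System32" -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '\p{Cf}' } |
        Select-Object FullName, @{ n = 'Invisible'; e = { (Find-InvisibleCharacters -Text $_.Name) -join '; ' } }
}

# Constructed sample (not a real registry dump): the stock entry plus a name
# padded with a zero-width space, as the post suggests.
$sample = @('autocheck autochk *', ('kvc' + [char]0x200B + '_smss.exe'))
Get-BootExecuteEntryReport -Entries $sample | Format-Table -AutoSize
# Invoke-BootExecuteAudit   # uncomment on a live system
```

The report shows the padded sample entry with VisibleLength 12 and ActualLength 13, with "U+200B at index 3" listed under Invisible; the stock entry reports no invisible characters and NonDefault false. The length mismatch is the check to alert on, because a human reviewer comparing the string against a directory listing will see two identical-looking names.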