KPC: Ultimate Windows Privilege Escalation & Memory Forensics Tool

Discussion in 'MDL Projects and Applications' started by wesmar, Sep 2, 2025.

  1. TheViking99

    TheViking99 MDL Junior Member

    Again, Perfect!
    At least so far on my Windows 10 ALL IS GOOD with this.
    So unless anything 'happens' I will have it stay like that. Would not know what could be done better in my case. And for the boot entry that pops up during boot, I think I won't mind. That way I am reminded that I have kvc ON with that driver. So no harm at all.
    To have the DSE option permanently is the very very best. Thank you!
     
  2. wesmar

    wesmar MDL Member

    I switched to the smart, quiet version, where disabling memory integrity during early boot works. The link is the same. Default entry: Verbose=NO in drivers.ini
    P.S - I'll upload it to GitHub in a few hours with an updated detailed description
     
  3. TheViking99

    TheViking99 MDL Junior Member

    Perfect, sounds good. So I do get that newer version from your previous link and put the kvc.exe into /system32 ? Then enable it again or do I first disable it?
    Or do I just put that new .exe into /system32 and it will be 'quiet'? BTW, in drivers.ini it is already saying Verbose: NO.
    Lastly, I do not have that memory check in my bios or in win10. So does your new version still work with MY system as before?
    Just asking, since it works now and I do not want to break it ;)
     
  4. wesmar

    wesmar MDL Member


    Before anything: back up your current kvc.exe

    Copy the existing binary somewhere safe just in case, though you should be fine. I've tested this build on both Windows 10 and Windows 11.

    The correct update procedure

    This is the part that matters most. Do NOT simply drop the new kvc.exe into System32 and leave it at that. The reason is that kvc_smss.exe — the native boot-phase component that does the actual early-load work — is embedded inside kvc.exe as a resource. The copy currently sitting in your System32 is from your previous install and does not match the new build.

    The correct sequence is:

    Code:
    kvc uninstall smss
    This removes the BootExecute registry entry, deletes C:\Windows\drivers.ini, and removes the old kvc_smss.exe from System32. Then replace kvc.exe in System32 with the new build from the GitHub link, and run:

    Code:
    kvc install YOUR_DRIVER
    This single command does three things automatically:
    1. Extracts the new kvc_smss.exe from the embedded resource and writes it to C:\Windows\System32\
    2. Downloads the ntoskrnl.exe PDB from the Microsoft Symbol Server (cached in C:\ProgramData\dbg\sym\ for subsequent runs) and resolves the two required kernel offsets — SeCiCallbacks and ZwFlushInstructionCache
    3. Writes a fresh C:\Windows\drivers.ini with the correct Offset_SeCiCallbacks and Offset_SafeFunction values for your exact running kernel, then re-registers kvc_smss in BootExecute

    On the offsets — this is why you run kvc install after every Windows update

    Microsoft changes these kernel offsets with cumulative updates. The offsets in your current drivers.ini are valid for whichever ntoskrnl.exe build was running when you originally installed. After a Windows update — or after swapping to a new kvc.exe build — kvc install YOUR_DRIVER re-resolves them from the live PDB for your current kernel. The PDB is the authoritative offset map. No manual editing of drivers.ini required.

    Your Verbose=NO is correct

    kvc_smss.exe runs silently during the boot phase. No screen output is expected with Verbose=NO.

    Regarding Memory Integrity / HVCI

    You don't have it enabled, so it's a non-issue. The HVCI handling path in the new build exists for systems that do have it enabled — it patches the SYSTEM hive offline and schedules an extra reboot cycle. Since your system doesn't have HVCI, execution goes straight through the standard DSE bypass cycle and loads your driver exactly as before. Nothing changes for you there.

    tl;dr

    Code:
    kvc uninstall smss
    ; replace kvc.exe in System32 with the new build
    kvc install YOUR_DRIVER
    Your driver will be back on the BootExecute list with a fresh ini and correctly resolved offsets for your current kernel build. Should work exactly as it did before.
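    A defender-side check, added here and not part of kvc or of this thread: the install step above re-registers kvc_smss in BootExecute and writes C:\Windows\drivers.ini, so an administrator can audit exactly those two artifacts. It assumes the stock BootExecute value is the single entry "autocheck autochk *" and that SMSS resolves bare image names from System32.

    ```powershell
    # Added audit script (not part of kvc). Lists BootExecute entries that are not the
    # Windows default and reports the boot-phase configuration file described in the thread.
    # Assumption: a clean system has exactly one BootExecute entry, "autocheck autochk *".
    $SessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $Default    = 'autocheck autochk *'

    # BootExecute is REG_MULTI_SZ; every element is a native program SMSS runs before any
    # user-mode security stack is online, so each extra element deserves a look.
    $Entries = @((Get-ItemProperty -Path $SessionMgr -Name BootExecute).BootExecute)
    $Extra   = @($Entries | Where-Object { $_ -ne $Default })

    if ($Extra.Count -eq 0) {
        Write-Output 'BootExecute: only the default autochk entry is present.'
    } else {
        Write-Output 'BootExecute contains non-default native programs:'
        foreach ($Entry in $Extra) {
            # First whitespace-separated token is the image name (e.g. kvc_smss).
            $Image = ($Entry -split '\s+')[0]
            if (-not $Image.EndsWith('.exe')) { $Image += '.exe' }
            $Path  = Join-Path $env:SystemRoot "System32\$Image"
            $State = if (Test-Path -LiteralPath $Path) {
                $Sig = Get-AuthenticodeSignature -FilePath $Path
                "present, signature: $($Sig.Status)"
            } else { 'image missing from System32' }
            Write-Output ("  {0}  -> {1} ({2})" -f $Entry, $Path, $State)
        }
    }

    # The loader's own configuration file; its presence alone is a strong indicator.
    $Ini = Join-Path $env:SystemRoot 'drivers.ini'
    if (Test-Path -LiteralPath $Ini) {
        Write-Output "Found $Ini with these settings:"
        Select-String -Path $Ini -Pattern '^(Verbose|RestoreHVCI|Offset_\w+)=' |
            ForEach-Object { '  ' + $_.Line }
    } else {
        Write-Output 'No drivers.ini in the Windows directory.'
    }
    ```

    Run it from an elevated PowerShell prompt; on a machine where the thread's "kvc install" step has been performed, both the extra BootExecute element and the ini file will be reported.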
     
  5. TheViking99

    TheViking99 MDL Junior Member

    #85 TheViking99, Apr 7, 2026
    Last edited by a moderator: Apr 8, 2026
    Thank you for this excellent explanation. My only question before I do all of it: What exactly will change for me, for the better? Right now it works as it is. Maybe I did not get what it is. Was the version before not ready?
    I understand you make this for many different versions of Win, 10 and 11, and many have newer bios, and so on, but for me with my 'old' laptop, it works right now.
    Of course I don't want to get a Blue screen... somehow. You are the expert and if you say this last version is xxx, then I will go ahead.
    Thank you again.

    Ok, just did all this. However, it did not download anything new from MS. Attached is the result. Is all this ok now?
     
  6. wesmar

    wesmar MDL Member

    With the new build, a few things directly relevant to your setup:

    Verbose=NO — total silence during deployment

    With Verbose=NO in drivers.ini, kvc_smss.exe produces zero screen output during the boot phase — which is the correct setting for a production deployment. If you ever need to debug a boot sequence, flip it to Verbose=YES temporarily and you'll see the full operation log on screen during POST. Set it back to NO afterwards.

    drivers.ini now ships with additional commented-out sections

    The generated drivers.ini now includes two pre-scaffolded but commented-out sections:

    Code:
    [RenameX]
    ; Action=RENAME
    ; SourcePath=
    ; TargetPath=
    ; ReplaceIfExists=NO
    
    [DeleteX]
    ; Action=DELETE
    ; DeletePath=
    ; RecursiveDelete=NO
    
    These are inert by default — the parser ignores commented lines. They're there as a reference if you ever need to schedule a file rename or deletion at the native NT layer during boot, before any filesystem filter drivers are active. For your current use case, just leave them as-is.

    Regarding Secure Boot / Memory Integrity — not relevant for you right now, but good to know

    Since you confirmed you don't have Memory Integrity (HVCI) enabled, RestoreHVCI=NO is the correct setting and nothing changes for you. For reference: if you ever end up on a system with HVCI active, setting RestoreHVCI=YES instructs kvc_smss to patch the offline SYSTEM hive directly — disabling Memory Integrity at the raw binary level before the driver load, then scheduling a restore on the next cycle so the system comes back up clean. The hive parser handling that is now significantly more robust than the previous implementation, so that path is safe to use when needed.

    For your system — everything works exactly as before, just quieter.
     
  7. TheViking99

    TheViking99 MDL Junior Member

    And you are again: Perfectly correct!!!
    Thank you very much. Your instructions and explanations are among the very best there are!!!
    I just rebooted and this info did not come up.
    So I can now have this stay? I definitely do no win updates or so. And since you constantly improve your features, I just don't want to get tempted... you know what I mean.
    Why fix it if it's not broken. It's quiet now as you say and it WORKS. That is all I at least need for now.
    So thank you very much for your perfect and complete help with this!!!
     
  8. TheViking99

    TheViking99 MDL Junior Member

    Yes, especially since now that boot screen is off. That requires that new/latest version, correct?!
     
  9. wesmar

    wesmar MDL Member

    #90 wesmar, Apr 7, 2026
    Last edited: Apr 7, 2026
    (OP)
    Correct — and that's exactly why the silent boot path matters here.

    To give you some context on what's packed in that binary: the icon resource in kvc.exe is ~34 KB — the raw icon itself is ~4 KB, the remaining ~30 KB is a steganographic container carrying four embedded components compiled from ASM/C/C++:

    • kvc.sys — the signed BYOVD primitive
    • kvcstrm.sys — the purpose-built kernel primitive driver; IOCTL surface covers cross-process memory R/W, PP/PPL stripping, physical memory access, token elevation and more — currently only a fraction of that is wired into the command surface
    • kvc_smss.exe — the NATIVE subsystem boot-phase loader, pure C, no CRT, runs under SMSS before any usermode security stack is online
    • ExplorerFrame.dll — the watermark removal library

    The DLL is the one component I still want to revisit — it'll need an update to stay aligned with upcoming developer builds. The rest is stable.

    All of that fits in what looks like a standard application icon. No external dependencies, no dropped files until you explicitly run an install command.
     
  10. TheViking99

    TheViking99 MDL Junior Member

    Ok, sounds good. Just to make sure:
    what does it mean 'upcoming developer builds'? Different Windows updates?
    If I keep my version "as it is" and will never update anything, do I need still to get Your updated versions? Or can I keep it now as it is... working ;)
     
  11. wesmar

    wesmar MDL Member

    To answer the question regarding updates: If you decide to keep your current Windows version exactly as it is and completely block all updates, you do not need to download updated versions of the tool. The memory offsets we use to bypass security are directly tied to your specific kernel binary, ntoskrnl.exe. As long as that file remains unchanged by Windows Updates, the structure addresses remain constant and the tool will function indefinitely.

    "Upcoming developer builds" refers to preview versions like those from the Windows Insider channels. These builds almost always shift the kernel layout, which forces us to hunt for new offsets. If you stay on your current build, the work is done once and for all.
    Shaking off the PDB Dependency

    For those following the technical side of this project, I have some interesting news. I managed to develop an algorithm that locates key Windows kernel offsets completely offline, without relying on Microsoft’s symbol servers. This is quite rare in public Proof-of-Concepts. Many reverse engineering colleagues eventually gave up, discouraged by the "bastion" of hidden private symbols and the strict separation between the Secure Kernel Code Integrity (SKCI) and standard CI responsibilities.

    Our primary targets are Offset_SeCiCallbacks (the RVA of the global Code Integrity callback structure) and Offset_SafeFunction (the RVA of the ZwFlushInstructionCache export).

    Instead of relying on fragile hardcoded byte patterns, the algorithm performs a semantic analysis of the SeCiCallbacks initialization within the SepInitializeCodeIntegrity function.

    The Logic: LEA + memset + MOV
    The core of the discovery is a specific initialization pattern. First, a
    Code:
    LEA rcx, [RIP + rel32]
    instruction loads the address of SeCiCallbacks + 4. This +4 offset exists because the initialization process usually skips the first field, such as flags or versioning, which is handled separately. This is followed by a zero-init sequence, typically involving
    Code:
    xor edx, edx
    and
    Code:
    mov r8d, [size]
    , before calling memset. Immediately after, the code executes
    Code:
    mov [RIP + rel32], imm32
    (opcode C7 05) to commit the specific flags.

    The "Fast Path" Engine
    To keep the tool lightning-fast, I avoided heavy disassembler libraries like Zydis. Instead, I implemented a manual decoder for specific x64 instructions:

    • Kernel Section Scanning: We scan for the C7 05 opcode (MOV with a 32-bit immediate).
    • RIP-Relative Verification: We calculate the target RVA. If it points to a writable, non-executable section like .data, we analyze the surrounding 32-byte window.
    • LEA Validation: We look for an 8D 05 (LEA) instruction pointing exactly 4 bytes below our target. If we find the memset register setup (EDX=0 and R8D within a reasonable range of 0x40 to 0x400) in the vicinity, we have a high-confidence match.

    I first prototyped this in Python and then moved to a native C implementation (VS 2026) to test against various Windows 10 and 11 builds. The result? It hits the mark every time without a single PDB hit. I am currently integrating this directly into native modules like kvc_smss. This code will eventually be part of the KernelResearchKit.

    Fallback and Resilience
    In the event that the "Fast Path" fails on a radical new build, the engine switches to a Structural Scan. This mode analyzes the RUNTIME_FUNCTION table in the .pdata section to identify function boundaries and searches for legacy anchors. While I prefer the mathematical elegance of the Fast Path, this "dirty" method serves as a reliable backup. It takes roughly 3.2 seconds to complete, but it ensures the bypass remains autonomous even if Microsoft tweaks the compiler logic.

    This approach makes the tool exceptionally resilient to updates as long as the underlying semantics of kernel initialization remain the same. We are moving toward fully autonomous bypass tools where the code is simply the execution of a well-understood logic.

    Current Module Status:
    • Target: ntoskrnl.exe
    • Method: Semantic Heuristics
    • PDB Dependency: None (100% Offline)
    • Integration: kvc_smss / Native Runtime
    • Scheduled for this week
     
  12. TheViking99

    TheViking99 MDL Junior Member

    #93 TheViking99, Apr 8, 2026
    Last edited by a moderator: Apr 8, 2026
    Thank you for your answer. Sounds good right now.
    About your further explanation however, I think as soon as you have the new set ready (without pdb dependency/offline) I will update and use that version from you.
    Will keep an eye out for it.

    BTW, in case some here do Clone hdds instead of 'backups', I have already cloned a hdd with windows 10 and your application is well cloned with it.
    Sometimes some programs needed re-activation or so, and I was crossing finger with this, but it worked too. So again, perfect all around!
     
  13. wesmar

    wesmar MDL Member

    If you only need to load drivers on Windows 10/11, you don’t need to use the entire kvc. Just unzip the DriverLoader.zip archive, adjust the driver name, service, and startup settings, then run the deploy.ps1 script, and that’s it; it will work after every reboot. To keep things quiet, you should also change:
    Verbose=YES to NO
    P.S - This is a version of the system:native program, which is essentially a kernel disassembler and hits the mark without needing symbol files—it handles those darn hard-to-find SeCiCallbacks offsets. It works on Windows 10 and 11, and you probably won’t need to reload those symbols via “kvc install your_driver”.

  14. liliactr

    liliactr MDL Addicted

    Thank you for this great update. Lots of people probably need this standalone utility.
     
  15. TheViking99

    TheViking99 MDL Junior Member

    @wesmar

    Seems you are full throttle into it. Great.
    My question, for my case, is: Do you suggest that I remove all kvc... that currently works perfect, and then use the bb.exe?
    I mean if I would not have done all that you described before, I would go for bb.exe. But unless you are telling me that the kvc path will eventually be 'unstable' or so for ME and my case, I think I will leave all as it is.
    As I said before, I do not update any of my Win10 ltsc install ever again. And your kvc as we did a few days back, WORKS PERFECTLY right now.
    So thank YOU again! Perfect.
     
  16. wesmar

    wesmar MDL Member

    I would remove it for this purpose and use bb.exe instead, which works offline without needing to handle changing offsets. It works as intended, and there’s nothing else you need to do. If the API ever undergoes a major overhaul or new security libraries are added, I’ll just figure it out.
     
  17. TheViking99

    TheViking99 MDL Junior Member

    Thank you for the info. I will change it then. Just how do I go about it, just use the command kvc/uninstall and then install using bb.exe?

    BTW, just so in case somebody gets spooked, the kvc.exe will come up in a virus scan ...! Just to raise awareness, and perhaps one can 'exclude' it in AV settings. Happened to me, so that's why I mention it. And since it took a while and did not happen right after install and usage... some might not recognize it and it will be deleted. Could be a hassle later.

    Another btw, the kvc.exe goes online only once, in case it needs to download during 'setup', correct? Once it's in system32 it won't. Is that right?

    Anyways, now I have to look into the bb.exe procedure... for my driver.
     
  18. wesmar

    wesmar MDL Member

    Just run “kvc uninstall smss” and install BB

    Yes, I expected it to be flagged because it’s not a tool that Microsoft tolerates, let alone others. You can exclude it from Defender, and the commands “kvc setup” or “kvc exclusion” do just that. In other cases, due to possible permissions, this can also be done, but the code will grow significantly, and besides, you need to have them (AV software)