KPC: Ultimate Windows Privilege Escalation & Memory Forensics Tool

Discussion in 'MDL Projects and Applications' started by wesmar, Sep 2, 2025.

  1. TheViking99

    TheViking99 MDL Junior Member

    Feb 20, 2026
    58
    17
    0
    Hello again! Now I did some tests...
    I actually did the latest update on my system (April) and of course the driver did not load.
    So I re-ran kvc with the commands again, and the confirmations seem OK; it even downloaded that new symbol...
    However, after restart the driver is not loaded.
    So I went ahead and downloaded the latest kvc from GitHub.
    Uninstalled the current one and ran all the commands again with the new one.
    But the same result. No driver is loaded now.
    Perhaps I forgot something? I'd appreciate your input... thank you.
     


  2. wesmar

    wesmar MDL Member

    Apr 1, 2012
    181
    636
    10
    I'm assuming your entries in “BootExecute” are correct—kvc_smss for kvc and bb for BootBypass
    If so, it occurs to me that there might be an unnecessary entry in the drivers.ini file, such as:
    Code:
    Offset_SeCiCallbacks=15746976
    Offset_Callback=32
    Offset_SafeFunction=6977376
    If that's the case, the patch might be in the wrong place, because depending on the version, that entry was reliable until I figured out how to calculate offsets offline during bootup. If not, please check in Notepad++ and Notepad to see if the drivers.ini file has any strange characters; it would be best if you could send it to me as an attachment.

    I’ll check on my end in a moment to see what happens when I have a redundant old entry.
     
  3. TheViking99

    TheViking99 MDL Junior Member

    Thank you for getting back. Here are some screenshots.
    However, it says kvc.sys is already updated in the driver store... I cannot find it.
    Also, I do not use bb... just the kvc as before. And I thought that after an update I just have to run kvc again to get the symbols online... which it did. But still. Now I did all of the above, uninstalled kvc and reinstalled the latest from GitHub.
     


  4. wesmar

    wesmar MDL Member

    Replace the file with mine, and we'll see if it works. I suspect the editor might be altering something; it would be better to attach it as a compressed file so I can see right away if it's correct. If it works with my file, edit the file in Notepad++, and I’ll review the conversion in kvc_smss. I definitely did it in BB. I turned on Verbose mode so you could see “Patched - success...”
     


  5. TheViking99

    TheViking99 MDL Junior Member

    OK, here is the result, no wonder...
    BTW, do you know why it did not work when I just ran everything right after that Windows update (April stack)? I left all of kvc in place and just re-ran those commands as before. It also downloaded those symbols... and I thought that was it. But surely not.
     


  6. wesmar

    wesmar MDL Member

    Remove the signature from the driver! Error 428!!!!
    I'll let you know why in a moment—I just need to step away for a bit. This isn't a problem with KVC and BB, but rather a change in the cross-signature policy :)
     
  7. TheViking99

    TheViking99 MDL Junior Member

    OK sure. Take your time. But that driver has no MS signature; that is why it's not loading with DSE on. So I don't know what I should remove? The entire driver? I also already reinstalled the program with that driver and turned DSE off again.
    Perhaps I should uninstall and delete everything and start from scratch. It should work then, right? Just which version should I download from GitHub?
     
  8. TheViking99

    TheViking99 MDL Junior Member

    Yes, that is what I have with that driver too.
    Remember, I have no EFI or Secure Boot. Just plain old BIOS, Dell Precision laptop.
    But from your post I guess that just removing everything and reinstalling kvc as before won't work with that 'new' update? I now have 1809 17763.8644 and maybe something happened there...
     
  9. TheViking99

    TheViking99 MDL Junior Member

    Made it WORK AGAIN.
    What I did:
    Uninstalled kvc smss
    also kvc uninstall
    then removed all kvc files in \system32
    did not even reboot
    Then used the backup folder I had created with the kvc files I used before that worked (!)
    and ran: kvc setup
    then: dse off --safe
    then: kvc install fanio
    and after the restart... everything works again! Perfect.
    My only question to you now: why did this mess happen in the first place? I did as mentioned before: update MS, then disable DSE and install the driver again. But nothing worked. Until I did the steps above.
    Hope this info helps you figure out what's next.
    BTW, I think the mess also started when I used the latest kvc from GitHub. Remember, now I used the last version YOU told me to download and still had as a backup!!! Since you said you made some changes, perhaps there is something... just mentioning it.
    Thank you again for your great work!
     
  10. wesmar

    wesmar MDL Member

    I have the latest Windows 10 with the April update. I got this driver running without a single issue (it’s almost 20 years old)—even the I8kfanGUI.exe app started working. It’s a shame it works for me, because I was hoping they’d changed something with the EFI trust chain policy update and I’d have a challenge, but now I’m not so sure. Don't worry, there's always a way. Since you're booting from Windows, I'll easily compile a version for you that works with kvc_smss. Just give me the current offsets from the command
    ‘kvc dse off --safe’
    I'll see how they compare to the ones detected in boot mode
     
  11. wesmar

    wesmar MDL Member

    It should work with the latest version of KVC, though I’ll admit that on such an early version of Windows 10, the algorithm might be completely different—and probably simpler—and I didn’t include it. I’m speculating a bit because I’d need multiple versions; the old version did this via PDB, and maybe I should prioritize that since it’s the only reliable method, but it also carries a very high risk due to inconsistencies between the updated system and the downloaded symbol files. In that case, an unfavorable patch could cause a BSOD and cause some confusion.
     
  12. TheViking99

    TheViking99 MDL Junior Member

    Yes, it works for me now too. Here is the 'new' drivers.ini with those numbers...
    I'm still curious as to why this mess happened before. Is there a 'proper' way to update MS with kvc working? So that after the update it will work again (after a procedure, of course). But with mine, it did not. Only after removing everything and installing anew does it work again. Wow.
     


  13. TheViking99

    TheViking99 MDL Junior Member

    You might be very right about that PDB. It worked fine. So for my case at least, the way it WAS with PDB is perfect. And again, I'm not planning on updating anything... this was just a 'test' in case I would! I used one of my cloned HDDs, so I still have all the good and working HDD clones as my backups ;-)
     
  14. wesmar

    wesmar MDL Member

    In any case, I have to move down to a lower level (RING -1) and move away from PDB because I’m developing highly efficient methods for controlling the Hypervisor in EFI. I’m not officially releasing this yet so Microsoft doesn’t have time to patch it, so it will likely be available in the summer—probably late June or early July—once they’ve implemented the new chain of trust. To read the system at all, I wrote my own driver, an ultra-efficient one for NTFS, inspired by ReactOS’s logic. It’s only 15KB. I could have used the one from Rufus, but it runs in FUSE user space and is slow. Attached are preliminary versions of some of my latest products:

    HvciBypass.efi - this is a bootkit that disables HVCI regardless of the registry state, tested exclusively on Windows 11 26H1 (it will work on other versions 99% of the time as well). But in the development version, in addition to self-signing into the BIOS, it can sign other files and drivers with the root certificate, so people won’t have to switch their machines to developer mode or disable SecureBoot; they don't even have to touch HVCI in any way.

    And if they want to patch HVCI, then despite the status:

    Powershell:
    Code:
    Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard | Format-List SecurityServicesConfigured,SecurityServicesRunning,VirtualizationBasedSecurityStatus
    
    SecurityServicesConfigured : {2}
    SecurityServicesRunning : {0}
    VirtualizationBasedSecurityStatus : 2
    All security interface sliders originating from SecHealthUI will indicate full protection. For this purpose, I wrote a library (payload.dll) that removes prompts from memory and worked out the mechanism in HypervisorEnforcedCodeIntegrity ChangedInBootCycle for when and how to manipulate the timestamp so the system thinks it did it itself. In addition, I wrote a 3 KB service in x64 assembly that controls the flag inversion just before shutdown—extremely efficient with a pre-shutdown phase and a dedicated thread (bbs.exe/asm)—because none of the options from the Task Scheduler were fast enough to complete before shutdown.

    I included this for illustrative purposes; I’m not idle—in my spare time, I write various modules for KVC. The goal of KVC itself is to compromise the Windows system at every stage in a positive sense; it’s the equivalent of rooting Android devices.
     

    Attached Files: hvci.zip (141.4 KB)
  15. wesmar

    wesmar MDL Member

    #136 wesmar, Apr 28, 2026
    Last edited: Apr 28, 2026
    (OP)
    @Viking99 -
    I modified the offset search for Windows 10 and added a more robust semantic fallback (though not the lightning-fast one from IDA). I tested it locally and it took only 20 ms, though I’m still verifying its reliability. Additionally, I wrote a 4 KB service in assembly (bbs.exe) to keep the HVCI slider in the "enabled" position. It disables itself during the pre-shutdown phase so that bb.exe doesn’t have to force a restart via registry manipulation. This is purely for aesthetics and works when RestoreHVCI=YES.

    BTW: BB creates BBS; you only need this one file—the other one will appear in the system32 folder automatically

    The service starts during boot; it’s like BB’s older brother keeping an eye on the visual state. I can arm it with PPL so it remains untouched. You can see the SecHealthUI slider toggle by running:
    Code:
    sc stop HvciShutdownSvc
    start windowsdefender://devicesecurity/
    :: close the "Device Security" window
    sc start HvciShutdownSvc
    :: reopen
    start windowsdefender://devicesecurity/
    
    The hooking library and loader from the previous post trigger the full visual effects of HVCI, as if loading a driver on a hardened Win11 system—a clever trick that shows Microsoft’s UI is just a facade.
     


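The two posts above describe a state in which the Windows Security UI shows HVCI as enabled while the kernel reports it configured but not running (SecurityServicesConfigured {2}, SecurityServicesRunning {0}). The script below is an added example, not code from wesmar or from KVC: it reads the same Win32_DeviceGuard class the post queries, the HypervisorEnforcedCodeIntegrity registry scenario key the post names, and the service name the post gives (HvciShutdownSvc), and reports whether the three sources disagree. The service-code meanings (1 = Credential Guard, 2 = HVCI) and the VirtualizationBasedSecurityStatus values (0 = off, 1 = configured but not running, 2 = running) are Microsoft's documented values for that class; the registry path and the ChangedInBootCycle value are taken as given in the post and are read tolerantly in case they are absent.

```powershell
# Added example (not wesmar's or KVC's code): cross-check HVCI state from three
# sources so a "green slider" can be compared with what the kernel reports.
#
# Assumptions: Win32_DeviceGuard service codes 1 = Credential Guard, 2 = HVCI;
# VirtualizationBasedSecurityStatus 0 = off, 1 = configured not running, 2 = running.
# 'HvciShutdownSvc' is the service name given in the post above, not a Windows component.

function Get-HvciState {
    [CmdletBinding()]
    param()

    # 1. What the kernel reports (same class as the query in the post).
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $configured = @($dg.SecurityServicesConfigured)
    $running    = @($dg.SecurityServicesRunning)
    $hvciConfigured = $configured -contains 2
    $hvciRunning    = $running    -contains 2

    # 2. What the registry says (path as named in the post; values may be absent).
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    $reg = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue

    # 3. Whether the service from the post is installed on this machine.
    $svc = Get-Service -Name 'HvciShutdownSvc' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        VbsStatus          = $dg.VirtualizationBasedSecurityStatus
        HvciConfigured     = $hvciConfigured
        HvciRunning        = $hvciRunning
        RegistryEnabled    = $reg.Enabled
        ChangedInBootCycle = $reg.ChangedInBootCycle      # value named in the post
        UnknownHvciService = [bool]$svc                    # service name from the post
        # Configured-but-not-running is exactly the output shown in the post.
        Suspicious         = ($hvciConfigured -and -not $hvciRunning) -or [bool]$svc
    }
}

Get-HvciState | Format-List
```

Run it elevated in PowerShell. On the state shown in the post (Configured {2}, Running {0}, VBS status 2) it reports HvciConfigured = True, HvciRunning = False and Suspicious = True regardless of what the Device Security page displays; on a machine where HVCI is genuinely running, both flags are True and Suspicious is False unless the named service is present.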
  16. TheViking99

    TheViking99 MDL Junior Member

    Wow again! You are indeed hard at work.
    For me, I used another HDD clone and did the following to update and still have that driver working afterwards:
    I uninstalled all of kvc and removed it! Before I enabled any update / re-enabled various files and things! Without this, Windows will not be able to update anyway!
    Then I did the update... the ones you mentioned earlier.
    After all was done, I reinstalled KVC / setup and installed the driver...
    Disabled, of course, all possibilities for Windows to even think of updating!
    And after restart, all works well again. Perfect driver load and the system updated.

    So for me, this is perfect and working! But I understand that many use Win11 and always 'update'. So you have to stay ahead of that curve!

    BTW, your comparison before to 'rooting Android'. Well said!!! I have of course my bootloader unlocked and the system rooted. AND most importantly installed the AF+ Firewall on it. Also another not so well known system tweaker to disable updates (of course!) and other unwelcome services. What can I say, I love privacy, and in this day and age it's a hard thing to get anymore!

    So keep up your great work!!!
     
  17. TheViking99

    TheViking99 MDL Junior Member

    @wesmar
    Just an update on my side: I did it again.... used one cloned drive as the test hdd and did the May Update.
    Result this time around: Perfectly working without any need to 'redo' kvc !!!
    So strangely MS changed nothing that needed to be redone with the kvc. The driver loads and the program works!
    All good.