Skip to content

Releases: wesmar/KvcForensic

KvcForensic - Release 05.2026

Choose a tag to compare

@wesmar wesmar released this 14 May 10:50

🔐 PASSWORD: github.com

Extract downloaded archive with password: github.com


📦 ARCHIVE CONTENTS

KvcForensic.7z — Windows (212K)

KvcForensic.exe          ⭐ Main executable — GUI + CLI  [632K]
KvcForensic.json         ⭐ Required per-build LSA offset templates

KvcForensic_Linux.7z — Linux / WSL (2.7M)

KvcForensic              ⭐ Dynamic binary (~337 KB) — requires libcrypto at runtime
KvcForensic_static       ⭐ Static binary (~9.4 MB)  — no runtime dependencies, drop anywhere
KvcForensic.json         ⭐ Required per-build LSA offset templates

Built under WSL / Ubuntu 26.04, gcc 13, C++23. Crypto via OpenSSL libcrypto.
Output is byte-for-byte identical to the Windows build (same NT/SHA1 hashes, same DPAPI GUIDs).


🔗 DOWNLOAD LINKS

File Size Description
KvcForensic.7z 212K Windows — GUI + CLI (password: github.com)
KvcForensic_Linux.7z 2.7M Linux / WSL — dynamic + static binary (password: github.com)

🚀 QUICK START

Windows

1. Extract KvcForensic.7z  (password: github.com)
2. Place KvcForensic.json alongside KvcForensic.exe
3. KvcForensic.exe --analyze-dump --input lsass.dmp --format both

GUI opens when invoked without arguments.

Linux / WSL

# No dependencies — use the static binary
./KvcForensic_static --analyze-dump \
    --input lsass.dmp \
    --output result.txt \
    --templates KvcForensic.json \
    --format both --full

Obtaining the dump (Windows, PPL active)

kvc.exe dump lsass

kvc bypasses PPL via kernel-level process protection manipulation.


✅ WHAT'S NEW — 05.2026

[14.05.2026] Linux / WSL build — two binaries, static variant has no runtime dependencies

Standalone Linux CLI built under WSL / Ubuntu 26.04. Two binaries produced by build.sh:

Binary Size Notes
KvcForensic ~337 KB Dynamically linked — requires libcrypto at runtime
KvcForensic_static ~9.4 MB Fully static — no runtime dependencies

Crypto via OpenSSL instead of BCrypt. All credential output matches the Windows build 1:1.

sudo apt install build-essential libssl-dev
sudo apt install zlib1g-dev libzstd-dev libjitterentropy-dev   # for static
./build.sh

CMake also supported: cmake -S . -B build && cmake --build build -j

[13.05.2026] Linux port — KvcForensic runs natively on Linux

Initial Linux port: minidump parser, VA→RVA resolver, module slicing, signature scanner,
JSON template registry and full credential extraction pipeline (MSV, WDigest, Kerberos, DPAPI, TSPKG).

[12.04.2026] Windows 11 26H1 (build 28000+) — full credential extraction

Full coverage extended to Windows 11 26H1. Validated extraction: NT/LM/SHA1, WDigest cleartext,
Kerberos sessions + tickets, DPAPI master keys, CredMan. All templates in KvcForensic.json.


📋 SUPPORTED BUILDS

Windows version Build range Credential extraction
Windows 11 26H1 28000+ Full
Windows 11 25H2 26200–27999 Full
Windows 11 24H2 / Server 2025 26100–26199 Full
Windows 11 22H2 / 21H2 22000–22621 Legacy validated
Windows 10 22H2–1903 18362–19045 Legacy validated
Windows 10 1809–1803 17134–17763 Legacy validated
Windows 10 1709–1703 15063–16299 Legacy validated
Windows 10 1607 and earlier, 8.x, 7 below 15063 Template only / experimental

📞 CONTACT


Release Date: 05.2026
© WESMAR 2026