Releases: wesmar/KvcForensic
Release list
KvcForensic - Release 05.2026
🔐 PASSWORD: github.com
Extract downloaded archive with password: github.com
📦 ARCHIVE CONTENTS
KvcForensic.7z — Windows (212K)
KvcForensic.exe ⭐ Main executable — GUI + CLI [632K]
KvcForensic.json ⭐ Required per-build LSA offset templates
KvcForensic_Linux.7z — Linux / WSL (2.7M)
KvcForensic ⭐ Dynamic binary (~337 KB) — requires libcrypto at runtime
KvcForensic_static ⭐ Static binary (~9.4 MB) — no runtime dependencies, drop anywhere
KvcForensic.json ⭐ Required per-build LSA offset templates
Built under WSL / Ubuntu 26.04, gcc 13, C++23. Crypto via OpenSSL libcrypto.
Output is byte-for-byte identical to the Windows build (same NT/SHA1 hashes, same DPAPI GUIDs).
🔗 DOWNLOAD LINKS
| File | Size | Description |
|---|---|---|
| KvcForensic.7z | 212K | Windows — GUI + CLI (password: github.com) |
| KvcForensic_Linux.7z | 2.7M | Linux / WSL — dynamic + static binary (password: github.com) |
🚀 QUICK START
Windows
1. Extract KvcForensic.7z (password: github.com)
2. Place KvcForensic.json alongside KvcForensic.exe
3. KvcForensic.exe --analyze-dump --input lsass.dmp --format both
GUI opens when invoked without arguments.
Linux / WSL
# No dependencies — use the static binary
./KvcForensic_static --analyze-dump \
--input lsass.dmp \
--output result.txt \
--templates KvcForensic.json \
--format both --fullObtaining the dump (Windows, PPL active)
kvc.exe dump lsass
kvc bypasses PPL via kernel-level process protection manipulation.
✅ WHAT'S NEW — 05.2026
[14.05.2026] Linux / WSL build — two binaries, static variant has no runtime dependencies
Standalone Linux CLI built under WSL / Ubuntu 26.04. Two binaries produced by build.sh:
| Binary | Size | Notes |
|---|---|---|
KvcForensic |
~337 KB | Dynamically linked — requires libcrypto at runtime |
KvcForensic_static |
~9.4 MB | Fully static — no runtime dependencies |
Crypto via OpenSSL instead of BCrypt. All credential output matches the Windows build 1:1.
sudo apt install build-essential libssl-dev
sudo apt install zlib1g-dev libzstd-dev libjitterentropy-dev # for static
./build.shCMake also supported: cmake -S . -B build && cmake --build build -j
[13.05.2026] Linux port — KvcForensic runs natively on Linux
Initial Linux port: minidump parser, VA→RVA resolver, module slicing, signature scanner,
JSON template registry and full credential extraction pipeline (MSV, WDigest, Kerberos, DPAPI, TSPKG).
[12.04.2026] Windows 11 26H1 (build 28000+) — full credential extraction
Full coverage extended to Windows 11 26H1. Validated extraction: NT/LM/SHA1, WDigest cleartext,
Kerberos sessions + tickets, DPAPI master keys, CredMan. All templates in KvcForensic.json.
📋 SUPPORTED BUILDS
| Windows version | Build range | Credential extraction |
|---|---|---|
| Windows 11 26H1 | 28000+ | Full |
| Windows 11 25H2 | 26200–27999 | Full |
| Windows 11 24H2 / Server 2025 | 26100–26199 | Full |
| Windows 11 22H2 / 21H2 | 22000–22621 | Legacy validated |
| Windows 10 22H2–1903 | 18362–19045 | Legacy validated |
| Windows 10 1809–1803 | 17134–17763 | Legacy validated |
| Windows 10 1709–1703 | 15063–16299 | Legacy validated |
| Windows 10 1607 and earlier, 8.x, 7 | below 15063 | Template only / experimental |
📞 CONTACT
- Website: https://kvc.pl
- GitHub: https://github.com/wesmar/KvcForensic
Release Date: 05.2026
© WESMAR 2026