π PASSWORD: github.com
Extract downloaded archive with password: github.com
π¦ ARCHIVE CONTENTS
KvcForensic.7z β Windows (212K)
KvcForensic.exe β Main executable β GUI + CLI [632K]
KvcForensic.json β Required per-build LSA offset templates
KvcForensic_Linux.7z β Linux / WSL (2.7M)
KvcForensic β Dynamic binary (~337 KB) β requires libcrypto at runtime
KvcForensic_static β Static binary (~9.4 MB) β no runtime dependencies, drop anywhere
KvcForensic.json β Required per-build LSA offset templates
Built under WSL / Ubuntu 26.04, gcc 13, C++23. Crypto via OpenSSL libcrypto.
Output is byte-for-byte identical to the Windows build (same NT/SHA1 hashes, same DPAPI GUIDs).
π DOWNLOAD LINKS
| File | Size | Description |
|---|---|---|
| KvcForensic.7z | 212K | Windows β GUI + CLI (password: github.com) |
| KvcForensic_Linux.7z | 2.7M | Linux / WSL β dynamic + static binary (password: github.com) |
π QUICK START
Windows
1. Extract KvcForensic.7z (password: github.com)
2. Place KvcForensic.json alongside KvcForensic.exe
3. KvcForensic.exe --analyze-dump --input lsass.dmp --format both
GUI opens when invoked without arguments.
Linux / WSL
# No dependencies β use the static binary
./KvcForensic_static --analyze-dump \
--input lsass.dmp \
--output result.txt \
--templates KvcForensic.json \
--format both --fullObtaining the dump (Windows, PPL active)
kvc.exe dump lsass
kvc bypasses PPL via kernel-level process protection manipulation.
β WHAT'S NEW β 05.2026
[14.05.2026] Linux / WSL build β two binaries, static variant has no runtime dependencies
Standalone Linux CLI built under WSL / Ubuntu 26.04. Two binaries produced by build.sh:
| Binary | Size | Notes |
|---|---|---|
KvcForensic |
~337 KB | Dynamically linked β requires libcrypto at runtime |
KvcForensic_static |
~9.4 MB | Fully static β no runtime dependencies |
Crypto via OpenSSL instead of BCrypt. All credential output matches the Windows build 1:1.
sudo apt install build-essential libssl-dev
sudo apt install zlib1g-dev libzstd-dev libjitterentropy-dev # for static
./build.shCMake also supported: cmake -S . -B build && cmake --build build -j
[13.05.2026] Linux port β KvcForensic runs natively on Linux
Initial Linux port: minidump parser, VAβRVA resolver, module slicing, signature scanner,
JSON template registry and full credential extraction pipeline (MSV, WDigest, Kerberos, DPAPI, TSPKG).
[12.04.2026] Windows 11 26H1 (build 28000+) β full credential extraction
Full coverage extended to Windows 11 26H1. Validated extraction: NT/LM/SHA1, WDigest cleartext,
Kerberos sessions + tickets, DPAPI master keys, CredMan. All templates in KvcForensic.json.
π SUPPORTED BUILDS
| Windows version | Build range | Credential extraction |
|---|---|---|
| Windows 11 26H1 | 28000+ | Full |
| Windows 11 25H2 | 26200β27999 | Full |
| Windows 11 24H2 / Server 2025 | 26100β26199 | Full |
| Windows 11 22H2 / 21H2 | 22000β22621 | Legacy validated |
| Windows 10 22H2β1903 | 18362β19045 | Legacy validated |
| Windows 10 1809β1803 | 17134β17763 | Legacy validated |
| Windows 10 1709β1703 | 15063β16299 | Legacy validated |
| Windows 10 1607 and earlier, 8.x, 7 | below 15063 | Template only / experimental |
π CONTACT
- Website: https://kvc.pl
- GitHub: https://github.com/wesmar/KvcForensic
Release Date: 05.2026
Β© WESMAR 2026