Skip to content

KvcForensic - Release 05.2026

Latest

Choose a tag to compare

@wesmar wesmar released this 14 May 10:50

πŸ” PASSWORD: github.com

Extract downloaded archive with password: github.com


πŸ“¦ ARCHIVE CONTENTS

KvcForensic.7z β€” Windows (212K)

KvcForensic.exe          ⭐ Main executable β€” GUI + CLI  [632K]
KvcForensic.json         ⭐ Required per-build LSA offset templates

KvcForensic_Linux.7z β€” Linux / WSL (2.7M)

KvcForensic              ⭐ Dynamic binary (~337 KB) β€” requires libcrypto at runtime
KvcForensic_static       ⭐ Static binary (~9.4 MB)  β€” no runtime dependencies, drop anywhere
KvcForensic.json         ⭐ Required per-build LSA offset templates

Built under WSL / Ubuntu 26.04, gcc 13, C++23. Crypto via OpenSSL libcrypto.
Output is byte-for-byte identical to the Windows build (same NT/SHA1 hashes, same DPAPI GUIDs).


πŸ”— DOWNLOAD LINKS

File Size Description
KvcForensic.7z 212K Windows β€” GUI + CLI (password: github.com)
KvcForensic_Linux.7z 2.7M Linux / WSL β€” dynamic + static binary (password: github.com)

πŸš€ QUICK START

Windows

1. Extract KvcForensic.7z  (password: github.com)
2. Place KvcForensic.json alongside KvcForensic.exe
3. KvcForensic.exe --analyze-dump --input lsass.dmp --format both

GUI opens when invoked without arguments.

Linux / WSL

# No dependencies β€” use the static binary
./KvcForensic_static --analyze-dump \
    --input lsass.dmp \
    --output result.txt \
    --templates KvcForensic.json \
    --format both --full

Obtaining the dump (Windows, PPL active)

kvc.exe dump lsass

kvc bypasses PPL via kernel-level process protection manipulation.


βœ… WHAT'S NEW β€” 05.2026

[14.05.2026] Linux / WSL build β€” two binaries, static variant has no runtime dependencies

Standalone Linux CLI built under WSL / Ubuntu 26.04. Two binaries produced by build.sh:

Binary Size Notes
KvcForensic ~337 KB Dynamically linked β€” requires libcrypto at runtime
KvcForensic_static ~9.4 MB Fully static β€” no runtime dependencies

Crypto via OpenSSL instead of BCrypt. All credential output matches the Windows build 1:1.

sudo apt install build-essential libssl-dev
sudo apt install zlib1g-dev libzstd-dev libjitterentropy-dev   # for static
./build.sh

CMake also supported: cmake -S . -B build && cmake --build build -j

[13.05.2026] Linux port β€” KvcForensic runs natively on Linux

Initial Linux port: minidump parser, VA→RVA resolver, module slicing, signature scanner,
JSON template registry and full credential extraction pipeline (MSV, WDigest, Kerberos, DPAPI, TSPKG).

[12.04.2026] Windows 11 26H1 (build 28000+) β€” full credential extraction

Full coverage extended to Windows 11 26H1. Validated extraction: NT/LM/SHA1, WDigest cleartext,
Kerberos sessions + tickets, DPAPI master keys, CredMan. All templates in KvcForensic.json.


πŸ“‹ SUPPORTED BUILDS

Windows version Build range Credential extraction
Windows 11 26H1 28000+ Full
Windows 11 25H2 26200–27999 Full
Windows 11 24H2 / Server 2025 26100–26199 Full
Windows 11 22H2 / 21H2 22000–22621 Legacy validated
Windows 10 22H2–1903 18362–19045 Legacy validated
Windows 10 1809–1803 17134–17763 Legacy validated
Windows 10 1709–1703 15063–16299 Legacy validated
Windows 10 1607 and earlier, 8.x, 7 below 15063 Template only / experimental

πŸ“ž CONTACT


Release Date: 05.2026
Β© WESMAR 2026