Kernel Pack

Provides a kernel‑level view into registered callbacks from other drivers, including object callbacks and activity hooks for process/thread creation, image loading, and registry operations. It surfaces this visibility through a single callback action that lets you query, remove, or restore specific callback types, giving operators a focused way to inspect and manage kernel activity signals from one place.

Kernel Pack includes an ETW control that allows operators to toggle the Event Tracing for Windows Threat Intelligence (ETW-TI) provider on or off. The functionality is exposed via the etwti kernel command (enable/disable), which dispatches the request to the agent and executes the change in kernel context. This enables direct control over ETW-TI telemetry generation from the console.

Provides kernel‑level controls to protect, elevate, hide, or restore specific process IDs (with a built‑in PatchGuard safety warning around hiding), and it pairs those controls with a DLL/PPL agent builder that packages a standard DLL implant or a PPL‑bypass variant with optional KnownDLL unhooking to harden or shield protected processes.

Kernel-assisted mechanisms designed to support durable agent continuity across reboots and system disruptions, particularly in environments where userland persistence is unreliable or heavily monitored. By operating at a lower system level, these capabilities offer improved resilience and reduced exposure to common detection methods compared to traditional autorun techniques. The functionality is delivered through structured operator workflows, allowing controlled deployment aligned with engagement needs and target stability.

Privilege Elevation & Process Signature Control (PP / PPL) exposes elevation and signature actions through the kernel‑level process controls and provides a dedicated DLL/PPL implant builder for protected‑process scenarios. Operators can select, evate or signature for a target PID via the process command flow, while the PPL workflow packages a “DLL + PPL Bypass Implant” that includes the PPL injection component for protected process access; UAC elevation hooks in the agent wizards complement this by relaunching the agent in an elevated context when needed.

Provides a focused kernel‑level control surface for inspecting and managing callback registrations including object callbacks and the process/thread creation, image load, and registry callback routines, while also offering a direct toggle for the ETW Threat Intelligence provider. These controls let operators query, remove, or restore callbacks and quickly enable or disable event visibility through a single, consistent command flow.

Centralises sensitive post‑execution actions by offering a credential‑dump workflow that targets LSASS memory and by providing two injection paths: DLL injection and Shellcode injection, each configurable by target PID, payload path, and delivery method (APC or remote thread).

Designed to support advanced post-exploitation workflows where credential material is required.

The agent performs a kernel-level operation that targets the LSASS process memory and extracts 3DES keys associated with protected authentication data. This capability is very useful during Red Team engagements and provides a structured method for retrieving credential-related artifacts from secured system components.