Kernel Pack

Provides a kernel‑level view into registered callbacks from other drivers, including object callbacks and activity hooks for process/thread creation, image loading, and registry operations. It surfaces this visibility through a single callback action that lets you query, remove, or restore specific callback types, giving operators a focused way to inspect and manage kernel activity signals from one place.

Kernel Pack includes an ETW control that allows operators to toggle the Event Tracing for Windows Threat Intelligence (ETW-TI) provider on or off. The functionality is exposed via the etwti kernel command (enable/disable), which dispatches the request to the agent and executes the change in kernel context. This enables direct control over ETW-TI telemetry generation from the console.

Provides kernel-level controls to protect, elevate, hide, or restore specific process IDs, all achieved through DOG's data-only gadget chaining without a custom kernel driver. These operations leverage existing signed kernel code, eliminating PatchGuard collision risks. The feature pairs with a DLL/PPL agent builder that packages a standard DLL implant or a PPL-bypass variant with optional KnownDLL unhooking to harden or shield protected processes.

Kernel-assisted mechanisms designed to support durable agent continuity across reboots and system disruptions, particularly in environments where userland persistence is unreliable or heavily monitored. By operating at a lower system level, these capabilities offer improved resilience and reduced exposure to common detection methods compared to traditional autorun techniques

Privilege Elevation & Process Signature Control (PP / PPL) exposes elevation and signature actions through the kernel‑level process controls and provides a dedicated DLL/PPL implant builder for protected‑process scenarios. Operators can select, elevate or change PPL for a target PID via the process command flow.

Provides a focused kernel‑level control surface for inspecting and managing callback registrations including object callbacks and the process/thread creation, image load, and registry callback routines, while also offering a direct toggle for the ETW Threat Intelligence provider. These controls let operators query, remove, or restore callbacks and quickly enable or disable event visibility through a single, consistent command flow.

Centralises sensitive post-execution actions by leveraging DOG's data-only gadget chains to perform credential extraction from LSASS memory without relying on a custom kernel driver. It provides two injection paths: DLL injection and Shellcode injection, each configurable by target PID, payload path, and delivery method (APC or remote thread), with injection operations also carried out through DOG's gadget chaining using existing signed kernel code.

Designed to support advanced post-exploitation workflows where credential material is required.

The agent performs a kernel-level operation that targets the LSASS process memory and extracts 3DES keys associated with protected authentication data. This capability is very useful during Red Team engagements and provides a structured method for retrieving credential-related artifacts from secured system components.