Juan Sacco, founder of Exploit Pack at No Hat conference (Italy)
Juan Sacco from Exploit Pack delivered a focused, hands-on workshop titled “Subverting the Windows Kernel with rootkits and exploits” at No Hat in Italy.
The workshop was strictly technical: practical tools for exploitation, some techniques for finding vulnerable drivers, and methods for working with undocumented Windows kernel internals, all aimed at improving practitioners’ ability to test and defend Windows systems.
The workshop focused on three primary exploit classes:
-
Physical memory primitives
-
WRMSR / RDMSR primitives
- Overflows (Stack and Heap)
The attendants explored a collection of the tools that Juan has developed for Windows Kernel Exploitation, following along with the practical part of the workshop. Laptops with VM and Ghidra installed were ready to follow along!
The workshop was fast-paced and very hands-on, so attendees were advised to expect a few blue screens, learn new techniques, and walk away with new ideas for their next Windows kernel exploit.
Protections and mitigation were also covered during the workshop, how they can affect exploitability, and current bypasses and/or evasions for Windows 11.
Topics included:
- Kernel Patch Protection
- Stack canaries (GS)
- Code signing
- KASLR
- Shadow stack
- SMEP/SMAP
- Hypervisor-based protections
- Other kernel hardening mechanisms
Juan’s session reinforced our commitment to deep, practice-driven research. If you’re interested in the kinds of techniques covered, we have a more in-depth and self-paced training available: Windows Kernel Training