EuskalHack 2026 Conference - Subverting the Windows Kernel

Modern Windows systems are protected by an increasingly sophisticated set of security mechanisms designed to make kernel exploitation significantly more difficult than it was just a few years ago. 

At the 2026 EuskalHack Security Congress, Exploit Pack founder and security researcher Juan Sacco presented his latest research in a talk titled "Subverting the Windows Kernel with VBS/HVCI." The presentation focused on modern kernel exploitation and explored how attackers and researchers are adapting to increasingly hardened Windows environments.

Traditional kernel code execution techniques are largely mitigated by modern defences, and that's why the talk examined alternative approaches that leverage trusted execution paths and kernel data structures.

His research builds on recent work involving data-oriented exploitation, SSDT and Shadow SSDT manipulation, and the use of carefully controlled read/write primitives to influence kernel behaviour without violating HVCI-enforced code integrity restrictions.

A major highlight of the presentation was a live demonstration performed on a fully updated Windows 11 system configured with VBS/HVCI and kCET enabled. The demonstration generated a few moments of suspense as the exploit chain was executed in real time in front of the audience. Ultimately, the attack succeeded, resulting in SYSTEM-level privileges and arbitrary code execution on the target machine while all major security mitigations remained enabled.

Modern Windows protections have dramatically increased the complexity and cost of kernel exploitation, but they have not eliminated it. Instead, exploitation research has evolved toward more subtle techniques that focus on data manipulation, trusted kernel mechanisms, and the abuse of legitimate execution flows, getting away from direct code injection or kernel patching.

The talk also highlighted the growing importance of understanding how defensive technologies interact with offensive techniques. Security teams often view mitigations such as VBS and HVCI as endpoint protections, but from a research perspective, they also create new constraints, assumptions, and opportunities that must be carefully analysed. Understanding these interactions is essential for evaluating the true security posture of modern operating systems.

As operating system vendors continue to strengthen platform security, offensive research remains critical for validating defences, identifying design assumptions, and discovering the gaps that inevitably emerge between theoretical protection and practical implementation. The work presented at EuskalHack 2026 serves as another example of how exploitation techniques continue to evolve alongside the defences designed to stop them.

The complete research, technical demonstrations, and related kernel exploitation material are part of Exploit Pack's ongoing offensive security research efforts, which focus on modern exploitation techniques, vulnerability research, exploit development, and advanced Windows internals.