{"id":1037,"date":"2025-08-25T21:56:25","date_gmt":"2025-08-25T19:56:25","guid":{"rendered":"https:\/\/hacktarus.fr\/?p=1037"},"modified":"2025-10-24T20:58:09","modified_gmt":"2025-10-24T18:58:09","slug":"windows-kernel-attacks-protections-and-bypass","status":"publish","type":"post","link":"https:\/\/hacktarus.fr\/?p=1037","title":{"rendered":"Windows kernel attacks, protections and bypass"},"content":{"rendered":"\n<p>Microsoft natively provides a whole range of technologies for protecting the kernel, because a good number of ransomware-style attacks necessarily go through it.<br><br>Indeed, in order to break through the defenses, attackers need to disable (or blind) security solutions such as antivirus and EDR, and the only way to achieve that is to operate at a higher execution level, in kernel space.<br><br>Attached is a short slide deck I put together (in English); it lists Windows internal technologies for countering these BYOVD (Bring Your Own Vulnerable Driver) kernel attacks, and covers a good number of acronyms such as SMEP, HVCI, KASLR, KCFG, KCET, etc.<br><br>Note that some of these kernel protection features are not enabled by default&#8230;<br><br>I will try to accompany these slides with a commented video (or even labs), because this topic is complex and almost inaccessible to anyone who has never touched Windows Internals, drivers, assembly and bypass techniques such as ROP.<\/p>\n\n\n\n<div class=\"wp-block-file\"><a id=\"wp-block-file--media-ab10d344-c102-46b6-8abd-f9c5c4d13107\" href=\"http:\/\/hacktarus.fr\/wp-content\/uploads\/2025\/08\/Windows-kernel-attacks-protections-and-bypass-1.pptx\">Windows kernel attacks, protections and bypass<\/a><a href=\"http:\/\/hacktarus.fr\/wp-content\/uploads\/2025\/08\/Windows-kernel-attacks-protections-and-bypass-1.pptx\" class=\"wp-block-file__button wp-element-button\" download aria-describedby=\"wp-block-file--media-ab10d344-c102-46b6-8abd-f9c5c4d13107\">Download<\/a><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft natively provides a whole range of technologies for protecting the kernel, because a good number of ransomware-style attacks necessarily go through it. Indeed, in order to break through the defenses, attackers need to disable (or blind) security solutions such as antivirus and EDR, and the only &hellip; <a href=\"https:\/\/hacktarus.fr\/?p=1037\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Windows kernel attacks, protections and bypass<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-1037","post","type-post","status-publish","format-standard","hentry","category-pentest"],"_links":{"self":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts\/1037","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1037"}],"version-history":[{"count":2,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts\/1037\/revisions"}],"predecessor-version":[{"id":1041,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts\/1037\/revisions\/1041"}],"wp:attachment":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1037"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1037"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1037"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}