Primitives
A vulnerability class describes what went wrong; a primitive describes what the attacker gains. This section catalogs the exploitation building blocks — the controlled capabilities that convert a memory corruption bug into reliable privilege escalation. Primitives split into two families: techniques that achieve arbitrary kernel read/write, and techniques that leverage that R/W for exploitation.
FIG_005 — Primitive Taxonomy
19 primitives split between achieving arbitrary R/W (left) and leveraging it for exploitation (right).
Arbitrary Read/Write Primitives
Vulnerability patterns and driver behaviors that yield controlled kernel memory access.
| Primitive | Description |
|---|---|
| Direct IOCTL R/W | Drivers exposing direct memory read/write IOCTLs |
| Pool Overflow | Heap corruption of adjacent allocations |
| MDL Mapping | Abusing MDL lock/map for arbitrary mapping |
| Arb Increment/Decrement | Controlled increment/decrement at arbitrary address |
| Write-What-Where | Controlled address and value write |
| Registry-Based | Passing controlled data via registry values |
| DMA / MMIO | Physical memory access via DMA or MMIO |
| Pipe Attributes | Named pipe EA-based pool read/write |
| Token Manipulation | Overwriting token structures |
| PTE Manipulation | Modifying page table entries |
Exploitation Primitives
Techniques for converting a vulnerability into reliable exploitation.
| Primitive | Description |
|---|---|
| Pool Spray / Feng Shui | Heap grooming for controlled layout |
| Named Pipe Objects | Pipe objects as spray and R/W gadgets |
| I/O Ring | Abusing the I/O Ring mechanism for kernel R/W |
| WNF State Data | WNF objects as pool spray primitives |
| Palette / Bitmap | Legacy GDI object exploitation |
| KUSER_SHARED_DATA | Fixed-address data structure abuse |
| PreviousMode Manipulation | KTHREAD.PreviousMode overwrite |
| Token Swapping | Process token pointer replacement |
| ACL / SD Manipulation | Security descriptor modification |