Primitives
Finding a vulnerability in a kernel driver is only half the story. A buffer overflow, a use-after-free, a missing bounds check -- these tell you what went wrong, but they do not tell you what an attacker can do with it. The answer depends on the primitive the vulnerability yields: the controlled capability that transforms a memory corruption bug into something an attacker can actually use. A pool overflow in cldflt.sys might corrupt an adjacent pipe attribute entry, giving the attacker a controlled read beyond the allocation boundary. A missing ProbeForWrite in afd.sys might let user-mode code write to an arbitrary kernel address. The vulnerability class describes the flaw; the primitive describes the power it grants.
This section catalogs those building blocks. Primitives split into two families that reflect the two-phase structure of nearly every modern Windows kernel exploit. The first phase achieves arbitrary kernel read/write, converting a constrained corruption into full memory access. The second phase leverages that access for exploitation, targeting the specific kernel data structures that control privilege, identity, and access.
FIG_005 — Primitive Taxonomy
19 primitives split between achieving arbitrary R/W (left) and leveraging it for exploitation (right).
The relationship between these two families is sequential but not always one-to-one. A single pool overflow might yield a relative read through a corrupted pipe attribute, which leaks enough kernel pointers to set up an I/O Ring write, which ultimately overwrites a process token. Each primitive in the chain builds on the previous one. Understanding what each primitive provides, what it requires as input, and where it sits in the exploitation timeline is what separates a crash from a privilege escalation.
Arbitrary Read/Write Primitives
These are the techniques that convert a vulnerability into controlled kernel memory access. Some are direct and immediate, like an IOCTL that simply hands you physical memory read/write with no corruption needed. Others are indirect, requiring multiple steps of pool grooming and corruption chaining before stable R/W emerges. The primitive matrix tracks which of these remain viable across Windows versions and mitigation configurations.
| Primitive | Description |
|---|---|
| Direct IOCTL R/W | Drivers exposing direct memory read/write IOCTLs |
| Pool Overflow | Heap corruption of adjacent allocations |
| MDL Mapping | Abusing MDL lock/map for arbitrary mapping |
| Arb Increment/Decrement | Controlled increment/decrement at arbitrary address |
| Write-What-Where | Controlled address and value write |
| Registry-Based | Passing controlled data via registry values |
| DMA / MMIO | Physical memory access via DMA or MMIO |
| Pipe Attributes | Named pipe EA-based pool read/write |
| Token Manipulation | Overwriting token structures |
| PTE Manipulation | Modifying page table entries |
Exploitation Primitives
Once arbitrary kernel R/W is established, the question becomes: what do you do with it? These techniques answer that question. Pool spray shapes memory layout to make corruption predictable. Named pipe objects and WNF state data serve as both spray material and corruption targets. I/O Ring provides a clean, stable R/W channel on modern Windows. And at the end of the chain, token swapping or ACL manipulation converts memory access into actual privilege escalation. The primitive matrix maps these techniques against Windows versions and mitigations, showing how the exploitation landscape has shifted from GDI bitmap abuse on Windows 7 to data-only I/O Ring chains on Windows 11 24H2.
| Primitive | Description |
|---|---|
| Pool Spray / Feng Shui | Heap grooming for controlled layout |
| Named Pipe Objects | Pipe objects as spray and R/W gadgets |
| I/O Ring | I/O Ring mechanism for kernel R/W |
| WNF State Data | WNF objects as pool spray primitives |
| Palette / Bitmap | Legacy GDI object exploitation |
| KUSER_SHARED_DATA | Fixed-address data structure abuse |
| PreviousMode Manipulation | KTHREAD.PreviousMode overwrite |
| Token Swapping | Process token pointer replacement |
| ACL / SD Manipulation | Security descriptor modification |
| Bit-Manipulation Primitives | kCFG-compliant bitmap function abuse |