Palette / Bitmap Objects

Legacy GDI palette and bitmap object exploitation for kernel R/W (pre-RS3).

Description

Before Windows 10 RS3 (1709), GDI objects such as bitmaps (whose pixel data is referenced by SURFOBJ.pvScan0) and palettes were allocated in the session paged pool, which was accessible from user mode. By corrupting a bitmap's pvScan0 pointer so that it referenced an arbitrary kernel address, an attacker could turn ordinary bitmap get/set operations into an arbitrary kernel read/write primitive.

Status

This technique is largely mitigated on modern Windows (RS3 and later), where GDI objects were moved to a kernel-only pool that is no longer reachable from user mode. It is documented here for historical reference and because older, unpatched systems remain exposed to it.