# Primitive Matrix
Version-aware matrix showing which exploitation primitives work on which Windows builds and which mitigations block them.
## Overview
Exploitation techniques have limited lifespans. As Microsoft introduces kernel mitigations, previously reliable primitives become blocked or constrained, forcing attackers to adopt new approaches. This matrix tracks the availability window for each major exploitation primitive across Windows versions, helping researchers understand which techniques apply to a given target build.
## Version Compatibility Matrix

| Primitive | Technique | Min Build | Max Build | Blocked By | Replacement |
|---|---|---|---|---|---|
| Pool Spray (Palette/Bitmap) | Spray pool with GDI objects to control allocation layout | pre-RS1 | RS3 (10.0.16299) | Type Isolation prep, pool layout changes | Named Pipe Attributes spray |
| GDI Palette/Bitmap R/W | Abuse GDI object headers for kernel read/write | pre-RS1 | RS4 (10.0.17134) | GDI object type isolation | WNF State Data, Pipe Attributes |
| WNF State Data | Corrupt _WNF_STATE_DATA for relative R/W | RS5 (10.0.17763) | 21H2 (10.0.22000) | Pool hardening improvements | I/O Ring |
| Named Pipe Attributes | Spray pipe attributes in paged/nonpaged pool | RS5 (10.0.17763) | Current (still works) | Partially mitigated by pool hardening | Still primary for pool spray |
| I/O Ring R/W | Abuse I/O Ring structures for arbitrary kernel R/W | 21H2 (10.0.22000) | Current | No full block yet | Primary kernel R/W on 22H2+ |
| PTE Manipulation | Modify page table entries to remap physical memory | All versions | Current | Requires existing ARW primitive | Still works |
| Token Swapping | Overwrite process token pointer for privilege escalation | All versions | Current | No direct mitigation | Still works (offsets change per build) |
| KUSER_SHARED_DATA | Abuse shared kernel/user page for code exec or data | All versions | Current | SMEP blocks code execution variant | Data-only variant still works |
| Previous Mode Manipulation | Flip thread PreviousMode to bypass access checks | All versions | Current | HVCI makes it harder (not a full block) | Still works on non-VBS systems |
| ACL/SD Manipulation | Overwrite security descriptors for privilege escalation | All versions | Current | No direct block | Still works |
## Mitigation Impact Summary

| Mitigation | Introduced | Primitives Blocked | Primitives Unaffected |
|---|---|---|---|
| SMEP | Windows 8+ (hardware) | KUSER_SHARED_DATA code exec | Token Swap, PTE, I/O Ring, Named Pipe, ACL |
| SMAP | Windows 10 RS1+ (hardware) | Direct user-page access from kernel | I/O Ring, Token Swap, PTE, ACL |
| kCFG | Windows 10 RS2+ | Indirect call hijacking | Data-only primitives (Token, ACL, PTE) |
| kCET | Windows 11 22H2+ (hardware) | ROP/JOP chains, shadow stack bypass | Data-only primitives |
| HVCI | Windows 10+ (opt-in), Windows 11 (default on) | RWX kernel pages, Previous Mode (harder) | Token Swap, ACL, data-only attacks |
| Pool Hardening | Windows 10 21H1+ | Pool overflow adjacent corruption (harder) | I/O Ring, PTE, Token (via other primitives) |
| Type Isolation | Windows 10 RS3+ | GDI Palette/Bitmap pool spray | Named Pipe spray, I/O Ring |
| Secure Pool | Windows 11 22H2+ | Pool metadata corruption | I/O Ring, data-only attacks |
## Current Recommended Chains (24H2)

### Non-VBS Systems
I/O Ring provides the most reliable kernel R/W primitive on modern Windows. Once arbitrary read/write is established, Token Swapping is the simplest privilege escalation path. PTE manipulation offers an alternative for achieving code execution.
- Vulnerability trigger to pool corruption to I/O Ring R/W to Token Swap
### VBS/HVCI-Enabled Systems
HVCI blocks unsigned code execution in the kernel, restricting exploitation to data-only techniques. Token overwrite and ACL manipulation remain viable since they do not require executable memory.
- Vulnerability trigger to I/O Ring R/W to data-only attack (Token or ACL manipulation)
### Legacy Systems (pre-21H2)
Older builds without pool hardening or Secure Pool allow WNF or Named Pipe corruption paths. These targets are increasingly rare in enterprise but still common in IoT and embedded Windows.
- Vulnerability trigger to WNF State Data or Named Pipe Attributes to Token/PTE manipulation
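The three chains above are selected by build number and by whether VBS/HVCI is enforced, so the first thing a defender wants to know about a host is which of those rows it falls into. The following PowerShell script is an added inventory check, not part of the matrix page or any project it references: it reads the OS build, the Win32_DeviceGuard CIM class (VBS and HVCI state), and the kernel shadow-stack scenario key for kCET, then reports which mitigations from the summary table are active and which chain section applies. Assumptions: the `KernelShadowStacks` registry path and its `Enabled` value are the kCET switch; the 22H2 and 24H2 GA builds (22621 and 26100) are added to the build numbers the matrix already lists; Secure Pool is treated as requiring VBS. SMEP and SMAP are hardware features and are not queried here.

```powershell
# Added inventory check (not part of the matrix page). Reports the OS build,
# the VBS/HVCI/kCET state, and which chain section of the matrix applies.
# Requires Windows 10/11; run elevated for the DeviceGuard CIM query.

$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$build = [int]$os.BuildNumber

# Build-to-release map. 16299..22000 come from the matrix above; 22621 and
# 26100 are the 22H2 and 24H2 GA builds (added here, not on the page).
$releases = [ordered]@{
    16299 = 'RS3'
    17134 = 'RS4'
    17763 = 'RS5'
    19043 = '21H1'
    22000 = '21H2 (Windows 11)'
    22621 = '22H2 (Windows 11)'
    26100 = '24H2 (Windows 11)'
}
$release = 'pre-RS3 / unknown'
foreach ($k in $releases.Keys) { if ($build -ge $k) { $release = $releases[$k] } }

# VBS and HVCI state. VirtualizationBasedSecurityStatus 2 = running;
# SecurityServicesRunning contains 2 when HVCI (memory integrity) is enforced.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$vbs  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
$hvci = ([int[]]$dg.SecurityServicesRunning -contains 2)

# Kernel-mode hardware-enforced stack protection (kCET). Assumed key path and value.
$cetKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\KernelShadowStacks'
$kcet = $false
if (Test-Path $cetKey) {
    $v = Get-ItemProperty -Path $cetKey -Name Enabled -ErrorAction SilentlyContinue
    $kcet = ($null -ne $v -and $v.Enabled -eq 1)
}

# Build-gated mitigations from the summary table: pool hardening from 21H1,
# Secure Pool from 22H2 (assumed to depend on VBS being active).
$poolHardening = ($build -ge 19043)
$securePool    = ($build -ge 22621 -and $vbs)

# Pick the chain section of the matrix that this host falls under.
if ($hvci)                 { $chain = 'VBS/HVCI-Enabled: data-only (Token or ACL manipulation)' }
elseif ($build -lt 22000)  { $chain = 'Legacy (pre-21H2): WNF State Data / Named Pipe Attributes paths' }
else                       { $chain = 'Non-VBS: I/O Ring R/W to Token Swap' }

[pscustomobject]@{
    Build           = $build
    Release         = $release
    VBS             = $vbs
    HVCI            = $hvci
    kCET            = $kcet
    PoolHardening   = $poolHardening
    SecurePool      = $securePool
    ApplicableChain = $chain
}
```

Run it with `Get-CimInstance` rights on each host in a fleet inventory; a result with `HVCI = $false` on a Windows 11 build means the non-VBS chain in this matrix applies, which is usually the first mitigation gap worth closing.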
## Cross-References
- I/O Ring -- Primary kernel R/W primitive on 22H2+
- Token Swapping -- Privilege escalation via token pointer overwrite
- Named Pipe Objects -- Pool spray and relative R/W technique
- WNF State Data -- Legacy R/W primitive for RS5 through 21H2
- Palette/Bitmap -- Historic GDI-based kernel R/W
- Pool Spray and Feng Shui -- Pool layout manipulation techniques
- PTE Manipulation -- Page table entry abuse for memory remapping
- KUSER_SHARED_DATA -- Shared kernel/user page exploitation
- Previous Mode Manipulation -- Thread mode abuse for access check bypass
- ACL/SD Manipulation -- Security descriptor overwrite for privilege escalation