Every once in a while I get to work on something special, something that leaves me with the keys to open new doors.

Not long ago I came across a font-related vulnerability, a 0day that was being exploited in the wild. The bug was in a driver I was somewhat familiar with [1], ATMFD.DLL. What caught my eye this time, though, was how the exploit obtained SYSTEM privileges in a very elegant and clean way. The technique works by patching the kernel structure that represents a bitmap (SURFOBJ), turning the bitmap into a powerful arbitrary read/write primitive. Alex Ionescu touched on the subject of Win32k shared memory regions in his excellent 2013 talk [2], but he did not mention this one; in fact, the only previous mention of the technique I could find was by Keen Team in June 2015 [5]. For simplicity, every data structure and offset discussed here is known to be valid on Windows 8.1 x64; other builds may differ.

The theory:

Let's focus on GdiSharedHandleTable, the user-mapped portion of Win32k!gpentHmgr. It is an array of structures with one entry per GDI handle. The table is shared: it is mapped read-only into every user-mode process, and each entry records the PID of the process that owns the object, so a process can look up its own objects (and see entries belonging to others) without any kernel call. A pointer to the mapping is exposed at PEB.GdiSharedHandleTable: