AtomBombing: A Code Injection That Bypasses Current Security Solutions

54 points, posted by brakmic over 8 years ago

6 comments

amluto, over 8 years ago

This doesn't seem all that exciting to me. If you have a handle to a target thread that allows you to call QueueUserAPC, it's game over already. You can own that thread in so many ways that I don't see why a new one is exciting. (Heck, you could just use the debugging APIs.)

This seems kind of like saying "hey look, root on a Linux system can inject code into Chrome". No kidding.

Comment #12825188 not loaded
Comment #12826546 not loaded
sebcat, over 8 years ago

1) You need to open a thread handle, and you can only do that on processes running in the same security context as the attacking thread. So you can already execute code, and this vector alone does not give you privilege escalation. It does however allow you to execute code in another process.

2) It uses NtQueueApcThread for 1), which is a known vector for this type of "attack", see e.g. [1]. That code uses NtQueueApcThread to call LoadLibrary in the target process.

3) The "new" thing presented in the article is to get a ROP chain into the called process by using atom tables.

I don't know. I have been away from Windows for about ten years, and a lot may have happened, but this doesn't seem like it would allow me to do something that I couldn't already do. What is the benefit here, compared to e.g. using NtQueueApcThread and LoadLibrary to load the code?

[1] http://www.codeproject.com/Articles/11777/InjLib-A-Library-that-implements-remote-code-injec

Comment #12825036 not loaded
darklajid, over 8 years ago

Disclaimer: I'm clueless.

They claim that there's basically no way to fix this (it's a consequence of the design of some features, Atoms). But as far as I understand they have to call the (undocumented, according to the blog) NtQueueApcThread function.

a) What guarantees are given for undocumented API methods in Windows? I know Microsoft tries hard to make everyone happy, to be backwards compatible. But even for stuff like this?

b) For AV solutions: wouldn't this undocumented call be a somewhat decent marker?
saganus, over 8 years ago

Wow. Is this really as bad as it sounds? I'm no security researcher but this sounds quite bad:

"AtomBombing is performed just by using the underlying Windows mechanisms. There is no need to exploit operating system bugs or vulnerabilities.

Since the issue cannot be fixed, there is no notion of a patch for this"

I'm guessing that if this starts to be a popular attack vector, security firms would try to come up with some sort of atom integrity checker or something, but still, this doesn't look good.

Or am I missing something and maybe it's really not that bad? Does anyone have any resources to read up more on atoms (besides the research paper)?

Comment #12824568 not loaded
Comment #12824495 not loaded
Comment #12831135 not loaded
Animats, over 8 years ago

Here's the real paper. [1]

Windows has a terrible mechanism for inter-thread procedure calls. This is a way to get another thread to call a function determined by the sending thread. (What could possibly go wrong with that?) There are some security safeguards around this, but not enough.

This looks like something left over from the Windows 3.1/DOS days of no memory protection. Microsoft does not recommend it for threads outside the caller's process [2], but it's still in the OS. Some Windows expert might try disabling it for inter-process calls and see what breaks. It's only supposed to work for "desktop processes" anyway; for servers it could be disabled.

(I'm all in favor of inter-process calls, but the QNX MsgSend/MsgReceive/MsgReply mechanism is far better than this. Most others are far worse. Either performance or security is poor.)

[1] https://breakingmalware.com/injection-techniques/atombombing-brand-new-code-injection-for-windows/
[2] https://msdn.microsoft.com/en-us/library/windows/desktop/ms684954(v=vs.85).aspx

Comment #12825757 not loaded
cm3, over 8 years ago

I've read all the text yesterday and still don't see an explanation of how code is executed. I know Windows atom tables as a feature used in DDE (say, for clipboard infrastructure), and it's been there like forever, but how is the code from the table executed?

Comment #12824504 not loaded
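An added example, not code from the linked post or from any commenter, to make concrete two points raised above: sebcat's step 3 and cm3's question about how data gets from the atom table into the target (the global atom table is session-wide, so whatever one process stores with GlobalAddAtom, any other process in the session can have copied into its own memory by calling GlobalGetAtomName with the atom number; the published technique makes the target perform that call for the attacker via an APC, which this example deliberately does not do), and saganus's "atom integrity checker" idea. The function names, the 64-character threshold and the payload string are assumptions made for the example; the Win32 signatures are the documented ones. Windows only.

```powershell
# Added example (not from the original paper or this thread). Shows the global
# atom table as a cross-process data channel, and a crude scan of that table.
# Assumptions: Windows, Windows PowerShell 5.1 or later, both processes in the
# same desktop session. No code is executed in the peer process.

$def = @'
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern ushort GlobalAddAtom(string lpString);
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern uint GlobalGetAtomName(ushort nAtom, System.Text.StringBuilder lpBuffer, int nSize);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern ushort GlobalDeleteAtom(ushort nAtom);
'@
if (-not ('Win32.Atoms' -as [type])) {
    Add-Type -MemberDefinition $def -Name Atoms -Namespace Win32 -ErrorAction Stop
}

function Send-AtomPayload {
    param([Parameter(Mandatory)][string]$Payload)
    # A global atom string is at most 255 bytes and is stored NUL-terminated,
    # so anything longer, or containing NULs, has to be split over several atoms.
    if ($Payload.Length -gt 255) { throw 'payload exceeds the 255-byte atom string limit' }
    $atom = [Win32.Atoms]::GlobalAddAtom($Payload)
    if ($atom -eq 0) {
        throw "GlobalAddAtom failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    return $atom
}

function Receive-AtomPayloadInChild {
    param([Parameter(Mandatory)][uint16]$Atom)
    # A separate process reads the string by atom number only. No OpenProcess,
    # no WriteProcessMemory: the session-wide atom table does the copy.
    $child = @"
`$def = @'
[DllImport("kernel32.dll", CharSet = CharSet.Ansi)]
public static extern uint GlobalGetAtomName(ushort nAtom, System.Text.StringBuilder lpBuffer, int nSize);
'@
Add-Type -MemberDefinition `$def -Name Atoms -Namespace Win32
`$sb = New-Object System.Text.StringBuilder 256
`$n = [Win32.Atoms]::GlobalGetAtomName([uint16]$Atom, `$sb, 256)
if (`$n -eq 0) { exit 2 }
Write-Output `$sb.ToString(0, [int]`$n)
"@
    $enc = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($child))
    $out = & powershell.exe -NoProfile -NonInteractive -EncodedCommand $enc
    if ($LASTEXITCODE -ne 0) { throw "child could not resolve atom 0x$('{0:X4}' -f $Atom)" }
    return ($out -join "`n")
}

function Find-SuspiciousGlobalAtoms {
    param([int]$MinLength = 64)   # threshold is an assumption for the example
    # String atoms live in 0xC000..0xFFFF (lower values are integer atoms).
    # Normal users of the table (window class names, DDE topics, clipboard
    # format names) register short printable strings; flag anything else.
    $sb = New-Object System.Text.StringBuilder 256
    $hits = @()
    for ($a = 0xC000; $a -le 0xFFFF; $a++) {
        [void]$sb.Clear()
        $n = [Win32.Atoms]::GlobalGetAtomName([uint16]$a, $sb, 256)
        if ($n -eq 0) { continue }          # atom not in use
        $s = $sb.ToString(0, [int]$n)
        $nonPrint = @($s.ToCharArray() | Where-Object { [int]$_ -lt 0x20 -or [int]$_ -gt 0x7E }).Count
        if ($n -ge $MinLength -or $nonPrint -gt 0) {
            $hits += [pscustomobject]@{
                Atom         = '0x{0:X4}' -f $a
                Length       = [int]$n
                NonPrintable = $nonPrint
                Preview      = $s.Substring(0, [Math]::Min(24, $s.Length))
            }
        }
    }
    return $hits
}

# Usage with a constructed payload: the child process prints it back, then the
# scan is run, then the demo atom is removed again.
$atom = Send-AtomPayload -Payload ('constructed-demo-payload-' + ('A' * 48))
Receive-AtomPayloadInChild -Atom $atom
Find-SuspiciousGlobalAtoms | Format-Table -AutoSize
[void][Win32.Atoms]::GlobalDeleteAtom($atom)
```

Two caveats a practitioner should keep in mind. First, the scan only sees the global atom table of the caller's own session, and an attacker can delete the atom the moment the target has consumed it, so a one-shot scan is a weak control on its own; it is more useful as a periodic or triggered check alongside the APC-related telemetry darklajid asks about. Second, the channel itself is legitimate Windows behaviour, which is exactly why the post says there is nothing to patch: the detectable part is the combination with a cross-process APC into the target, not the atom table traffic alone.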