Atom Bombing

Atom Bombing is another form of process injection. Like Process Doppelgänging, this technique abuses legitimate Windows functions, in this case Atom Tables. Atom Tables provide a globally accessible string storage mechanism: an application can store data in an Atom Table, where other applications can access it. The Atom Bombing technique stores shellcode in the Atom Tables. The injection then occurs when the targeted process is forced (with NtQueueApcThread) to retrieve this specific atom. Finally, a Return Oriented Programming (ROP) chain is used to bypass Data Execution Prevention (DEP) and run the shellcode.
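
A defender's view of the sequence described above, as an added example that is not part of the original page: it correlates global atom writes with a cross-process NtQueueApcThread call made by the same process shortly afterwards. The event schema, process names, sample events and thresholds are constructed assumptions, not the output of a real monitoring tool.

```python
from collections import defaultdict

# Constructed API-call telemetry (hypothetical schema, for illustration only).
# ts = seconds, pid = calling process, target_pid = process owning the APC's thread.
EVENTS = [
    {"ts": 10.0, "pid": 4120, "image": "updater.exe", "api": "GlobalAddAtomW"},
    {"ts": 10.1, "pid": 4120, "image": "updater.exe", "api": "GlobalAddAtomW"},
    {"ts": 10.2, "pid": 4120, "image": "updater.exe", "api": "GlobalAddAtomW"},
    {"ts": 10.4, "pid": 4120, "image": "updater.exe", "api": "NtQueueApcThread",
     "target_pid": 2888},
    {"ts": 11.0, "pid": 5300, "image": "editor.exe", "api": "GlobalAddAtomW"},
    {"ts": 55.0, "pid": 5300, "image": "editor.exe", "api": "NtQueueApcThread",
     "target_pid": 5300},
    {"ts": 60.0, "pid": 6012, "image": "svc.exe", "api": "NtQueueApcThread",
     "target_pid": 700},
]


def find_atom_apc_sequences(events, window=5.0, min_atoms=2):
    """Flag processes that write global atoms and then queue an APC to a
    thread in a different process within `window` seconds.

    `window` and `min_atoms` are tunable assumptions to cut noise.
    """
    atom_writes = defaultdict(list)  # pid -> timestamps of atom writes
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid = ev["pid"]
        if ev["api"] == "GlobalAddAtomW":
            atom_writes[pid].append(ev["ts"])
        elif ev["api"] == "NtQueueApcThread":
            if ev.get("target_pid") == pid:
                continue  # an APC queued to the caller's own thread is not injection
            recent = [t for t in atom_writes[pid] if 0 <= ev["ts"] - t <= window]
            if len(recent) >= min_atoms:
                alerts.append({
                    "pid": pid,
                    "image": ev["image"],
                    "target_pid": ev["target_pid"],
                    "atom_writes": len(recent),
                    "apc_ts": ev["ts"],
                })
    return alerts


if __name__ == "__main__":
    for alert in find_atom_apc_sequences(EVENTS):
        print("possible atom-table injection:", alert)
```

Either call on its own is common in legitimate software; the signal is the two together, from one process, aimed at another.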
