AtomBombing: Injecting Code Using Windows’ Atoms presented at BSidesTLV 2017

by Tal Liberman

Summary: We break AtomBombing down into three main stages:

1. Write-What-Where – writing arbitrary data to arbitrary locations in the target process's address space.
2. Execution – hijacking a thread of the target process to execute the code written in stage 1.
3. Restoration – cleaning up and restoring the execution of the thread hijacked in stage 2.

While we delve into each stage, we'll also discuss the hurdles we had to overcome to arrive at the final code injection technique. For example: in stage (1), we call a function that expects three parameters, but APC only supports calling a function with a single parameter. We show how it was possible to bypass this by leveraging the underlying implementation of APC rather than the documented API. In stage (2), we present how to overcome DEP; this was needed because we couldn't assume RWX memory would be available in the target process. In stage (3), we show the internals of the APC mechanism from the perspective of the target process, and we demonstrate how coincidental functionality of APC's dispatch function lets the attacker clear their footprints from the hijacked thread.

While the above steps work only on non-CFG-protected processes, we'll end the talk by demonstrating how to inject code into CFG-protected processes as well. We do this by enabling indirect calls to CFG-invalid functions and by bypassing CFG's stack pivot protection. Ultimately, we present the complete code injection flow.