• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

AtomBombing: A Code Injection that Bypasses Current Security Solutions

Jan 5, 2006
14,342 (2.32/day)
System Name AlderLake / Laptop
Processor Intel i7 12700K / Intel i3 7100U
Motherboard Gigabyte Z690 Aorus Master / HP 83A3 (U3E1)
Cooling Noctua NH-U12A 2 fans + Thermal Grizzly Kryonaut Extreme + 5 case fans / Fan
Memory 32GB DDR5 Corsair Dominator Platinum RGB 6000MHz CL36 / 8GB DDR4 HyperX CL13
Video Card(s) MSI RTX 2070 Super Gaming X Trio / Intel HD620
Storage Samsung 980 Pro 1TB + 970 Evo 500GB + 850 Pro 512GB + 860 Evo 1TB x2 / Samsung 256GB M.2 SSD
Display(s) 23.8" Dell S2417DG 165Hz G-Sync 1440p / 14" 1080p IPS Glossy
Case Be quiet! Silent Base 600 - Window / HP Pavilion
Audio Device(s) Panasonic SA-PMX94 / Realtek onboard + B&O speaker system
Power Supply Seasonic Focus Plus Gold 750W / Powerbrick
Mouse Logitech MX Anywhere 2 Laser wireless / Logitech M330 wireless
Keyboard RAPOO E9270P Black 5GHz wireless / HP backlit
Software Windows 11 / Windows 10
Benchmark Scores Cinebench R23 (Single Core) 1936 @ stock Cinebench R23 (Multi Core) 23006 @ stock

"Our research team has uncovered new way to leverage mechanisms of the underlying Windows operating system in order to inject malicious code. Threat actors can use this technique, which exists by design of the operating system, to bypass current security solutions that attempt to prevent infection. We named this technique AtomBombing based on the name of the underlying mechanism that this technique exploits.

AtomBombing affects all Windows version. In particular, we tested this against Windows 10.

Unfortunately, this issue cannot be patched since it doesn’t rely on broken or flawed code – rather on how these operating system mechanisms are designed.

Code Injection 101
"The issue we revealed presents a way for threat actors to inject code. Attackers use code injection to add malicious code into legitimate processes, making it easier to bypass security products, hide from the user, and extract sensitive information that would otherwise be unattainable.

For example, let’s say an attacker was able to persuade a user to run a malicious executable, evil.exe. Any kind of decent application level firewall installed on the computer would block that executable’s communication. To overcome this issue, evil.exe would have to find a way to manipulate a legitimate program, such as a web browser, so that the legitimate program would carry out communication on behalf of evil.exe.

This manipulation technique is known as code injection.

Code Injection: An Important Tool in the Attacker’s Toolbox
"There are quite a few reasons why code injection is useful. An attacker may use code injection, for example, to:

  1. Bypass process level restrictions: Many security products employ a white list of trusted processes. If the attacker is able to inject malicious code into one of those trusted processes, the security product can easily be bypassed.
  2. Access to context-specific data. Some data is only accessible to certain processes, while inaccessible to others. For example:
    1. Taking screenshots. A process that takes a screenshot of the user's screen, must run within the context of the user's desktop. However, more often than not malware will be loaded into the services desktop, not the user’s, preventing the malware from taking a screenshot of the user's desktop. Using code injection, a malware can inject code into a process that’s already running in the user's desktop, take a picture and send it back to the malware in the services desktop.
    2. Performing Man in the Browser (MitB) attacks. By injecting code into a web browser an attacker can modify the content shown to the user. For example, in a banking transaction process, the customer will always be shown the exact payment information as the customer intended via confirmation screens. However, the attacker modifies the data so that the bank receives false transaction information in favor of the attacker, i.e. a different destination account number and possibly amount. In a MitB attack, the customers are unaware of the money being funneled out of their account until it’s too late.
    3. Accessing encrypted passwords. Google Chrome encrypts the user's stored passwords by using Windows Data Protection API (DPAPI). This API uses data derived from the current user to encrypt/decrypt the data and access the passwords. In this scenario, a malware that is not running in the context of the user will not be able to access the passwords. However, if the malware injects code into a process that's already running in the context of the current user, the plain-text passwords can be easily accessed."

Behind the Scenes of AtomBombing
"The underlying Windows mechanism which AtomBombing exploits is called atom tables. These tables are provided by the operating system to allow applications to store and access data. These atom tables can also be used to share data between applications.

What we found is that a threat actor can write malicious code into an atom table and force a legitimate program to retrieve the malicious code from the table. We also found that the legitimate program, now containing the malicious code, can be manipulated to execute that code.

For the technology deep dive, please the researcher’s post here: https://breakingmalware.com/injection-techniques/atombombing-brand-new-code-injection-for-windows/

Code Injections in the Past
"Currently there are just a handful of known code injection techniques. A list of several of these can be found here: http://resources.infosecinstitute.com/code-injection-techniques/

Additionally, last summer our research team found a new code injection technique called PowerLoaderEx. PowerLoaderEx enables an attacker to inject code without needing to actually write code or data to the injected process.

Once a code injection technique is well-known, security products focused on preventing attackers from compromising the endpoints (such as anti-virus and host intrusion prevention systems), typically update their signatures accordingly. So once the injection is known, it can be detected and mitigated by the security products.

Being a new code injection technique, AtomBombing bypasses AV, NGAV and other endpoint infiltration prevention solutions.

"AtomBombing is performed just by using the underlying Windows mechanisms. There is no need to exploit operating system bugs or vulnerabilities.

Since the issue cannot be fixed, there is no notion of a patch for this. Thus, the direct mitigation answer would be to tech-dive into the API calls and monitor those for malicious activity.

It’s important though at this point to take a step back. AtomBombing is one more technique in the attacker’s toolbox. Threat actors will continuously take out a tool – used or new - to ensure that they bypass anti-infiltration technologies (such as AV, NGAV, HIPS, etc).

Obviously we need to find a different way to deal with threat actors. Under the assumption that threat actors will always exploit known and unknown techniques, we need to build our defenses in a way that prevents the consequences of the attack once the threat actor has already compromised the environment.


About Atom Tables:
Last edited:


~Technological Technocrat~
Apr 20, 2007
22,620 (3.97/day)
System Name Codename: Icarus Mk.V
Processor Intel 8600k@Stock -- pending tuning
Motherboard Asus ROG Strixx Z370-F
Cooling CPU: BeQuiet! Dark Rock Pro 4 {1xCorsair ML120 Pro|5xML140 Pro}
Memory 32GB XPG Gammix D10 {2x16GB}
Video Card(s) ASUS Dual Radeon™ RX 6700 XT OC Edition
Storage Samsung 970Evo 512GB SSD (Boot)|WD Blue 1TB SSD|2x 3TB Toshiba DT01ACA300
Display(s) LG GP850-B
Case Corsair 760T (White)
Audio Device(s) Yamaha RX-V573|Speakers: JBL Control One|Auna 300-CN|Wharfedale Diamond SW150
Power Supply Corsair AX760
Mouse Logitech G900/G502
Keyboard Duckyshine Dead LED(s) III
Software Windows 10 Pro
Benchmark Scores (ノಠ益ಠ)ノ彡┻━┻
Im sure Japan would like to establish a quick defense against this
Sep 10, 2016
786 (0.35/day)
Riverwood, Skyrim
System Name Storm Wrought | Blackwood (HTPC)
Processor AMD Ryzen 7 3700x @stock | i7 2600k
Motherboard Gigabyte X570 Aorus Pro WIFI m-ITX | Some POS gigabyte board
Cooling BQ Dark Rock Slim, BQ shadow wings 3 High Spd, stock 180mm |BQ Shadow rock LP + 4x120mm Noctua redux
Memory G.Skill Trident 2x8GB 3600MHz 14-15-16-30 | 2x4GB 2000MHz @1866
Video Card(s) Powercolor RX 6800XT Red Dragon | MSI LP GT 1030
Storage SX8200 Pro 1TB, 850EVO 500GB, 2 & 8TB Seagate Barracuda, LG Blu-ray | 120GB Sandisk SSD, 4TB WD red
Display(s) Samsung UJ590UDE 32" UHD monitor | LG BX 55"
Case Silverstone TJ08B-E | Custom built wooden case (Aus native timbers)
Audio Device(s) Onboard, Sennheiser HD 599 cans | Logitech z163's
Power Supply Corsair HX 750 | Corsair SF 450
Mouse Microsoft Pro Intellimouse| Some logitech one
Keyboard GMMK w/ Zelio V2 62g (78g for spacebar) tactile switches & Glorious black keycaps| Some logitech one
Software Win 10 Edu | Ubuntu 20.04
Benchmark Scores Look in the various benchmark threads
Absolutely lovely, all we need now is for someone to make it into a banking trojan and they could make so much money it isn't funny