AtomBombing: Injecting Code Using Windows’ Atoms

Presented at BSidesSF 2017, Feb. 13, 2017, 2:50 p.m. (30 minutes).

In this talk we present a code injection technique, dubbed AtomBombing, which abuses Windows atom tables and Asynchronous Procedure Calls (APCs). At the time of its release (October 2016), AtomBombing went undetected by common security solutions that focus on preventing infiltration. AtomBombing affects all Windows versions; in particular, we tested it against Windows 10 and Windows 7. This issue cannot simply be patched by Microsoft, since it relies not on broken or flawed code but on how these operating-system mechanisms are designed.
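The global atom table is the channel AtomBombing uses to stage data into the target process, and it is readable from any process in the same session. The PowerShell snippet below is an added hunting aid, not code from the talk or from enSilo: it snapshots the session's global atom table through a P/Invoke of `GlobalGetAtomNameW` and flags entries that look like payload chunks rather than the short, printable names (window classes, clipboard formats) normally found there. The length and printability thresholds are assumptions to tune per environment, and the check covers only the staging step: it says nothing about the APC that makes the target read the atom, and an injector can free its atoms as soon as the target thread has read them, so an empty result is not proof of absence.

```powershell
# Added example (not from the talk or from enSilo): snapshot the session's
# global atom table and report entries that look like injected payload chunks.
# String atoms occupy 0xC000..0xFFFF; values below that are integer atoms.

Add-Type -Namespace Win32 -Name Atoms -MemberDefinition @"
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint GlobalGetAtomNameW(ushort nAtom, System.Text.StringBuilder lpBuffer, int nSize);
"@

function Get-GlobalAtomSnapshot {
    # Atom names are at most 255 characters; 1024 leaves ample room.
    $buf = New-Object System.Text.StringBuilder 1024
    for ($atom = 0xC000; $atom -le 0xFFFF; $atom++) {
        [void]$buf.Clear()
        $len = [Win32.Atoms]::GlobalGetAtomNameW([uint16]$atom, $buf, $buf.Capacity)
        if ($len -eq 0) { continue }   # empty slot (ERROR_INVALID_HANDLE)
        $name = $buf.ToString(0, [int]$len)
        # Count characters outside printable ASCII; legitimate atoms are almost
        # always plain identifiers, payload bytes rarely are.
        $nonPrintable = @($name.ToCharArray() |
            Where-Object { [int]$_ -lt 0x20 -or [int]$_ -gt 0x7E }).Count
        [pscustomobject]@{
            Atom         = ('0x{0:X4}' -f $atom)
            Length       = [int]$len
            NonPrintable = $nonPrintable
            Preview      = ($name -replace '[^\x20-\x7E]', '.').Substring(0, [Math]::Min(40, $name.Length))
        }
    }
}

# Heuristic thresholds (assumptions, tune for your environment): flag atoms
# longer than 64 characters or containing any non-printable character.
Get-GlobalAtomSnapshot |
    Where-Object { $_.Length -gt 64 -or $_.NonPrintable -gt 0 } |
    Sort-Object Length -Descending |
    Format-Table -AutoSize
```

Run it from an interactive session of the user whose desktop you are investigating, since the global atom table is per window station. Non-ASCII but legitimate atom names (for example localized window-class names) will also be flagged, so treat hits as leads for memory inspection of the processes in that session rather than as verdicts.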

Presenters:

  • Udi Yavo - CTO - enSilo
    Udi Yavo has more than 15 years of experience in security, with a proven track record of leading cutting-edge cyber-security R&D projects. Prior to enSilo, Udi spearheaded the direction of the cyber-security unit at the National Electronic Warfare Research & Simulation Center of Rafael Advanced Defense Systems and served as its CTO. Additionally, he developed and led Rafael's cyber training programs. Udi's achievements at Rafael have been recognized with excellence and innovation awards for complex security projects. Prior to Rafael, Udi served as a system architect in the IDF. He holds a BA in Computer Science from the Open University.
  • Tal Liberman - Security Research Team Leader - enSilo
    Tal has a strong interest in cyber-security, focusing mainly on OS internals, reverse engineering and low-level research. As a cyber-security research team leader at enSilo, Tal's team is responsible for reverse engineering OS internals, exploits and malware, and for integrating their findings into enSilo's core platform. In particular, Tal is keen on "documenting the undocumented" in the Windows OS, including CFG and other mitigation technologies, and code injection techniques such as AtomBombing. Tal holds a BSc in Computer Science from the University of Haifa, Israel.
