Open in app

Sign in

Write

Sign in

Quick look at AtomBombing with WinDbg

Matt Suiche
Comae Technologies
Published in
3 min readNov 2, 2016

Atom Bombing

Recently, a lot of noise has been made about “AtomBombing” (available on github) which was communicated as an “unfixable” method to inject memory into a process, and “undetectable” from anti-virus because they only do disk scans and not memory scans. AtomBombing works by doing the following steps:

  1. Find alertable thread in target process (chrome.exe)
  2. Find a “code cave” in a RW memory block (.data section of chrome.exe!kernelbase.dll)
  3. Build a ROP chain to be injected
  4. Add an Asynchronous Procedure Call (APC) to the alertable thread’s queue.
  5. Hijack the remote thread to execute the shellcode by executing the ROP chain
AtomBombing in effect on a Windows 10 x86.

This indeed sounds very close to existing techniques used for injection. But what’s interesting here, is that memory-based attacks are getting more and more coverage from the media as mentioned in a recent blogpost about bodiless malwares from Kaspersky.

Malwares hiding in memory from the Disk.

Memory Forensics using WinDbg

Let’s grab a memory snapshot of the victim’s machine using DumpIt before opening it in WinDbg to finally analyzing it with SwishDbgExt Windbg extension to try out the new !ms_checkcodecave command.

!ms_checkcodecave
shellcode

How does it work ?

The whole concept of code injection in a process means that this malicious code will be hidden from the disk but will remain present in memory. Hence, we need to find a way to retrieve this piece of malicious code in memory, in the scenario of the POC of Atom Bombing, we need to retrieve the code cave. The algorithm that retrieve the code cave is the following:

It uses the dead space of the .data section of kernelbase.dll, to hide its ROP chain and its “shellcode” — this address space will be null in most of cases which is what !ms_checkcodecave looks for as an anomaly.

SwishDbgExt

SwishDbgExt is a WinDbg extension that I created 2 years ago, which I decided to update this week end to improve support for Windows 10. This is an open-source WinDbg extension which means commits, new features are welcome.

You can fork it on github: https://github.com/msuiche/SwishDbgExt

And don’t forget our WinDbg Feature contest: https://blog.comae.io/comae-2016-contest-swishdbgext-features-3c9a63c62209#.mzl35spb3

Windows 10
Apps
Comae Labs
Windbg
Reverse Engineering

--

--

Matt Suiche
Comae Technologies

Written by Matt Suiche

3.3K Followers
Editor for

Hacker, Microsoft MVP, Founder of @ComaeIo — Co-Founder of @CloudVolumes (now @VMWare)

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams