Do you have AtomBombing in your red team arsenal?
Learn what the AtomBombing process injection technique is and how it enables red team tradecraft.
In Windows, an atom is a 16-bit integer that refers to a string stored in an atom table. The global atom table lets every process on the system share strings with every other process; a local atom table is private to a single application.
A process can add a string to the global atom table with GlobalAddAtom, and any other process can read that string back by its atom number with GlobalGetAtomName. That cross-process read is the crux of AtomBombing: the injecting process writes its code into the global atom table as atom strings, then makes a thread in the target process call GlobalGetAtomName (via an asynchronous procedure call) so that the target itself copies the data into its own address space, after which the injector steers execution to the copied code. Refer to Tal Liberman's article for a deep dive into how AtomBombing works behind the scenes, and to his GitHub repository for the proof of concept of this technique.
Red Team Notes
- It uses only normal, documented features of the OS (atom tables and APCs) rather than a vulnerability to achieve code injection, so there is nothing for the vendor to patch; defenders have to rely on detection.
- With proper OPSEC it can be a stealthy way to achieve process injection.
- Relevant Windows API:
  - GlobalAddAtom
  - GlobalGetAtomName
- Does not need administrator privileges, but without SeDebugPrivilege you can only inject into processes in the same security context (same user and integrity level), because the injector needs a thread handle in the target to queue the APC.
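The data-sharing primitive described above and the two APIs listed in the notes, as an added example that is not from the original post or from Tal Liberman's PoC: it stores a string in the global atom table in 255-character chunks with GlobalAddAtomW, then reads the chunks back by atom number with GlobalGetAtomNameW. The `Win32.Atoms` wrapper and the function names `Write-GlobalAtomData` and `Read-GlobalAtomData` are this example's own; it only exercises the atom table and does not inject into any process.

```powershell
# Added example (not from the original post or the AtomBombing PoC):
# write arbitrary text into the Global Atom Table and read it back by atom ID.
if (-not ('Win32.Atoms' -as [type])) {
    Add-Type -Namespace Win32 -Name Atoms -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern ushort GlobalAddAtomW(string lpString);

[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint GlobalGetAtomNameW(ushort nAtom, System.Text.StringBuilder lpBuffer, int nSize);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern ushort GlobalDeleteAtom(ushort nAtom);
'@
}

function Write-GlobalAtomData {
    # Splits $Text into atom strings and returns the atom IDs in order.
    param([Parameter(Mandatory)][string]$Text)
    $maxChars = 255   # atom strings are null-terminated and capped at 255 characters
    $atoms = @()
    for ($i = 0; $i -lt $Text.Length; $i += $maxChars) {
        $len   = [Math]::Min($maxChars, $Text.Length - $i)
        $chunk = $Text.Substring($i, $len)
        $atom  = [Win32.Atoms]::GlobalAddAtomW($chunk)
        if ($atom -eq 0) {
            throw "GlobalAddAtomW failed: Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
        $atoms += $atom
    }
    return $atoms
}

function Read-GlobalAtomData {
    # Reassembles the text from a list of atom IDs; works from any process in
    # the same session, which is the property AtomBombing builds on.
    param([Parameter(Mandatory)][uint16[]]$Atoms)
    $buf = New-Object System.Text.StringBuilder 256   # 255 chars + terminator
    $out = New-Object System.Text.StringBuilder
    foreach ($a in $Atoms) {
        [void]$buf.Clear()
        $n = [Win32.Atoms]::GlobalGetAtomNameW($a, $buf, $buf.Capacity)
        if ($n -eq 0) { throw "GlobalGetAtomNameW failed for atom $a" }
        [void]$out.Append($buf.ToString(0, [int]$n))
    }
    return $out.ToString()
}

function Remove-GlobalAtomData {
    # Atoms are reference counted: one GlobalDeleteAtom per GlobalAddAtom.
    param([Parameter(Mandatory)][uint16[]]$Atoms)
    foreach ($a in $Atoms) { [void][Win32.Atoms]::GlobalDeleteAtom($a) }
}

# Writer side (constructed sample data, 300 characters so it spans two atoms):
$ids = Write-GlobalAtomData -Text (('A' * 286) + 'PAYLOAD-MARKER')
"Atom IDs: $($ids -join ',')"

# Reader side: paste the IDs into a second PowerShell process in the same
# session and the text comes back out of the Global Atom Table.
Read-GlobalAtomData -Atoms $ids
```

Two practical caveats follow directly from the API. Atom strings are null-terminated, so raw shellcode containing zero bytes cannot be stored verbatim and has to be split around the nulls; and atom lookup is case-insensitive, so a chunk that differs only in case from a string already in the table is returned as the existing atom and reads back with the original casing. Call `Remove-GlobalAtomData` once you are done, otherwise the strings stay in the shared table until every reference is released.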
Follow my journey of 100 Days of Red Team on WhatsApp or Discord.
If you’d like to hear from Tal himself, below is the recording of his presentation, AtomBombing: Injecting Code Using Windows’ Atoms, presented at BSidesSF 2017.