Atom Tables?

Syrinx
Sandboxie Guru
Posts: 620
Joined: Fri Nov 13, 2015 4:11 pm

Atom Tables?

Post by Syrinx » Thu Oct 27, 2016 2:59 pm

Atom Tables, first I've heard of them, but there seems to be a way to abuse them:
http://blog.ensilo.com/atombombing-a-co ... -solutions
AtomBombing is performed just by using the underlying Windows mechanisms. There is no need to exploit operating system bugs or vulnerabilities.

Since the issue cannot be fixed, there is no notion of a patch for this. Thus, the direct mitigation answer would be to tech-dive into the API calls and monitor those for malicious activity.
Can Sandboxie do anything to stop this or perhaps it already does?
Goo.gl/p8qFCf

Syrinx
Sandboxie Guru
Posts: 620
Joined: Fri Nov 13, 2015 4:11 pm

Re: Atom Tables?

Post by Syrinx » Thu Oct 27, 2016 11:30 pm

Wanted to update the thread but it timed out so here I go:

Found a little more detailed info on it and, while it's still a bit over my head, it seems that something would need to run [the run restrictions available in Sandboxie would help to mitigate it here] and use a ROP chain [which might be blocked by Sandboxie's current memory write protection schemes, but I can't say for sure]. So until someone uses it in the wild or releases an easy-to-test PoC, I guess it's more than likely Sandboxie would stop it. An anti-exploit that deals with the ROP stage would also hopefully detect and prevent it.
Goo.gl/p8qFCf

RonC
Posts: 245
Joined: Thu Jul 27, 2006 2:07 pm
Location: Funchal, Madeira

Re: Atom Tables?

Post by RonC » Wed Nov 02, 2016 7:38 am

If an infected executable were to be accidentally run during a sandboxed session, would the modified atom tables be returned to their prior status -- when the sandbox is dumped?

If yes, then this would be an adequate precaution, for this kind of attack, to be taken before doing any critical activity, e.g., online banking?

Would be nice if Alan or Curt could 'chime in' here.
RonC
Windows 7 Pro SP1 (32-bit)

Conadan
Posts: 10
Joined: Thu Apr 17, 2014 8:27 pm

Re: Atom Tables?

Post by Conadan » Wed Nov 02, 2016 8:32 am

RonC wrote:
> If an infected executable were to be accidentally run during a sandboxed session, would the modified atom tables be returned to their prior status -- when the sandbox is dumped?

I think you are asking the wrong question. Atom tables are only used in this attack to make other processes run malicious code. Even if these tables are restored, other programs that might be outside Sandboxie could have already gotten the malicious code from these tables and already done harm to your system.

I myself have no idea if Sandboxie isolates these atom tables, but if it doesn't, this could be a very effective way of bypassing Sandboxie. Hope someone from Sandboxie's team could give an answer :)

Curt@invincea
Sandboxie Lead Developer
Posts: 1638
Joined: Fri Jan 17, 2014 5:21 pm

Re: Atom Tables?

Post by Curt@invincea » Thu Nov 03, 2016 5:45 pm

The "AtomBombing" technique described by these authors involves adding malicious code to the global atom table, and getting a process to execute this code by some injection technique (such as QueueUserApc). Sbie blocks injection outside the sandbox. So these techniques will not work with a sandboxed process.

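The monitoring approach Syrinx's first post quotes ("tech-dive into the API calls and monitor those for malicious activity") and the two-step pattern Curt describes (data written into the global atom table, then an injection primitive such as QueueUserAPC aimed at another process) can be turned into a simple correlation rule. The following is an added example written for this thread, not code from Sandboxie, enSilo or any poster: it parses constructed API-monitor trace lines in a hypothetical `pid;api;key=value;...` format (the `target_pid` field is assumed to have been resolved by the monitor from the thread handle) and flags a process that both adds a large amount of data to the global atom table and then queues an APC into a different process. A process that only uses small atoms for its own window-class or DDE bookkeeping is not flagged.

```python
# Added example: correlate API-monitor events to detect the AtomBombing
# pattern (large global atom writes followed by cross-process APC queueing).
# Trace format and field names are assumptions for this example, not a
# real tool's output.
import re
from collections import defaultdict

# Constructed sample trace: pid;api;args  (not real captured data)
SAMPLE_TRACE = """\
1234;GlobalAddAtomW;len=1024
1234;NtQueueApcThread;target_pid=5678;thread=88
4321;GlobalAddAtomW;len=12
4321;GlobalGetAtomNameW;len=12
5678;GlobalGetAtomNameW;len=1024
"""

EVENT_RE = re.compile(r"^(?P<pid>\d+);(?P<api>\w+);(?P<args>.*)$")

ATOM_WRITE_APIS = {"GlobalAddAtomA", "GlobalAddAtomW", "GlobalAddAtomExA", "GlobalAddAtomExW"}
APC_APIS = {"QueueUserAPC", "NtQueueApcThread"}


def parse_trace(text):
    """Parse trace lines into dicts: {'pid': int, 'api': str, 'args': {k: v}}."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole batch
        args = dict(kv.split("=", 1) for kv in m["args"].split(";") if "=" in kv)
        events.append({"pid": int(m["pid"]), "api": m["api"], "args": args})
    return events


def find_atombombing_candidates(events, min_atom_len=256):
    """Return (source_pid, target_pid) pairs where source_pid wrote at least
    min_atom_len bytes into the global atom table and later queued an APC
    into a thread belonging to a different process."""
    atom_bytes = defaultdict(int)  # pid -> bytes written to the global atom table so far
    findings = []
    for ev in events:
        pid, api, args = ev["pid"], ev["api"], ev["args"]
        if api in ATOM_WRITE_APIS:
            atom_bytes[pid] += int(args.get("len", 0))
        elif api in APC_APIS:
            target = int(args.get("target_pid", pid))
            # Same-process APCs are routine; only a cross-process APC after a
            # sizeable atom write matches the pattern described in the thread.
            if target != pid and atom_bytes[pid] >= min_atom_len:
                findings.append((pid, target))
    return findings


if __name__ == "__main__":
    for src, dst in find_atombombing_candidates(parse_trace(SAMPLE_TRACE)):
        print(f"pid {src} wrote large atoms then queued an APC into pid {dst}")
```

The threshold (`min_atom_len`) is a tuning knob: shellcode-sized atom payloads are far larger than the short strings legitimate atom users register, so raising it trades a little sensitivity for fewer false positives. The rule deliberately keys on ordering (atom write before the cross-process APC) because that is the sequence the technique needs.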