Question
The security world has been abuzz over a new code injection technique called "atom bombing" (see Injection Attack Description and Information Security Stack Exchange Question). Simply stated, an attacker can use atom tables to store executable code.
A concern is that the global atom table feature exists across all versions of Windows, and is a deliberate feature, not a bug. It is not clear how to mitigate the threat through changes to Windows.
Just what are Windows atom tables used for? If Microsoft simply said "that's it, no more atom tables", what would be the impact?
Recommended answer
TL;DR: I personally don't think Microsoft is going to make any changes to the global atom table because it is only a minor security issue.
An atom table lets you associate a string with a 16-bit number. You give Windows your string and it gives you back a number. You can then retrieve the string again just by knowing the assigned number.
Every normal process has its own local atom table, but it is usually empty and is not a security issue.
There are multiple "global" atom tables that are shared by all processes in the same window station. One of them is documented and it is called the global atom table. MSDN is also nice enough to tell us that RegisterClipboardFormat and RegisterClass also use their own atom tables internally in their current implementation. Other functions like SetProp also use atoms, but we are only interested in the atom table used by the exploit; atoms are added to that table with the GlobalAddAtom function.
The main purpose of this atom table is to act as a simple storage location so that different processes can communicate with each other in a protocol called DDE. When a process wants to send a message to a window in a different process you cannot send more than 8 bytes (2 parameters, 4 bytes each), and this is not enough space to transfer a filesystem path or a URL.

To work around this limitation the application stores the string/path/URL in the public global atom table by calling GlobalAddAtom. GlobalAddAtom returns a number that the application can send to the other process. When the other process receives the DDE message it just passes the number to the GlobalGetAtomName function to retrieve the string.
How is any of this a security issue? It turns out that this overhyped (IMHO) exploit uses the global atom table to do exactly what the table was designed to do: transfer a string from one process to another.
To inject code into another process you would normally call OpenProcess to get a handle to the desired process, VirtualAllocEx to allocate some memory in this process, WriteProcessMemory to fill this newly allocated memory with your code and finally CreateRemoteThread to start executing this code.
The exploit basically calls GlobalGetAtomName in a complicated way (NtQueueApcThread) to avoid using WriteProcessMemory. It is more impressive how it builds a ROP chain and executes it with NtQueueApcThread, but that is not really related to the atom table; the atom table was just an unusual/clever way to transfer memory.
The exploit does not allow evil code to elevate or otherwise get privileges the source process does not already have, because NtQueueApcThread cannot be used on any random process; you still need the appropriate privileges to access the desired target process. NtQueueApcThread might have caught some anti-virus companies off guard when the exploit came out, but as a standalone piece of code that has to be executed by someone in the first place it cannot do much damage on its own; it has to be combined with other code to be scary.
Can Microsoft remove the atom tables? No, not really, the other tables are too important.
Can they remove the global atom table? No, not really, it is a documented API and has been for more than 20 years, and Microsoft does not like to break compatibility.
They could however neuter the global atom table a little. They could make it less global by dividing it into multiple compartments based on the integrity level of the calling process. This would not change the exploit in question since it cannot access processes with a higher integrity level in the first place.
If we pretend that Microsoft changed the global atom table so that it acts as a per-process table, what would happen?
Microsoft started to move away from DDE in Windows XP but got a lot more serious about it in Vista/7. On this Windows 8.1 machine Internet Explorer still uses DDE for the "Open in same window" command, but that is not the default verb for a .html file. Search the registry for ddeexec to find all the applications that use DDE to handle their file associations. On the bright side, file association DDE is only used when an instance of the application is already open. Worst case scenario: close the application before double-clicking a new file.
DDE can also be used to do other things, but it is hard to say which applications and/or features would break and how broken they would become.
The global atom table can be used for things other than DDE, but it is hard to say how common it is to do so.
If the global atom table was restricted to only sharing its strings with processes with the same filename then a lot of these issues would go away, because it is often used just to communicate with other instances of the same application.
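As an added example, not part of the question or the answer above: the PowerShell script below is my own code written for this page. It first exercises the documented kernel32 GlobalAddAtom / GlobalGetAtomName / GlobalFindAtom / GlobalDeleteAtom calls through P/Invoke, showing the 16-bit atom that a DDE peer would receive and how the string is resolved again, and then performs the ddeexec registry search the answer suggests, listing every HKEY_CLASSES_ROOT\<ProgId>\shell\<verb>\ddeexec entry together with its DDE message, application, topic and fallback command. The function names Test-GlobalAtomRoundTrip and Find-DdeExecHandler and the sample path are this example's own; it needs a Windows host (Windows PowerShell or PowerShell 7) with an interactive window station.

```powershell
# Added example for this page, not code from the original answer.
# Part 1: round-trip a string through the global atom table (kernel32 P/Invoke).
# Part 2: list file-association verbs that still carry a ddeexec subkey.
# Requires Windows; the function names and the sample path are this example's own.

if (-not ('AtomApi' -as [type])) {
    Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class AtomApi {
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern ushort GlobalAddAtom(string lpString);
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern ushort GlobalFindAtom(string lpString);
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern uint GlobalGetAtomName(ushort nAtom, StringBuilder lpBuffer, int nSize);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern ushort GlobalDeleteAtom(ushort nAtom);
}
"@
}

function Test-GlobalAtomRoundTrip {
    # Constructed sample payload; a DDE client would hand a path like this to its peer.
    param([string]$Text = 'C:\Users\Public\report.html')

    # GlobalAddAtom rejects strings longer than 255 characters and returns 0 on failure.
    $atom = [AtomApi]::GlobalAddAtom($Text)
    if ($atom -eq 0) {
        throw "GlobalAddAtom failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }

    # The 16-bit atom is all the receiver needs; any process in the same window
    # station resolves it with GlobalGetAtomName (buffer size is in characters).
    $buffer   = New-Object System.Text.StringBuilder 256
    $length   = [AtomApi]::GlobalGetAtomName($atom, $buffer, $buffer.Capacity)
    $resolved = $buffer.ToString(0, [int]$length)

    # Adding the same string again only bumps its reference count and returns the same atom.
    $again = [AtomApi]::GlobalAddAtom($Text)

    # Delete once per add; the entry disappears only when no process references it,
    # so GoneAfterDelete is False if another process already held this exact string.
    [void][AtomApi]::GlobalDeleteAtom($again)
    [void][AtomApi]::GlobalDeleteAtom($atom)

    [pscustomobject]@{
        Atom            = '0x{0:X4}' -f $atom
        Resolved        = $resolved
        RoundTripOk     = ($resolved -eq $Text)
        SameAtomOnReAdd = ($again -eq $atom)
        GoneAfterDelete = ([AtomApi]::GlobalFindAtom($Text) -eq 0)
    }
}

function Find-DdeExecHandler {
    # A ddeexec subkey under HKCR\<ProgId>\shell\<verb> marks a verb that is dispatched
    # over DDE when an instance is already running; the wildcard path avoids a slow
    # full recursion of HKEY_CLASSES_ROOT.
    Get-Item -Path 'Registry::HKEY_CLASSES_ROOT\*\shell\*\ddeexec' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $parts   = $_.Name -split '\\'   # HKEY_CLASSES_ROOT, ProgId, shell, verb, ddeexec
            $app     = $_.OpenSubKey('Application')
            $topic   = $_.OpenSubKey('Topic')
            $command = Get-Item -LiteralPath "$($_.PSParentPath)\command" -ErrorAction SilentlyContinue
            $appName   = if ($app)     { $app.GetValue('') }
            $topicName = if ($topic)   { $topic.GetValue('') }
            $cmdLine   = if ($command) { $command.GetValue('') }
            [pscustomobject]@{
                ProgId      = $parts[1]
                Verb        = $parts[3]
                DdeMessage  = $_.GetValue('')   # e.g. "[open("%1")]"
                Application = $appName
                Topic       = $topicName
                Command     = $cmdLine          # used to launch the app when no instance is running
            }
        }
}

Test-GlobalAtomRoundTrip | Format-List
Find-DdeExecHandler | Sort-Object ProgId, Verb | Format-Table -AutoSize
```

Run it from an ordinary (non-elevated) session: the atom round trip succeeds with no special privilege, which is the point the answer makes about the table doing exactly what it was designed to do, and the second table shows which installed applications would notice if the global table were partitioned or DDE removed.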