
Microsoft has added protections against two code injection techniques, process hollowing and atom bombing.

These new protections will debut with the Windows 10 Fall Creators Update, due in October or November 2017.

The protections are part of Windows Defender Advanced Threat Protection (Windows Defender ATP), Microsoft's licensed enterprise endpoint detection and response service, not the Windows Defender antivirus built into every Windows 10 install. Home users therefore will not get them unless they buy into that commercial offering.

Both protections are sorely needed: process hollowing has been a problem on Windows for years, while the newer atom bombing technique has so far seen limited use, mainly in the Dridex banking trojan, because it was first detailed only nine months ago, in October 2016.

Microsoft addresses process hollowing

The bigger of the two issues is process hollowing, used by Kovter and many other malware families.

In simplified terms, process hollowing works like this: the malware starts a legitimate program (explorer.exe, regsvr32.exe, svchost.exe, etc.) in a suspended state (CreateProcess with the CREATE_SUSPENDED flag), unmaps the legitimate image from the new process's memory (typically with NtUnmapViewOfSection), writes its own code into the now empty address space (VirtualAllocEx and WriteProcessMemory), points the primary thread at the new entry point (SetThreadContext), and resumes the process (ResumeThread). When the process runs, it executes the malicious code found in its memory space, but it still carries the name, path, and signature of the legitimate binary, so checks that trust a process by its image path or name are bypassed.

The technique is a staple of fileless attacks, where the malware leaves a minimal footprint on disk and stores and executes its code only in memory.

Atom bombing addressed nine months after disclosure

The second code injection technique that Microsoft says it now blocks is atom bombing, an attack method first detailed by enSilo last year.

The technique relies on malware storing its payload in an atom table. Atom tables are system-maintained tables of strings: an application registers a string with GlobalAddAtom and gets back a small integer (the atom), and any process can retrieve the string again with GlobalGetAtomName. The global atom table is shared by every process in the session, which is what makes it usable as a cross-process drop point.

enSilo discovered that malware could write arbitrary bytes into this shared table and then use a lesser-known native API, NtQueueApcThread, to queue an asynchronous procedure call on a thread in the target process that invokes GlobalGetAtomName. The target process then copies the payload into its own memory itself, with no WriteProcessMemory call from the attacker, and further queued calls get it executed.

Researchers say the technique can be used to make antivirus products or applications on an OS whitelist perform malicious operations, bypassing security products that trust those processes.
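Both techniques are easiest to recognise not from any single API call but from the order of calls one process makes against another, which is the kind of signal an endpoint detection product like Windows Defender ATP works from. The script below is an added example, not code from the original article or from Microsoft: it runs a sequence detector for both chains described above over a constructed stream of cross-process API events (the `key=value` line format, the field names, and the process IDs are all assumptions made for this example; a real sensor would record the same facts via ETW, a driver callback, or user-mode hooks).

```python
"""Sequence detector for process hollowing and atom bombing.

All events below are constructed for this example. They imitate the
cross-process API telemetry an EDR sensor would record, reduced to the
fields the detection logic needs: the calling pid, the API name, the
target pid, and a few API-specific extras.
"""
from collections import defaultdict

# Process hollowing: every step must be seen, in this order, from one
# source process against a child that the same source created suspended.
HOLLOWING_CHAIN = [
    "NtUnmapViewOfSection",  # empty the legitimate image from the child
    "WriteProcessMemory",    # drop the payload into the hollow
    "SetThreadContext",      # point the primary thread at the payload
    "ResumeThread",          # run it under the legitimate process name
]

# Atom bombing: payload goes into the global atom table, then an APC queued
# on a thread of another process calls GlobalGetAtomName to copy it over.
ATOM_COPY_ROUTINES = {"GlobalGetAtomNameA", "GlobalGetAtomNameW"}

SAMPLE_EVENTS = [
    # constructed: an ordinary child launch plus a debugger-style write
    "src=1200 api=CreateProcessW target=1300 flags=0",
    "src=1200 api=WriteProcessMemory target=1300",
    # constructed: hollowing of a suspended svchost.exe by pid 4100
    "src=4100 api=CreateProcessW target=4212 flags=CREATE_SUSPENDED image=svchost.exe",
    "src=4100 api=NtUnmapViewOfSection target=4212",
    "src=4100 api=VirtualAllocEx target=4212",
    "src=4100 api=WriteProcessMemory target=4212",
    "src=4100 api=WriteProcessMemory target=4212",
    "src=4100 api=SetThreadContext target=4212",
    "src=4100 api=ResumeThread target=4212",
    # constructed: atom bombing from pid 5000 into pid 5050
    "src=5000 api=GlobalAddAtomW",
    "src=5000 api=NtQueueApcThread target=5050 routine=GlobalGetAtomNameW",
    # constructed: a process queuing the same APC on itself (not a finding)
    "src=6000 api=GlobalAddAtomA",
    "src=6000 api=NtQueueApcThread target=6000 routine=GlobalGetAtomNameA",
]


def parse_event(line):
    """Turn one 'key=value key=value' line into a dict of strings."""
    return dict(tok.split("=", 1) for tok in line.split())


def detect_injection(lines):
    """Return (technique, source_pid, target_pid) findings, in event order."""
    findings = []
    suspended = {}                # target pid -> source pid that created it suspended
    progress = defaultdict(int)   # (src, target) -> steps of HOLLOWING_CHAIN seen
    atom_writers = set()          # pids that have written to the global atom table

    for line in lines:
        ev = parse_event(line)
        src, api, target = ev["src"], ev["api"], ev.get("target")

        if api in ("CreateProcessA", "CreateProcessW"):
            if "CREATE_SUSPENDED" in ev.get("flags", ""):
                suspended[target] = src
            continue

        # Hollowing: only advance the chain for the pair that created the
        # suspended child; unrelated calls between steps are ignored, but a
        # step out of order (or a missing one) never completes the chain.
        if suspended.get(target) == src:
            step = progress[(src, target)]
            if step < len(HOLLOWING_CHAIN) and api == HOLLOWING_CHAIN[step]:
                progress[(src, target)] = step + 1
                if step + 1 == len(HOLLOWING_CHAIN):
                    findings.append(("process_hollowing", src, target))

        # Atom bombing: a remote APC whose routine is GlobalGetAtomName, from a
        # process that populated the atom table, is the copy step of the attack.
        if api in ("GlobalAddAtomA", "GlobalAddAtomW"):
            atom_writers.add(src)
        elif (api == "NtQueueApcThread" and src in atom_writers
              and target is not None and target != src
              and ev.get("routine") in ATOM_COPY_ROUTINES):
            findings.append(("atom_bombing", src, target))

    return findings


if __name__ == "__main__":
    for technique, src, target in detect_injection(SAMPLE_EVENTS):
        print(f"{technique}: pid {src} -> pid {target}")
```

Two caveats worth keeping in mind when turning this into a production rule. Creating a child suspended is something debuggers and some installers do legitimately, so the discriminating step in the hollowing chain is the unmap of the original image followed by a write into the same process, not the suspended launch on its own. Conversely, a loader that overwrites the original image in place without calling NtUnmapViewOfSection or SetThreadContext would not complete this exact chain, which is why a real detector keys on the memory-level outcome (an executable region whose contents no longer match the image file on disk) as well as on the API sequence.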

It's great to see Microsoft finally addressing code injection issues, but let's hope the company eventually adds these improvements to the free version of Windows Defender.
