ntoskrnl.exeT1055T1559T1106

NtAddAtom

Adds (or refcount-increments) a string in the global kernel atom table and returns its 16-bit atom ID.

Prototype

NTSTATUS NtAddAtom(
  PWSTR     AtomName,
  ULONG     Length,
  PRTL_ATOM Atom
);

Arguments

Name	Type	Dir	Description
AtomName	PWSTR	in	UTF-16 string to register. No NUL required — Length is in bytes and the kernel stores the raw run.
Length	ULONG	in	Size of the buffer in bytes. Allows arbitrary binary content (Atom Bomb shellcode upload primitive).
Atom	PRTL_ATOM	out	Receives the 16-bit atom ID (RTL_ATOM is a USHORT). Range 0xC000-0xFFFF for user atoms.

Syscall IDs by Windows version

Windows version	Syscall ID	Build
Win10 1507	0x47	win10-1507
Win10 1607	0x47	win10-1607
Win10 1703	0x47	win10-1703
Win10 1709	0x47	win10-1709
Win10 1803	0x47	win10-1803
Win10 1809	0x47	win10-1809
Win10 1903	0x47	win10-1903
Win10 1909	0x47	win10-1909
Win10 2004	0x47	win10-2004
Win10 20H2	0x47	win10-20h2
Win10 21H1	0x47	win10-21h1
Win10 21H2	0x47	win10-21h2
Win10 22H2	0x47	win10-22h2
Win11 21H2	0x47	win11-21h2
Win11 22H2	0x47	win11-22h2
Win11 23H2	0x47	win11-23h2
Win11 24H2	0x47	win11-24h2
Server 2016	0x47	winserver-2016
Server 2019	0x47	winserver-2019
Server 2022	0x47	winserver-2022
Server 2025	0x47	winserver-2025

Kernel module

ntoskrnl.exe → NtAddAtom

Related APIs

GlobalAddAtomAGlobalAddAtomWAddAtomANtFindAtomNtQueryInformationAtomNtDeleteAtom

Syscall stub

4C 8B D1            mov r10, rcx
B8 47 00 00 00      mov eax, 0x47
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

SSN `0x47` has been completely stable from 1507 through 24H2 — atoms are an old subsystem nobody re-numbers. The kernel maintains a **global atom table** that is process-agnostic: any process can `NtAddAtom` a name and any other process can `NtFindAtom` to retrieve the same ID and then `NtQueryInformationAtom` to retrieve the stored name back. The Win32 wrappers `GlobalAddAtom*` / `GlobalFindAtom* / GlobalGetAtomName*` route through these syscalls. Critically, `Length` is in **bytes** and the kernel does not enforce that the buffer be a valid NUL-terminated Unicode string — it stores whatever bytes you give it, which is the foundation of Atom Bombing.

Common malware usage

**Atom Bombing** (enSilo, Tal Liberman, October 2016) — the canonical code-injection technique built on this syscall. Stage 1: write shellcode into the global atom table by calling `GlobalAddAtomA` (which lands in NtAddAtom) with the shellcode bytes as the 'name'. Stage 2: queue an APC into a target process that calls `GlobalGetAtomNameA` (NtQueryInformationAtom under the hood); the kernel writes the atom 'name' — i.e. the attacker's shellcode — into a buffer in the target's address space. Stage 3: a follow-up APC, or a ROP gadget, transitions that buffer to RWX (via NtSetContextThread + return-oriented `ZwProtectVirtualMemory` calls). Because the **write into the target process is performed by the kernel itself**, hooked user-mode functions in the target (NtWriteVirtualMemory, WriteProcessMemory) never see the data — defeating EDRs that rely on user-mode injection hooks. Picked up by Dridex (2017 wave, FireEye writeup), and embedded as a baseline technique in several private RATs since.

enSilo Atom Bombing PoC (Tal Liberman 2016)Dridex (2017 wave)Hancitor / Chanitor Cobalt Strike (third-party Atom Bomb module)FinFisher

Detection opportunities

Telemetry on NtAddAtom from user-mode is sparse — atoms are 1990s technology and most products did not historically instrument them. Modern EDRs (CrowdStrike, SentinelOne, Defender) added behavioral rules circa 2017-2018 that look for: (1) `GlobalAddAtomA/W` calls with `Length` > ~250 bytes (real atoms are short window-class names or DDE strings); (2) atom name bytes that fail to round-trip as valid UTF-16 (binary content); (3) `GlobalGetAtomNameA` called from a thread that just woke up via NtTestAlert / KiUserApcDispatcher inside a freshly-allocated context — the Atom Bomb APC pattern. ETW Microsoft-Windows-Kernel-Audit-API-Calls covers these syscalls. WinDbg / live forensics: `!atom` extension dumps the global table — long entries with non-printable bytes are a strong IOC.

Direct syscall examples

asmx64 direct stub

; Direct syscall stub for NtAddAtom (SSN 0x47, all builds)
NtAddAtom PROC
    mov  r10, rcx          ; syscall convention
    mov  eax, 47h          ; SSN
    syscall
    ret
NtAddAtom ENDP

cAtom Bombing — stage 1 shellcode upload

// Atom Bomb stage 1: smuggle shellcode bytes into the global atom table.
// The Length is in bytes and the kernel does not require a NUL terminator,
// so arbitrary binary content rides in as the atom 'name'.
#include <windows.h>
#include <winternl.h>

typedef NTSTATUS (NTAPI *pNtAddAtom)(PWSTR, ULONG, PUSHORT);

USHORT AtomBombUpload(const BYTE* shellcode, ULONG cb) {
    pNtAddAtom NtAddAtom = (pNtAddAtom)GetProcAddress(
        GetModuleHandleA("ntdll.dll"), "NtAddAtom");
    USHORT atomId = 0;
    // PWSTR is just a cast — the kernel reads `cb` raw bytes regardless
    // of UTF-16 validity. Real Atom Bomb POCs round cb up to even.
    NTSTATUS s = NtAddAtom((PWSTR)shellcode,
                           (cb + 1) & ~1u,  // even byte count
                           &atomId);
    return NT_SUCCESS(s) ? atomId : 0;
}

rustLightweight global atom (legitimate-style)

// Cargo: ntapi = "0.4", widestring = "1"
// Register a normal short string atom — same syscall, benign use.
// Demonstrates the Length-in-bytes convention.
use ntapi::ntexapi::NtAddAtom;
use widestring::U16CString;

pub unsafe fn add_atom(name: &str) -> Option<u16> {
    let w = U16CString::from_str(name).ok()?;
    let mut atom: u16 = 0;
    let bytes = w.len() * 2; // UTF-16 byte count, excluding NUL
    let s = NtAddAtom(w.as_ptr() as _, bytes as u32, &mut atom);
    if s >= 0 { Some(atom) } else { None }
}

MITRE ATT&CK mappings

Last verified: 2026-05-20