ntoskrnl.exeT1055T1559T1497

NtFindAtom

Looks up an existing global atom by name and returns its 16-bit ID without incrementing the refcount.

Prototype

NTSTATUS NtFindAtom(
  PWSTR     AtomName,
  ULONG     Length,
  PRTL_ATOM Atom
);

Arguments

Name	Type	Dir	Description
AtomName	PWSTR	in	UTF-16 buffer whose bytes the kernel will compare against existing atom entries.
Length	ULONG	in	Size of the buffer in bytes.
Atom	PRTL_ATOM	out	Receives the 16-bit atom ID if found. Optional — pass NULL only to test existence.

Syscall IDs by Windows version

Windows version	Syscall ID	Build
Win10 1507	0x14	win10-1507
Win10 1607	0x14	win10-1607
Win10 1703	0x14	win10-1703
Win10 1709	0x14	win10-1709
Win10 1803	0x14	win10-1803
Win10 1809	0x14	win10-1809
Win10 1903	0x14	win10-1903
Win10 1909	0x14	win10-1909
Win10 2004	0x14	win10-2004
Win10 20H2	0x14	win10-20h2
Win10 21H1	0x14	win10-21h1
Win10 21H2	0x14	win10-21h2
Win10 22H2	0x14	win10-22h2
Win11 21H2	0x14	win11-21h2
Win11 22H2	0x14	win11-22h2
Win11 23H2	0x14	win11-23h2
Win11 24H2	0x14	win11-24h2
Server 2016	0x14	winserver-2016
Server 2019	0x14	winserver-2019
Server 2022	0x14	winserver-2022
Server 2025	0x14	winserver-2025

Kernel module

ntoskrnl.exe → NtFindAtom

Related APIs

GlobalFindAtomAGlobalFindAtomWFindAtomANtAddAtomNtQueryInformationAtom

Syscall stub

4C 8B D1            mov r10, rcx
B8 14 00 00 00      mov eax, 0x14
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

SSN `0x14` is stable from 1507 through 24H2 — atom table interfaces simply don't move. NtFindAtom is the read-only sibling of NtAddAtom: it walks the global atom hash table, byte-comparing the Length-bytes input against each entry, and returns the existing ID without touching the refcount. Unlike NtAddAtom, NtFindAtom returns STATUS_OBJECT_NAME_NOT_FOUND when the name is absent (NtAddAtom would create it). The Win32 wrappers are `GlobalFindAtomA/W`.

Common malware usage

**Atom Bombing rendezvous** — the second implant (or a sibling thread) calls NtFindAtom on a previously-agreed marker string to discover whether stage-1 shellcode is already in the atom table and to learn its ID before queueing the APC that triggers `GlobalGetAtomNameA` in the target. Also used for **inter-implant IPC coordination** where the atom table acts as a covert shared key/value store: implants publish session identifiers, beacon IDs, or callback URL hashes as atom names, and peers `NtFindAtom` them to discover one another without touching disk, registry, or sockets. **Sandbox detection** — query the table for atoms left by sandbox harness (e.g. Triage and Joe Sandbox each register a small set of recognisable atom strings during boot); presence indicates an analysis environment. Cheap, no API import beyond ntdll, and undetectable by file/registry-centric EDRs.

enSilo Atom Bombing PoC (Tal Liberman 2016)Dridex (2017 wave)Hancitor / Chanitor FinFisher

Detection opportunities

Even lower volume than NtAddAtom in alerting telemetry — most products treat the atom table as a black box. Useful hunt: **NtFindAtom called by a process that never calls NtAddAtom**, with a Length suggesting hash lookup of a marker rather than a window-class name (typically 8-64 bytes), correlated with subsequent NtQueueApcThread to a remote process — strong sign of Atom Bombing rendezvous. ETW Microsoft-Windows-Kernel-Audit-API-Calls exposes the syscall. WinDbg `!atom` shows the current global table and is the ground-truth for incident response. Defender's behavioral engine added an Atom Bomb-specific detection (~2018) that fires on the full GlobalAddAtomA + GlobalGetAtomNameA-via-APC chain, but NtFindAtom alone usually doesn't trip it.

Direct syscall examples

asmx64 direct stub

; Direct syscall stub for NtFindAtom (SSN 0x14, all builds)
NtFindAtom PROC
    mov  r10, rcx          ; syscall convention
    mov  eax, 14h          ; SSN
    syscall
    ret
NtFindAtom ENDP

cRendezvous marker lookup (Atom Bombing stage-2 helper)

// Stage-2 implant looks up the agreed marker atom to find the stage-1
// shellcode payload uploaded via NtAddAtom by a sibling. Returns the
// atom ID, ready to feed to GlobalGetAtomNameA via an APC in the target.
#include <windows.h>
#include <winternl.h>

typedef NTSTATUS (NTAPI *pNtFindAtom)(PWSTR, ULONG, PUSHORT);

USHORT FindRendezvousAtom(PCWSTR marker) {
    pNtFindAtom NtFindAtom = (pNtFindAtom)GetProcAddress(
        GetModuleHandleA("ntdll.dll"), "NtFindAtom");
    USHORT id = 0;
    ULONG bytes = (ULONG)(wcslen(marker) * sizeof(WCHAR));
    NTSTATUS s = NtFindAtom((PWSTR)marker, bytes, &id);
    return NT_SUCCESS(s) ? id : 0;
}

rustSandbox marker probe

// Cargo: ntapi = "0.4", widestring = "1"
// Probe the global atom table for known sandbox-harness markers. Presence
// of any of these signals an analysis environment.
use ntapi::ntexapi::NtFindAtom;
use widestring::U16CString;

const MARKERS: &[&str] = &[
    "TriageHostMarker_v3",
    "JoeSandboxAgent_active",
    "AnyRun_Probe",
];

pub unsafe fn looks_like_sandbox() -> bool {
    for &m in MARKERS {
        let w = U16CString::from_str(m).unwrap();
        let mut id: u16 = 0;
        let s = NtFindAtom(w.as_ptr() as _, (w.len() * 2) as u32, &mut id);
        if s >= 0 && id != 0 { return true; }
    }
    false
}

MITRE ATT&CK mappings

Last verified: 2026-05-20