How does AtomBombing execute the shellcode after writing it into the target process?
After the target retrieves the shellcode via `GlobalGetAtomName` into an RW memory region (e.g., unused space after the KERNELBASE data segment), AtomBombing constructs a ROP chain. The ROP chain calls `VirtualAllocEx` to allocate RWX memory, copies the shellcode there, and then executes it. This approach avoids reliance on easily detected RWX memory regions. For alternative bypass techniques, compare "Testing and Analysis of Bypassing AppLocker Using LUA Scripts".
ROP chain, shellcode execution, VirtualAllocEx, RW memory, RWX memory