1. Home
  2. Techniques
  3. Enterprise
  4. Hijack Execution Flow
  5. KernelCallbackTable

Hijack Execution Flow: KernelCallbackTable

ID Name
T1574.001 DLL
T1574.004 Dylib Hijacking
T1574.005 Executable Installer File Permissions Weakness
T1574.006 Dynamic Linker Hijacking
T1574.007 Path Interception by PATH Environment Variable
T1574.008 Path Interception by Search Order Hijacking
T1574.009 Path Interception by Unquoted Path
T1574.010 Services File Permissions Weakness
T1574.011 Services Registry Permissions Weakness
T1574.012 COR_PROFILER
T1574.013 KernelCallbackTable
T1574.014 AppDomainManager

Adversaries may abuse the KernelCallbackTable of a process to hijack its execution flow in order to run their own payloads.[1][2] The KernelCallbackTable can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll is loaded.[3]

An adversary may hijack the execution flow of a process using the KernelCallbackTable by replacing an original callback function with a malicious payload. Modifying callback functions can be achieved in various ways involving related behaviors such as Reflective Code Loading or Process Injection into another process.

A pointer to the memory address of the KernelCallbackTable can be obtained by locating the PEB (ex: via a call to the NtQueryInformationProcess() Native API function).[4] Once the pointer is located, the KernelCallbackTable can be duplicated, and a function in the table (e.g., fnCOPYDATA) set to the address of a malicious payload (ex: via WriteProcessMemory()). The PEB is then updated with the new address of the table. Once the tampered function is invoked, the malicious payload will be triggered.[1]

The tampered function is typically invoked using a Windows message. After the process is hijacked and malicious code is executed, the KernelCallbackTable may also be restored to its original state by the rest of the malicious payload.[1] Use of the KernelCallbackTable to hijack execution flow may evade detection from security products since the execution can be masked under a legitimate process.

ID: T1574.013
Sub-technique of:  T1574
Platforms: Windows
Version: 1.0
Created: 25 February 2022
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S0182 FinFisher

FinFisher has used the KernelCallbackTable to hijack the execution flow of a process by replacing the __fnDWORD function with the address of a created Asynchronous Procedure Call stub routine.[2]
G0032 Lazarus Group

Lazarus Group has abused the KernelCallbackTable to hijack process control flow and execute shellcode.[1][5]

Mitigations

ID Mitigation Description
M1040 Behavior Prevention on Endpoint

Some endpoint security solutions can be configured to block some types of behaviors related to process injection/memory tampering based on common sequences of indicators (ex: execution of specific API functions).

Detection Strategy

ID Name Analytic ID Analytic Description
DET0577 Detection Strategy for Hijack Execution Flow through the KernelCallbackTable on Windows. AN1593

Unexpected modification of the KernelCallbackTable in a process’s PEB followed by invocation of modified callback functions (e.g., fnCOPYDATA) through Windows messages. Defender observes suspicious API call chains such as NtQueryInformationProcess → WriteProcessMemory → abnormal GUI callback execution, often correlating to anomalous process behavior such as network activity or code injection.

References

  1. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.
  2. Microsoft Defender Security Research Team. (2018, March 1). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved January 27, 2022.
  3. odzhan. (2019, May 25). Windows Process Injection: KernelCallbackTable used by FinFisher / FinSpy. Retrieved February 4, 2022.
  1. Microsoft. (2021, November 23). NtQueryInformationProcess function (winternl.h). Retrieved February 4, 2022.
  2. Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022.