
T1574.013: KernelCallbackTable

The MITRE Corporation · Published 25/02/2022 16:27 · Modified 27/03/2026 01:11

Essential information

MITRE technique ID: T1574.013
Confidence: 100/100
Revoked: No
Published: 25/02/2022 16:27
Modified: 27/03/2026 01:11
Author / Source: The MITRE Corporation

Platforms

windows

Description

Adversaries may abuse the `KernelCallbackTable` of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed) The `KernelCallbackTable` can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once `user32.dll` is loaded.(Citation: Windows Process Injection KernelCallbackTable) An adversary may hijack the execution flow of a process using the `KernelCallbackTable` by replacing an original callback function with a malicious payload. Modifying callback functions can be achieved in various ways involving related behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620) or [Process Injection](https://attack.mitre.org/techniques/T1055) into another process. A pointer to the memory address of the `KernelCallbackTable` can be obtained by locating the PEB (ex: via a call to the `NtQueryInformationProcess()` [Native API](https://attack.mitre.org/techniques/T1106) function).(Citation: NtQueryInformationProcess) Once the pointer is located, the `KernelCallbackTable` can be duplicated, and a function in the table (e.g., `fnCOPYDATA`) set to the address of a malicious payload (ex: via `WriteProcessMemory()`). The PEB is then updated with the new address of the table. Once the tampered function is invoked, the malicious payload will be triggered.(Citation: Lazarus APT January 2022) The tampered function is typically invoked using a Windows message. After the process is hijacked and malicious code is executed, the `KernelCallbackTable` may also be restored to its original state by the rest of the malicious payload.(Citation: Lazarus APT January 2022) Use of the `KernelCallbackTable` to hijack execution flow may evade detection from security products since the execution can be masked under a legitimate process.
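An added triage check, not MITRE's code or part of this entry: it reads a process's `PEB->KernelCallbackTable` pointer through `NtQueryInformationProcess()` and `ReadProcessMemory()`, the same route the description names, and reports whether a loaded module backs that pointer. An intact table lies inside `user32.dll`; a table duplicated into private memory, as described above, shows up as a pointer no module backs. It assumes a 64-bit Python inspecting a 64-bit Windows process (the 0x58 PEB offset is the assumed x64 layout), rights to open the target, and my own constant names and 1024-module cap.

```python
import ctypes

HANDLE = HMODULE = ctypes.c_void_p  # pointer-sized Win32 handle types
KCT_OFFSET_X64 = 0x58  # PEB.KernelCallbackTable on x64 (assumed layout; 0x2C on x86)
QUERY_INFO, VM_READ, LIST_MODULES_ALL, MAX_MODS = 0x0400, 0x0010, 0x03, 1024

def classify(ptr, modules):
    """Verdict for a PEB->KernelCallbackTable value given [(name, base, size), ...]."""
    if not ptr:
        return "NOT_INITIALIZED"  # user32.dll not loaded (non-GUI process)
    hit = next((m for m in modules if m[1] <= ptr < m[1] + m[2]), None)
    if hit is None:
        return "UNBACKED"  # private memory: the table was duplicated or replaced
    return "OK" if hit[0].lower() == "user32.dll" else "OTHER_MODULE:" + hit[0]

class PROCESS_BASIC_INFORMATION(ctypes.Structure):
    _fields_ = [("ExitStatus", ctypes.c_long), ("PebBaseAddress", ctypes.c_void_p),
                ("AffinityMask", ctypes.c_size_t), ("BasePriority", ctypes.c_long),
                ("UniqueProcessId", ctypes.c_size_t), ("InheritedFromUniqueProcessId", ctypes.c_size_t)]

class MODULEINFO(ctypes.Structure):
    _fields_ = [("lpBaseOfDll", ctypes.c_void_p), ("SizeOfImage", ctypes.c_ulong),
                ("EntryPoint", ctypes.c_void_p)]

def check_process(pid):
    """Windows only: read PEB->KernelCallbackTable of `pid` and classify it."""
    k32, psapi, ntdll = ctypes.windll.kernel32, ctypes.windll.psapi, ctypes.windll.ntdll
    k32.OpenProcess.restype = HANDLE  # keep 64-bit handle values intact
    h = HANDLE(k32.OpenProcess(QUERY_INFO | VM_READ, False, pid))
    if not h.value:
        raise ctypes.WinError()
    try:
        pbi, rl = PROCESS_BASIC_INFORMATION(), ctypes.c_ulong()  # class 0 = ProcessBasicInformation
        if ntdll.NtQueryInformationProcess(h, 0, ctypes.byref(pbi), ctypes.sizeof(pbi), ctypes.byref(rl)):
            raise OSError("NtQueryInformationProcess failed")
        ptr, n = ctypes.c_void_p(), ctypes.c_size_t()  # one pointer-sized read from the PEB
        addr = ctypes.c_void_p((pbi.PebBaseAddress or 0) + KCT_OFFSET_X64)
        if not k32.ReadProcessMemory(h, addr, ctypes.byref(ptr), ctypes.sizeof(ptr), ctypes.byref(n)):
            raise ctypes.WinError()
        mods, needed, modules = (HMODULE * MAX_MODS)(), ctypes.c_ulong(), []
        psapi.EnumProcessModulesEx(h, mods, ctypes.sizeof(mods), ctypes.byref(needed), LIST_MODULES_ALL)
        for i in range(min(needed.value // ctypes.sizeof(HMODULE), MAX_MODS)):
            hm, mi, name = HMODULE(mods[i]), MODULEINFO(), ctypes.create_unicode_buffer(260)
            psapi.GetModuleInformation(h, hm, ctypes.byref(mi), ctypes.sizeof(mi))
            psapi.GetModuleBaseNameW(h, hm, name, 260)
            modules.append((name.value, mi.lpBaseOfDll or 0, mi.SizeOfImage))
        return classify(ptr.value or 0, modules)  # verdict string for the caller to act on
    finally:
        k32.CloseHandle(h)
```

Run `check_process(pid)` against GUI processes from an elevated prompt; a `NOT_INITIALIZED` verdict for a console process is expected, while `UNBACKED` on a GUI process warrants a memory capture of the region the pointer points into.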

Kill chain phases

Kill chain      Phase
mitre-attack    defense-evasion
mitre-attack    persistence
mitre-attack    privilege-escalation

Marking (TLP)

Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references