title: KernelCallbackTable (T1574.013)
id: df00tech-t1574-013
status: experimental
description: "Adversaries abuse the KernelCallbackTable in the Process Environment Block (PEB) to hijack execution flow and execute shellcode within a target process. The KernelCallbackTable is initialized when user32.dll is loaded into a GUI process, containing function pointers for handling Win32 messages. An adversary uses NtQueryInformationProcess() to locate the PEB, reads the KernelCallbackTable pointer, duplicates the table in new process memory via WriteProcessMemory(), replaces a function pointer (e.g., fnCOPYDATA) with shellcode address, then updates the PEB to point to the modified table. Sending a Windows message (e.g., WM_COPYDATA) to the target triggers the shellcode. Used by Lazarus Group (DPRK) and FinFisher/FinSpy. Execution is masked under a legitimate GUI process."
references:
  - https://attack.mitre.org/techniques/T1574/013/
  - https://df00tech.com/detections/T1574.013
author: df00tech
date: 2026/03/11
tags:
  - attack.t1574.013
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate accessibility software (screen readers, magnifiers) that interact with other process memory for UI automation"
  - Debug builds of applications that legitimately use WriteProcessMemory for inter-process communication
  - Virtualization and container tools that may access process memory for management purposes
  - Some game anti-cheat systems that inject DLLs into game processes
level: critical