Kernel Callback Tables for Process Injection: perform process injection and hijack execution flow
The Kernel Callback Table in the Process Environment Block (PEB) can be hijacked by attackers to redirect a process’s execution flow and run malicious payloads. By replacing legitimate function pointers in the table with malicious ones, typically triggered by Windows messages, adversaries can also maintain persistence.
MITRE recognizes this approach as a hijack-execution-flow and persistence technique, and it has been used by threat groups such as FinFisher/FinSpy and Lazarus.
The Process Environment Block (PEB) is a key structure in Windows that every running program relies on. Think of it as the “control center” or “hub” that holds essential information about how the program is running and interacting with the system. The PEB is part of the memory space of the process, and it helps both the operating system and the program manage various internal details.
The PEB stores important data like:
- Loaded Modules – These are the Dynamic Link Libraries (DLLs) or external libraries that the program needs to function. For example, programs often rely on additional code provided by system libraries like kernel32.dll or user32.dll, and the PEB keeps track of these libraries once they are loaded.
- Heap Information – This section of the PEB contains information about memory management for the program. The “heap” is a region of memory where the program stores data that it needs while running. The PEB helps manage and monitor how this memory is used, keeping track of allocations and deallocations.
- Process Start Time – The PEB also stores the time the process was created, which can be useful for understanding how long the program has been running.
- Thread Information – Every program runs tasks or operations through “threads,” and the PEB contains data about these threads. This helps the operating system manage different tasks that the program is running at the same time.
- Process Flags and Settings – The PEB holds flags and configuration data that describe how the process behaves. This might include security settings, special flags for debugging, or even whether the process is being run as a subsystem of another process.
- Memory Layout Information – The PEB also holds data about the memory layout of the process, such as where different parts of the program’s code, data, and resources are located in memory.
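To make the "Loaded Modules" bookkeeping above concrete, here is an added example (not code from the original article) that walks the current process's own PEB, through PEB.Ldr and the InMemoryOrderModuleList, and prints every module the PEB tracks, then cross-checks it against the Win32 module API. It assumes 64-bit PowerShell on Windows 10/11; the structure offsets it uses are the x64 layouts of PEB, PEB_LDR_DATA and LDR_DATA_TABLE_ENTRY.

```powershell
# Added example, not from the original article. Read-only walk of the current
# process's PEB loaded-module list. Offsets assume x64 Windows 10/11.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class Native {
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_BASIC_INFORMATION {
        public IntPtr ExitStatus; public IntPtr PebBaseAddress; public IntPtr AffinityMask;
        public IntPtr BasePriority; public IntPtr UniqueProcessId; public IntPtr InheritedFromUniqueProcessId;
    }
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(IntPtr hProcess, int infoClass,
        ref PROCESS_BASIC_INFORMATION pbi, int length, out int returnLength);
    [DllImport("kernel32.dll")]
    public static extern IntPtr GetCurrentProcess();
}
"@
$M = [System.Runtime.InteropServices.Marshal]
$pbi = New-Object Native+PROCESS_BASIC_INFORMATION
$retLen = 0
# Info class 0 = ProcessBasicInformation, which carries the PEB base address.
$status = [Native]::NtQueryInformationProcess([Native]::GetCurrentProcess(), 0, [ref]$pbi, $M::SizeOf($pbi), [ref]$retLen)
if ($status -ne 0) { throw ("NtQueryInformationProcess failed: 0x{0:X8}" -f $status) }

$ldr  = $M::ReadIntPtr($pbi.PebBaseAddress, 0x18)   # PEB.Ldr -> PEB_LDR_DATA
$head = [IntPtr]::Add($ldr, 0x20)                    # PEB_LDR_DATA.InMemoryOrderModuleList
$pebModules = @{}
$link = $M::ReadIntPtr($head)                        # first LIST_ENTRY.Flink
while ($link -ne $head) {
    $entry   = [IntPtr]::Add($link, -0x10)           # LDR_DATA_TABLE_ENTRY start (links sit at +0x10)
    $dllBase = $M::ReadIntPtr($entry, 0x30)          # DllBase
    $nameLen = $M::ReadInt16($entry, 0x58)           # BaseDllName.Length, in bytes
    $nameBuf = $M::ReadIntPtr($entry, 0x60)          # BaseDllName.Buffer (UTF-16)
    $name    = $M::PtrToStringUni($nameBuf, [int]($nameLen / 2))
    $pebModules[$dllBase.ToInt64()] = $name
    "PEB: {0,-28} base 0x{1:X}" -f $name, $dllBase.ToInt64()
    $link = $M::ReadIntPtr($link)                    # advance along Flink
}

# Cross-check against the Win32 module API, which is derived from this same PEB
# list. A mismatch here means the offsets above do not fit this Windows build.
$apiModules = @{}
foreach ($m in [System.Diagnostics.Process]::GetCurrentProcess().Modules) {
    $apiModules[$m.BaseAddress.ToInt64()] = $m.ModuleName
}
"PEB lists {0} modules; Win32 API lists {1}" -f $pebModules.Count, $apiModules.Count
foreach ($base in $apiModules.Keys) {
    if (-not $pebModules.ContainsKey($base)) { "Missing from PEB walk: {0}" -f $apiModules[$base] }
}
```

On a healthy process the two counts agree and no "Missing from PEB walk" lines are printed; the point is to see that the DLL names and base addresses a tool reports come straight out of the PEB structures described above.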