Think of kernel callbacks as subscribers to system events—just like how people subscribe to notifications from a YouTube channel. When an event occurs (such as a new video being uploaded), the subscribers (kernel callbacks) are notified and can take action.

Similarly, when system events, such as process start or a registry key change, occur any registered kernel callback routines are notified and they can act accordingly. These callbacks let drivers "hook into" important actions, such as process creation, thread creation, image loading, registry changes, or even when the system shuts down.

Follow my journey of 100 Days of Red Team on WhatsApp, Telegram or Discord.

There are different types of kernel callbacks, each designed to monitor specific actions. Process and thread callbacks, like PsSetCreateProcessNotifyRoutine and PsSetCreateThreadNotifyRoutine, notify when a program (process) starts or stops and when a thread is created or destroyed. Image loading callbacks, such as PsSetLoadImageNotifyRoutine, trigger when a file like an EXE or DLL is loaded into memory. Registry callbacks, like CmRegisterCallback, detect changes in the Windows registry, which stores important system settings. Object callbacks, such as ObRegisterCallbacks, control access to important system resources, preventing unauthorized processes from interacting with sensitive data. Lastly, shutdown callbacks (ExAllocateCallBack) allow certain programs or drivers to execute code when the system is shutting down.

The flow from registration of a kernel callback to execution involves following steps:

1. A driver or system component registers a callback function to monitor a specific event. This is done by calling a kernel-provided registration function, such as PsSetCreateProcessNotifyRoutine for process creation events. During registration, the address of the callback function is provided, and the system stores this information in a list of registered callbacks for that event type.

2. When the monitored event occurs (e.g., a new process is created), the Windows operating system detects this event as part of its normal operation.

3. The system iterates through the list of registered callbacks for the specific event and invokes each callback function, passing relevant information about the event (such as process ID and image name for a new process).

4. Each registered callback function executes, performing tasks like logging the event, enforcing security policies, or modifying event-related data.

5. After all callbacks have been executed, the system continues processing, allowing the event to proceed as normal unless a callback function intervenes to alter this behavior.

Red team operators can leverage kernel callbacks to bypass security measures in following ways:

• Disabling security callbacks - Security tools register callbacks to monitor system activities. For instance, Endpoint Detection and Response (EDR) systems use process creation callbacks to detect suspicious programs. Red team operators may attempt to unregister or overwrite these callbacks, effectively blinding security tools and allowing their ops to proceed undetected.

• Manual mapping to evade detection - When a module is loaded, image load callbacks are triggered, alerting security tools. To avoid this, red team operators might use a technique called "manual mapping," where they load modules directly into memory without triggering the standard loading process, thereby bypassing image load callbacks.

• Registering malicious callbacks - Red team operators can register their own callbacks to monitor and control system events. For example, a malicious driver might use PsSetCreateProcessNotifyRoutine to register a callback that terminates security processes as soon as they start, effectively neutralizing defenses.

Red Team Notes
- Kernel callbacks are functions in the Windows kernel that notify system components about key events like process creation, image loading, and registry modifications. They help security tools monitor and respond to system activities in real time.
- Red team operators can leverage kernel callbacks to evade detection, disable security tools, and bypass process monitoring. Techniques include unregistering security callbacks, manual mapping to bypass image load detection, and using custom callbacks to terminate security processes.

Follow my journey of 100 Days of Red Team on WhatsApp, Telegram or Discord.

Further Reading

• Understanding Telemetry: Kernel Callbacks

• Bypassing Image Load Kernel Callbacks

• When the hunter becomes the hunted: Using custom callbacks to disable EDRs