Published on June 29, 2026
Win32k Callback Detouring Abuses Kernel-to-User Dispatch for Remote Code Execution
Severity
Medium
Detail
Security researchers have demonstrated a process injection technique, named Win32k Callback Detouring, that abuses the Windows graphical subsystem to run attacker-controlled code inside another process with a small detection footprint. "Remote" here means a different process on the same host, not code execution over the network: the attacker already needs a handle to the target process with memory read, write and protection-change rights. The technique rides on the kernel-to-user callback dispatch managed by win32k.sys, so the injected code is started by ordinary window messaging rather than by commonly monitored primitives such as remote thread creation (CreateRemoteThread).
Unlike the earlier KernelCallbackTable injection technique, which overwrites a function pointer in the table, this method leaves the table intact and instead patches a small detour over the first instructions of the legitimate callback function. Execution therefore reaches the payload through the application's expected control flow, which defeats checks that only validate the table's pointers and makes the activity harder for Endpoint Detection and Response (EDR) products and memory integrity monitors to spot. The trade-off is that the patch alters a code page of a mapped image (user32.dll) in the target process; that page becomes a private copy-on-write page that no longer matches the module on disk, which is a signal that image-integrity checks can pick up. The technique was publicly demonstrated by security researcher Adrian Medero (n0qword) through a proof-of-concept, with additional technical analysis published by IntCyberDigest.
How?
The attack abuses the callback mechanism Windows uses when win32k needs to run code in user mode: the kernel calls KeUserModeCallback, which transfers control to ntdll!KiUserCallbackDispatcher in the target process. The dispatcher looks up the requested callback index in the KernelCallbackTable, an array of function pointers that user32.dll installs at load time and that the process's PEB points to (PEB->KernelCallbackTable).
Instead of changing a pointer in the KernelCallbackTable, the attacker resolves the address of the callback function itself and patches its first instructions with a short detour, leaving the table unmodified. The __fnCOPYDATA callback is the usual choice because it can be triggered from outside the process: sending a WM_COPYDATA message with the Windows SendMessage API to any window owned by the target causes win32k to dispatch that callback in the receiving thread. Execution therefore follows the normal kernel-to-user path (KeUserModeCallback, KiUserCallbackDispatcher, the unmodified table entry) up to the entry of __fnCOPYDATA, where the detour transfers control to the attacker's payload. The target must own a window; a process without one gives SendMessage nothing to address.
The attack begins with the threat actor opening a handle to the target process and reading the KernelCallbackTable address from its PEB. After resolving the __fnCOPYDATA pointer from the table, executable memory is allocated in the target to hold the payload, the original bytes at the callback's entry are saved, and the detour is written over them once the code page has been made writable. In practice these steps use the familiar cross-process primitives (VirtualAllocEx, WriteProcessMemory and VirtualProtectEx), so those calls remain visible even though no remote thread is created. Saving the displaced instructions lets the payload hand control back to the real callback afterwards, so the application keeps behaving normally and the activity stays quiet.
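The detour installation and the defender-side integrity check described above, as an added example that is not part of the original advisory or the researcher's proof-of-concept. It works on in-memory byte buffers only, so it builds and runs on any platform: `clean_prologue` is a constructed stand-in for the first bytes of a callback such as __fnCOPYDATA (not the real contents of user32.dll), the payload address is a made-up value, and the function names (`install_detour`, `find_prologue_mismatch`, `is_absolute_jmp_stub`) are this example's own. On Windows the same comparison would be run on bytes read from the target process with ReadProcessMemory against the same offset of the module on disk.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length of the detour: mov rax, imm64 (10 bytes) + jmp rax (2 bytes).
 * rax is volatile at function entry in the Microsoft x64 ABI, so clobbering
 * it before the callback's first instruction is safe. */
#define STUB_LEN 12
#define PROLOGUE_LEN 32

/* Constructed stand-in for the first bytes of a callback function: plausible
 * x64 prologue bytes written for this example, NOT the real bytes of
 * user32!__fnCOPYDATA. Plays the role of the clean on-disk copy. */
static const uint8_t clean_prologue[PROLOGUE_LEN] = {
    0x48, 0x89, 0x5C, 0x24, 0x08,             /* mov [rsp+8], rbx   */
    0x48, 0x89, 0x74, 0x24, 0x10,             /* mov [rsp+10h], rsi */
    0x57,                                     /* push rdi           */
    0x48, 0x83, 0xEC, 0x20,                   /* sub rsp, 20h       */
    0x48, 0x8B, 0xD9,                         /* mov rbx, rcx       */
    0x48, 0x8B, 0xF2,                         /* mov rsi, rdx       */
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, /* padding (nop)      */
    0x90, 0x90, 0x90, 0x90
};

/* Emit the 12-byte absolute jump used as the detour: 48 B8 <imm64> FF E0.
 * The immediate is written byte by byte (little-endian) so the stub is the
 * same regardless of the host's endianness. */
static void build_detour_stub(uint8_t out[STUB_LEN], uint64_t payload_addr)
{
    out[0] = 0x48; out[1] = 0xB8;                 /* REX.W mov rax, imm64 */
    for (int i = 0; i < 8; i++)
        out[2 + i] = (uint8_t)(payload_addr >> (8 * i));
    out[10] = 0xFF; out[11] = 0xE0;               /* jmp rax */
}

/* Attacker side: overwrite the callback prologue with the stub, saving the
 * displaced bytes. In the real technique this write lands in the target
 * process via WriteProcessMemory after VirtualProtectEx made the page
 * writable; here `callback` is just a local buffer. Note that 12 bytes need
 * not end on an instruction boundary (here it cuts through `sub rsp, 20h`),
 * which is why the bytes are restored in place rather than re-executed. */
static void install_detour(uint8_t *callback, uint8_t saved[STUB_LEN],
                           uint64_t payload_addr)
{
    memcpy(saved, callback, STUB_LEN);
    build_detour_stub(callback, payload_addr);
}

/* Put the original bytes back so the real callback can run unmodified. */
static void restore_original(uint8_t *callback, const uint8_t saved[STUB_LEN])
{
    memcpy(callback, saved, STUB_LEN);
}

/* Defender side: compare the live prologue with the clean image bytes.
 * Returns the offset of the first differing byte, or -1 if identical. */
static int find_prologue_mismatch(const uint8_t *live, const uint8_t *clean,
                                  size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (live[i] != clean[i])
            return (int)i;
    return -1;
}

/* Defender side: recognise the specific stub shape and recover its target.
 * Returns 1 and sets *target if the bytes begin with mov rax, imm64; jmp rax. */
static int is_absolute_jmp_stub(const uint8_t *p, size_t n, uint64_t *target)
{
    if (n < STUB_LEN || p[0] != 0x48 || p[1] != 0xB8 ||
        p[10] != 0xFF || p[11] != 0xE0)
        return 0;
    *target = 0;
    for (int i = 7; i >= 0; i--)
        *target = (*target << 8) | p[2 + i];
    return 1;
}

int main(void)
{
    uint8_t live[PROLOGUE_LEN], saved[STUB_LEN];
    uint64_t target = 0;
    memcpy(live, clean_prologue, sizeof live);        /* "target process" copy */

    printf("clean   : mismatch at %d\n",
           find_prologue_mismatch(live, clean_prologue, sizeof live));
    install_detour(live, saved, 0x00007FF6ABCD0000ULL); /* made-up payload addr */
    printf("detoured: mismatch at %d\n",
           find_prologue_mismatch(live, clean_prologue, sizeof live));
    if (is_absolute_jmp_stub(live, sizeof live, &target))
        printf("detour target 0x%016llx\n", (unsigned long long)target);
    restore_original(live, saved);
    printf("restored: mismatch at %d\n",
           find_prologue_mismatch(live, clean_prologue, sizeof live));
    return 0;
}
```

The point of the two defender functions is that they inspect the callback's code, not the table: a pointer check against KernelCallbackTable would pass throughout, while the byte comparison flags the patch immediately (the first differing byte is at offset 1, because the stub and the constructed prologue both start with the REX.W prefix 0x48). The `restore_original` step is what a payload would do before handing control back to the real callback; it is not thread-safe, so a production detour would relocate whole instructions into a trampoline instead.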
Conclusion
Win32k Callback Detouring shows how legitimate Windows graphical subsystem mechanisms can be abused to run code in another process while sidestepping the detections built around conventional injection primitives. Because the KernelCallbackTable is left intact and execution is redirected at the callback function itself, integrity checks that only validate the table's pointers will not notice it. Defenders should therefore look at the callback code rather than only the table: compare the executable pages of user32.dll in running processes against the on-disk module (a private, modified page inside an image mapping is a strong indicator), and alert on cross-process handle acquisition combined with memory allocation and writes into another process's image region. Although the technique is currently a proof-of-concept, it reinforces the need for strong endpoint monitoring, current security controls, and application control and least privilege policies that limit which processes can obtain write access to others.
Source
