I noticed that the same malware will export CreateProcessInternalW from kernel32.dll in Windows 7 and KernelBase.dll in Windows 10. Why is it exporting the same function from different DLLs?
Asked
Active
Viewed 1,018 times
1 Answers
1
CreateProcessInternalW is not part of the "public" API exposed by Windows. Consequently, Microsoft is free to move it or reimplement it how they see fit. (Including removing it entirely, unlikely though that may be.)
Starting with Windows7, Microsoft started building something that they called "MinWin", which is the minimal set of Windows DLLs & Kernel necessary to create the core of the OS. (Probably intended for containerization or standardizing an embedded core.) This lead to the creation of KernelBase.dll, which contains the MinWin functionality for Kernel exports. Many functions in kernel32.dll are just stubs that call their partner function in KernelBase.dll.
I'm not in front of a Windows 10 box right now, but I would guess that CreateProcessInternalW moved to KernelBase.dll as part of this, and so consequently the malware developer is looking for it there in Windows 10. (Perhaps kernel32.dll no longer exports the symbol.)
David
- 15,814
- 3
- 48
- 73