Credit goes to a good friend of mine for this (who doesn’t have a website or twitter account, so I can’t link to him :-p). Here is a (partial) list of DLL’s imported by the Windows 7 version of kernel32:
API-MS-Win-Core-RtlSupport-L1-1-0.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
API-MS-Win-Core-Heap-L1-1-0.dll
API-MS-Win-Core-Memory-L1-1-0.dll
API-MS-Win-Core-Handle-L1-1-0.dll
API-MS-Win-Core-Synch-L1-1-0.dll
API-MS-Win-Core-File-L1-1-0.dll
API-MS-Win-Core-IO-L1-1-0.dll
API-MS-Win-Core-ThreadPool-L1-1-0.dll
API-MS-Win-Core-LibraryLoader-L1-1-0.dll
API-MS-Win-Core-NamedPipe-L1-1-0.dll
API-MS-Win-Core-Misc-L1-1-0.dll
API-MS-Win-Core-SysInfo-L1-1-0.dll
API-MS-Win-Core-Localization-L1-1-0.dll
API-MS-Win-Core-ProcessEnvironment-L1-1-0.dll
API-MS-Win-Core-String-L1-1-0.dll
API-MS-Win-Core-Debug-L1-1-0.dll
API-MS-Win-Core-ErrorHandling-L1-1-0.dll
API-MS-Win-Core-Fibers-L1-1-0.dll
API-MS-Win-Core-Util-L1-1-0.dll
API-MS-Win-Core-Profile-L1-1-0.dll
API-MS-Win-Security-Base-L1-1-0.dll
I guess somebody found an OOP book and started applying the “single responsibility principle” to kernel32 :-). What does this mean to you? If you are an end-user, nothing. If you are a RE or a low level programmer, take care because many functions from kernel32.dll are now forwarded into these DLLs instead of being directly implemented.
Update: here is a little more detailed post on the Avert Labs / McAfee blog.
An other M$ trick to reduce (probably, in their opinion) the amount of malware that use kernel32 functions :D
ReplyDelete(my opinion :P)