I am an InfoSec analyst supporting anti-virus for a client. Recently, I came across a HeapSpray attempt detection on a Windows 10 host for the process excel.exe. After a thorough investigation, I found that the source which caused the detection was kernel32.dll. The sandbox result for the DLL file was that its behavior was suspicious.
I would like to know some information about the kernel32.dll file.
1. How does kernel32.dll work when a process is loaded?
2. Does kernel32.dll have the privilege to write to the heap?
3. Are "writing" to the heap and "spraying" the heap one and the same?
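As an added illustration of the distinction asked about in question 3 (this is example code written for this page, not part of the original post and not the logic of any particular anti-virus product): any process writes to its heap constantly, while a "spray" is a specific pattern of heap use, a large number of allocations that are all filled with the same repeated content so that a later corrupted pointer is likely to land somewhere usable. The block below simulates both scenarios with `malloc` and runs a toy heuristic over them. The thresholds (`MIN_SPRAY_BLOCKS`, `SPRAY_RATIO_THRESHOLD`), the block counts and the 0x0c0c0c0c filler value are assumptions chosen for the demonstration; real sprays are far larger and real detectors look at more than repeated content.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative sizes and thresholds; a real spray is hundreds of MB and a
 * real detector uses more signals than these. All values are assumptions. */
#define SPRAY_BLOCKS          64
#define SPRAY_BLOCK_SZ        4096
#define MIN_SPRAY_BLOCKS      16
#define SPRAY_RATIO_THRESHOLD 0.9

typedef struct {
    uint8_t *p;
    size_t   len;
} heap_block_t;

/* Fill a block with one repeated 4-byte value, the way a spray repeats a
 * filler/sled so that any pointer landing inside the block is usable. */
static void fill_repeated(uint8_t *buf, size_t len, uint32_t pattern)
{
    for (size_t i = 0; i + sizeof pattern <= len; i += sizeof pattern)
        memcpy(buf + i, &pattern, sizeof pattern);
}

/* Simulated spray: many same-size allocations, all with identical content. */
static size_t spray_heap(heap_block_t *blocks, size_t n)
{
    size_t done = 0;
    for (size_t i = 0; i < n; i++) {
        blocks[i].p = malloc(SPRAY_BLOCK_SZ);
        if (!blocks[i].p) break;
        blocks[i].len = SPRAY_BLOCK_SZ;
        fill_repeated(blocks[i].p, SPRAY_BLOCK_SZ, 0x0c0c0c0cu); /* classic filler */
        done++;
    }
    return done;
}

/* Ordinary heap writes: varying sizes, content that differs between blocks
 * and within each block (constructed stand-in for real program data). */
static size_t ordinary_writes(heap_block_t *blocks, size_t n)
{
    size_t done = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = 64 + (i * 37) % 900;
        blocks[i].p = malloc(len);
        if (!blocks[i].p) break;
        blocks[i].len = len;
        for (size_t j = 0; j < len; j++)
            blocks[i].p[j] = (uint8_t)(i * 31 + j * 7);
        done++;
    }
    return done;
}

/* Does the whole block consist of a single 4-byte value repeated? */
static int is_repeated_pattern(const heap_block_t *b)
{
    if (b->len < 8) return 0;
    uint32_t first, cur;
    memcpy(&first, b->p, sizeof first);
    for (size_t i = sizeof first; i + sizeof cur <= b->len; i += sizeof cur) {
        memcpy(&cur, b->p + i, sizeof cur);
        if (cur != first) return 0;
    }
    return 1;
}

/* Toy heuristic in the spirit of a "heap spray attempt" check: flag when
 * enough blocks exist and nearly all of them are repeated-pattern fills. */
static int looks_like_spray(const heap_block_t *blocks, size_t n)
{
    if (n < MIN_SPRAY_BLOCKS) return 0;
    size_t repeated = 0;
    for (size_t i = 0; i < n; i++)
        repeated += is_repeated_pattern(&blocks[i]) ? 1u : 0u;
    return (double)repeated / (double)n >= SPRAY_RATIO_THRESHOLD;
}

static void free_blocks(heap_block_t *blocks, size_t n)
{
    for (size_t i = 0; i < n; i++) free(blocks[i].p);
}

/* Run each scenario through the heuristic: 1 = flagged, 0 = not flagged. */
int spray_scenario_flagged(void)
{
    heap_block_t blocks[SPRAY_BLOCKS];
    size_t n = spray_heap(blocks, SPRAY_BLOCKS);
    int flagged = looks_like_spray(blocks, n);
    free_blocks(blocks, n);
    return flagged;
}

int ordinary_scenario_flagged(void)
{
    heap_block_t blocks[SPRAY_BLOCKS];
    size_t n = ordinary_writes(blocks, SPRAY_BLOCKS);
    int flagged = looks_like_spray(blocks, n);
    free_blocks(blocks, n);
    return flagged;
}

int main(void)
{
    printf("spray scenario flagged:    %d\n", spray_scenario_flagged());
    printf("ordinary scenario flagged: %d\n", ordinary_scenario_flagged());
    return 0;
}
```

Both scenarios go through exactly the same allocator calls; what separates them is the shape of the writes (count, uniform size, identical repeated content), which is why a heuristic of this kind reports "spray" rather than "write". Because every process, including legitimate ones, writes to its heap, a detection like this is a behavioural signal about the pattern of allocations, not proof that a particular module is malicious.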