Hello all,

I am a InfoSec analyst supporting Anti-Virus to a client. Recently, I came across a HeapSpray attempt detection on the Windows 10 host for the process excel.exe. After the thorough investigation, i found the source which caused the detection was kernel32.dll. The sandbox result for the dll file was suspicious in its behavior.

I would want to know some information about the kernel32.dll file.

1. How does kernel32.dll works when a process is loaded?

2. Does kernel32.dll have privilege to write to Heap?

3. Are "Writing" and "Spraying" to Heap one and the same?

A quick help would be appreciated.

Regards,

Rakshith