I am going through this book, and am trying to understand Dependency Walker. When I select something like KERNEL32.DLL, and it shows 6 imports in the top right pane, then when I click on a sub of kernel, like NTDLL.DLL, why are there so many more imports listed than when selecting kernel32.dll? I would have thought selecting kernel32 would show a summary of all the imports under it.
1 Answer
(If I understood your question correctly - it is about the Windows architecture, not Dependency Walker.) During various refactoring efforts MS did (specifically MinWin), functionality was moved around quite a bit among Win32 DLLs. In order to not break backwards compatibility - ntdll, kernel32, user32 etc. still export all the functions they used to, and just route those calls elsewhere.
What you see seems to indicate lots of functionality was offloaded from ntdll elsewhere (I think mostly KernelBase), and less functionality had to be moved from kernel32.
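One way a DLL can keep exporting a name while routing the call elsewhere is an export forwarder: the export's address points at a "DLL.Function" string inside the export directory instead of at code. The sketch below is an added example, not part of the original answer; it parses a constructed export directory (the byte blob, the helper names and the RVA-equals-offset simplification are assumptions) and separates forwarded exports from ordinary ones.

```python
import struct

def cstr(buf, off):
    """Read a NUL-terminated ASCII string at offset off."""
    return buf[off:buf.index(b"\0", off)].decode("ascii")

def classify_exports(img, exp_rva, exp_size):
    """Map each named export to its forwarder string, or None if it is real code.

    Assumption: RVAs equal offsets into img (true for the constructed blob
    below; a real PE file needs RVA-to-file-offset mapping via its sections).
    """
    # IMAGE_EXPORT_DIRECTORY is 40 bytes; only the last five fields are needed.
    n_funcs, n_names, funcs, names, ords = struct.unpack_from("<5I", img, exp_rva + 20)
    result = {}
    for i in range(n_names):
        name_rva, = struct.unpack_from("<I", img, names + 4 * i)
        index, = struct.unpack_from("<H", img, ords + 2 * i)
        if index >= n_funcs:
            raise ValueError("ordinal index outside the function table")
        fn_rva, = struct.unpack_from("<I", img, funcs + 4 * index)
        # An address inside the export directory itself is not code: it is
        # the RVA of a "DLL.Function" forwarder string.
        forwarded = exp_rva <= fn_rva < exp_rva + exp_size
        result[cstr(img, name_rva)] = cstr(img, fn_rva) if forwarded else None
    return result

def build_sample():
    """Constructed export directory with one forwarded and one ordinary export."""
    strings = [b"HeapAlloc\0", b"Sleep\0", b"NTDLL.RtlAllocateHeap\0"]
    funcs, names, ords, s0 = 40, 48, 56, 60
    s1 = s0 + len(strings[0])
    s2 = s1 + len(strings[1])
    header = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, 2, 2, funcs, names, ords)
    tables = struct.pack("<IIIIHH", s2, 0x5000, s0, s1, 0, 1)
    img = header + tables + b"".join(strings)
    return img, 0, len(img)

if __name__ == "__main__":
    for name, target in classify_exports(*build_sample()).items():
        print(name, "->", target or "(code in this DLL)")
```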