Function Name
CreateProcessInternal
Description
CreateProcessInternal is an undocumented API for process creation. According to Windows Internals, CreateProcess and CreateProcessAsUser both call into this API, which is responsible for starting process creation in user mode. It eventually calls NtCreateUserProcess for the kernel-mode operations. This API is commonly used to spawn a suspended process that is then hollowed or injected into.
Library
Kernel32.dll
Associated Attacks
Injection, Evasion
Created: 2022-03-27
Last Update: 2022-03-27
Credits: InfoSecDodo - @dodo_sec