Why are some DLLs like Kernel32.dll immune to hijacking while others like CRYPTSP.dll are vulnerable?
DLLs listed under the `KnownDLLs` registry key (e.g., `Kernel32.dll`) are protected because the loader ignores the application's directory and loads them from predefined system locations, which makes hijacking impossible. In contrast, a DLL that is not in `KnownDLLs` (such as `CRYPTSP.dll`) is resolved through the standard search order: with SafeDllSearchMode enabled, the application's directory is still checked first. Because `CRYPTSP.dll` is not a KnownDLL and is not normally present in an application's folder, placing a malicious copy there causes it to be loaded instead of the legitimate one. The Rattler article demonstrates this with a test program that successfully hijacked `CRYPTSP.dll` but failed for `Kernel32.dll`.
Tags: KnownDLLs, Kernel32.dll, CRYPTSP.dll, DLL hijacking protection, search order