it can be adapted. Once injected, you can intercept API calls made by the target process, meaning replacing legitimate DLLs with malicious ones that contain hooks, which redirect certain function calls to your lovely rootkit's. The key is in redirecting the execution flow of the LoadLibraryA function to the injected code, which then loads the malicious DLL and redirects specific function calls to the rootkit routines.

kernel32.dll is not replaced. Instead, we retrieve a handle to kernel32.dll using the GetModuleHandleA function and obtain the address of the LoadLibraryA function using GetProcAddress. This allows us to call LoadLibraryA dynamically at runtime, essentially modifying the program's execution flow in response to exceptions, rather than replacing kernel32.dll.

If by "replacing" you mean how LoadLibraryA is redirected to load a different DLL, this is achieved by modifying the context record of the exception pointer (EXCEPTION_POINTERS). When a guard page violation exception occurs, the Vectored Exception Handler intercepts it and modifies the context record to redirect execution to the address of LoadLibraryA (obtained dynamically), effectively hijacking the execution flow and allowing the code to control the loading of DLLs. Simply put, we manipulate the process's execution flow to make it call LoadLibraryA with a specified DLL name when a guard page violation occurs.