代码远程注入关键段

 /*
  * Key fragment of a remote-thread injection: a small argument block and the
  * bytes of InjectFun are copied into the process identified by dwProcessId
  * and then run there with CreateRemoteThread. The fragment waits for that
  * thread, prints its exit code and tears everything down again.
  *
  * Defender view: each step is observable. The sequence is a cross-process
  * handle opened with thread-create and VM-write rights, executable+writable
  * memory allocated in another process, a cross-process write, and a thread
  * whose start address lies in private (non-image) memory. Sysmon records the
  * handle open as Event ID 10 (ProcessAccess) and the thread as Event ID 8
  * (CreateRemoteThread); EDR products commonly alert on the combination.
  *
  * NOTE(review): no return value below is checked, so a failed OpenProcess,
  * VirtualAllocEx or WriteProcessMemory is passed straight on to the next call.
  */
 const DWORD desiredAccess = PROCESS_CREATE_THREAD
                           | PROCESS_VM_OPERATION
                           | PROCESS_VM_WRITE;
 const DWORD allocFlags = MEM_COMMIT | MEM_RESERVE;

 HANDLE hTarget = OpenProcess(desiredAccess, FALSE, dwProcessId);

 /* Argument block: 10 zeroed bytes whose first DWORD is set to 1000. What the
  * value means is decided by InjectFun, which is not part of this fragment. */
 char argBlock[10] = {0};
 *(DWORD *)argBlock = 1000;

 /* NOTE(review): the block holds data only, yet the page is requested as
  * PAGE_EXECUTE_READWRITE - more permission than a data page needs. */
 void *remoteArg = VirtualAllocEx(hTarget, NULL, sizeof(argBlock),
                                  allocFlags, PAGE_EXECUTE_READWRITE);
 WriteProcessMemory(hTarget, remoteArg, argBlock, sizeof(argBlock), NULL);

 /* Code size is taken as the distance between two function addresses.
  * NOTE(review): this assumes InjectFunEnd is emitted directly after
  * InjectFun; nothing visible here guarantees that layout - confirm. */
 DWORD codeBytes = (LPBYTE)InjectFunEnd - (LPBYTE)InjectFun;
 PDWORD remoteCode = (PDWORD)VirtualAllocEx(hTarget, NULL, codeBytes,
                                            allocFlags, PAGE_EXECUTE_READWRITE);
 WriteProcessMemory(hTarget, remoteCode, &InjectFun, codeBytes, NULL);

 /* Start a thread in the target at the copied code, with the copied argument
  * block as its single parameter. */
 HANDLE hRemoteThread = CreateRemoteThread(hTarget, NULL, 0,
                                           (LPTHREAD_START_ROUTINE)remoteCode,
                                           remoteArg, 0, NULL);

 DWORD exitCode;
 if (hRemoteThread != NULL) {
     /* INFINITE: the caller blocks for as long as the remote thread runs. */
     WaitForSingleObject(hRemoteThread, INFINITE);
     GetExitCodeThread(hRemoteThread, &exitCode);

     /* NOTE(review): %d is used with a DWORD (unsigned long on Windows). */
     printf("return %d", exitCode);
     CloseHandle(hRemoteThread);
 }

 /* NOTE(review): the VirtualFreeEx documentation requires dwSize to be 0 when
  * MEM_RELEASE is used. With the non-zero sizes passed here the calls are
  * expected to fail, which would leave both regions mapped in the target
  * process - something memory forensics can still find afterwards. */
 VirtualFreeEx(hTarget, remoteCode, codeBytes, MEM_RELEASE);
 VirtualFreeEx(hTarget, remoteArg, sizeof(argBlock), MEM_RELEASE);

 CloseHandle(hTarget);

 

posted @ 2013-02-06 00:10  我的程序人生