CreateRemoteThread 远程注入代码实现
// Classic CreateRemoteThread + LoadLibraryW DLL injection, as a flat statement run:
// open a target process by PID, copy a DLL path into its address space, then start
// a remote thread whose entry point is LoadLibraryW with that path as the argument.
// From a defensive standpoint this is one of the most recognisable injection
// patterns: OpenProcess with CREATE_THREAD|VM_OPERATION|VM_WRITE, followed by a
// cross-process VirtualAllocEx/WriteProcessMemory and a remote thread whose start
// address is inside kernel32 (LoadLibraryW), all against the same PID in quick
// succession. Endpoint telemetry and kernel callbacks (process-handle and
// thread-creation notifications) commonly alert on exactly this sequence.
int iReturnCode;
// Handles to the remote thread and the target process.
HANDLE hRemoteThread, hRemoteProcess;
// PID of the target process (hard-coded below).
DWORD dwRemoteProcessId;
// Wide-char copy of the DLL path; zero-initialised so the buffer is NUL-terminated
// even though the conversion below is given an explicit byte length (see note there).
WCHAR pszLibFileName[MAX_PATH]={0};
// Address of the path string inside the remote process (owned by the remote process
// until VirtualFreeEx below).
PWSTR pszLibFileRemote=NULL;
// Narrow DLL path.
char lpDllFullPathName[MAX_PATH];
// NOTE(review): hard-coded PID and absolute path; both are only meaningful on the
// machine this sample was written on.
dwRemoteProcessId = 3272;
strcpy(lpDllFullPathName, "D:\\My Documents\\Visual Studio 2005\\Projects\\ActiveKey\\Debug\\ActiveKey.dll");
// Convert the narrow path to UTF-16 for LoadLibraryW.
// NOTE(review): cbMultiByte is strlen() without the terminator, so the API does not
// write a NUL itself — termination relies on the {0} initialiser above and on the
// converted string being shorter than MAX_PATH. The return value (0 on failure,
// e.g. MB_ERR_INVALID_CHARS tripping) is stored but never checked.
iReturnCode = MultiByteToWideChar(CP_ACP, MB_ERR_INVALID_CHARS,lpDllFullPathName, strlen(lpDllFullPathName),pszLibFileName, MAX_PATH);
// Open the target process with only the rights this sequence needs.
// NOTE(review): a NULL return (no such PID, access denied, protected process) is not
// checked; every later call would then operate on an invalid handle.
hRemoteProcess = OpenProcess(PROCESS_CREATE_THREAD | // needed for CreateRemoteThread
PROCESS_VM_OPERATION | // needed for VirtualAllocEx / VirtualFreeEx
PROCESS_VM_WRITE, // needed for WriteProcessMemory
FALSE, dwRemoteProcessId );
// Byte length of the wide path including its terminator.
int cb = (1 + lstrlenW(pszLibFileName)) * sizeof(WCHAR);
// Reserve + commit a small read/write region in the remote process for the path.
// NOTE(review): NULL on failure is not checked here; only the cleanup below tests it.
pszLibFileRemote = (PWSTR) VirtualAllocEx( hRemoteProcess, NULL, cb, MEM_COMMIT, PAGE_READWRITE);
// Copy the path into the remote region.
// NOTE(review): the BOOL result is stored in iReturnCode but never examined, and the
// bytes-written out-parameter is NULL, so a partial or failed write goes unnoticed.
iReturnCode = WriteProcessMemory(hRemoteProcess, pszLibFileRemote, (PVOID) pszLibFileName, cb, NULL);
// Resolve LoadLibraryW in *this* process and reuse the address for the remote thread.
// NOTE(review): this implicitly assumes the target maps kernel32 at the same address
// as the injector (same bitness, same session) — GetProcAddress is never checked for NULL.
PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)
GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");
// Start a thread in the target whose entry is LoadLibraryW(pszLibFileRemote).
// The remote thread's start address lying inside kernel32 rather than the target's
// own image is the detail detection logic typically keys on.
hRemoteThread = CreateRemoteThread( hRemoteProcess, NULL, 0, pfnStartAddr, pszLibFileRemote,0, NULL);
// Block until the remote thread (i.e. LoadLibraryW) returns.
// NOTE(review): INFINITE with an unchecked (possibly NULL) thread handle; a hung
// DllMain in the target stalls this code forever.
WaitForSingleObject(hRemoteThread, INFINITE);
// Cleanup: release the remote string buffer, then the handles.
if (pszLibFileRemote != NULL)
{
// MEM_RELEASE with size 0 frees the whole region allocated above.
VirtualFreeEx(hRemoteProcess, pszLibFileRemote, 0, MEM_RELEASE);
}
// Close the remote thread handle.
if (hRemoteThread != NULL)
{
CloseHandle(hRemoteThread );
// NOTE(review): three-argument form — looks like the MFC CWnd::MessageBox overload
// rather than Win32 MessageBoxA (hWnd, text, caption, type); confirm the build target.
// Narrow literals here will not compile with UNICODE defined.
MessageBox("退出","退出了",MB_OK);
}
// Close the process handle.
if (hRemoteProcess!= NULL)
{
CloseHandle(hRemoteProcess);
}