@lxfly2000
Created March 7, 2019 07:19
创建远程线程(远程线程注入)的方法
//https://blog.csdn.net/xfgryujk/article/details/50478295
#include<Windows.h>
#include<TlHelp32.h>
#include<iostream>
//https://gist.github.com/lxfly2000/d7a2eba66c4038002b93e0dd94e81317
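/// Returns the PID of the first running process whose image name equals `pn`,
/// or 0 when there is no match, `pn` is null, or the process snapshot cannot
/// be taken.
///
/// The comparison is lstrcmp, i.e. case-sensitive, exactly as in the original
/// (L"Notepad.exe" does not match "notepad.exe"). Like the original, this
/// relies on a UNICODE build so that PROCESSENTRY32 / lstrcmp resolve to their
/// W variants and szExeFile is comparable with an LPCWSTR.
///
/// @param pn  image file name to look for, e.g. L"notepad.exe"
/// @return    th32ProcessID of the first match, 0 otherwise
DWORD QueryFirstPIDOfProcessName(LPCWSTR pn)
{
    if (pn == NULL)
        return 0;

    // Toolhelp reports failure with INVALID_HANDLE_VALUE, not NULL.
    const HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE)
        return 0;

    DWORD pid = 0;
    PROCESSENTRY32 pe = {};
    pe.dwSize = sizeof pe;   // Process32First requires dwSize to be set
    for (BOOL more = Process32First(hProcessSnap, &pe); more; more = Process32Next(hProcessSnap, &pe))
    {
        if (lstrcmp(pn, pe.szExeFile) == 0)
        {
            pid = pe.th32ProcessID;
            break;
        }
    }

    // The original returned from inside the loop and never closed the
    // snapshot handle; release it on every path.
    CloseHandle(hProcessSnap);
    return pid;
}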
/// Opens the process `pid` and returns a non-inheritable handle to it, or
/// NULL on failure (GetLastError carries the reason). The returned handle is
/// owned by the caller and must be closed with CloseHandle.
///
/// Note: PROCESS_ALL_ACCESS is far broader than what the callers in this file
/// actually use; a least-privilege caller would request only the specific
/// rights it needs. Kept as-is to preserve the original contract.
///
/// @param pid  process id, e.g. from QueryFirstPIDOfProcessName
/// @return     process handle or NULL
HANDLE OpenProcessByPid(DWORD pid)
{
    const BOOL inheritHandle = FALSE;
    const HANDLE processHandle = OpenProcess(PROCESS_ALL_ACCESS, inheritHandle, pid);
    return processHandle;
}
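/// Demo of the cross-process "remote thread" pattern: open the process named
/// `pn`, allocate a buffer inside it, copy `path` into that buffer, then start
/// a thread in the target whose entry point is MessageBeep and whose argument
/// is the remote buffer address. The sequence OpenProcess -> VirtualAllocEx ->
/// WriteProcessMemory -> CreateRemoteThread is the canonical injection pattern
/// that EDR products and ETW-based detections alert on, so expect this to be
/// flagged even as a harmless demo.
///
/// Known limitation, kept from the original: `sound` is stored in path[0], but
/// CreateRemoteThread passes the buffer's *address* as the thread argument, so
/// MessageBeep receives that address as its uType rather than `sound`. The
/// start address is this process's MessageBeep; it is only meaningful in the
/// target if user32.dll is mapped at the same base there (presumably the case
/// for system DLLs within one boot session -- verify before relying on it).
///
/// Fixes over the original: an OpenProcess failure is reported instead of
/// being passed on as NULL; the remote buffer and both handles are released on
/// every path; the buffer is freed with MEM_RELEASE (MEM_DECOMMIT left the
/// reservation in place); GetExitCodeThread's result is checked.
///
/// @param pn     image name of the target process (see QueryFirstPIDOfProcessName)
/// @param sound  MessageBeep type; stored in the buffer, see limitation above
void RemoteCallFunction(LPCWSTR pn, int sound)
{
    WCHAR path[MAX_PATH] = L"";
    path[0] = (WCHAR)sound;

    // Open the target process; the original never checked this for NULL.
    const HANDLE process = OpenProcessByPid(QueryFirstPIDOfProcessName(pn));
    if (process == NULL)
    {
        std::cout << "打开进程失败,错误号:" << GetLastError();
        return;
    }

    // Allocate a buffer in the target to hold the path/parameter block.
    LPVOID remoteMemory = VirtualAllocEx(process, NULL, sizeof path, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (remoteMemory == NULL)
    {
        std::cout << "申请内存失败,错误号:" << GetLastError();
        CloseHandle(process);
        return;
    }

    // Copy the buffer over, then run the remote thread and wait for it.
    if (!WriteProcessMemory(process, remoteMemory, path, sizeof path, NULL))
    {
        std::cout << "写入内存失败,错误号:" << GetLastError();
    }
    else
    {
        const HANDLE remoteThread = CreateRemoteThread(process, NULL, 0,
            reinterpret_cast<LPTHREAD_START_ROUTINE>(MessageBeep), remoteMemory, 0, NULL);
        if (remoteThread == NULL)
        {
            std::cout << "创建线程失败,错误号:" << GetLastError();
        }
        else
        {
            // The buffer must stay valid until the remote thread has finished.
            WaitForSingleObject(remoteThread, INFINITE);
            DWORD remoteModule = 0;
            if (GetExitCodeThread(remoteThread, &remoteModule))
                std::cout << "线程退出,返回值:" << remoteModule;
            else
                std::cout << "获取返回值失败,错误号:" << GetLastError();
            CloseHandle(remoteThread);
        }
    }

    // Release the remote buffer and the process handle on every path.
    // dwSize must be 0 when MEM_RELEASE is used.
    VirtualFreeEx(process, remoteMemory, 0, MEM_RELEASE);
    CloseHandle(process);
}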
/// Entry point: runs the remote-thread demo against the process named below
/// and returns 0 unconditionally (failures are only printed by the callee).
int main()
{
    constexpr LPCWSTR targetImage = L"showtime.exe";
    RemoteCallFunction(targetImage, MB_ICONINFORMATION);
    return 0;
}