Excerpted from: http://yulinlu.blog.163.com/blog/static/588156982008113111911557/
PerformCallBack4
Forces another process to call a given API; if that API is LoadLibrary, this amounts to thread injection. Provided by coredll.dll.
Definition of PerformCallBack4:
    [DllImport("coredll.dll")]
    public static extern uint PerformCallBack4(ref CallBackInfo CallBackInfo,
        IntPtr ni_pVoid1, IntPtr ni_pVoid2, IntPtr ni_pVoid3);
The CallBackInfo structure taken by the first parameter is defined as:
    public struct CallBackInfo
    {
        public IntPtr hProc;   // target (remote) process
        public IntPtr pfn;     // address of the function in the remote target process
        public IntPtr pvArg0;  // first argument the function needs
    }
The ni_pVoid1, ni_pVoid2 and ni_pVoid3 parameters of PerformCallBack4 are the other three arguments passed to the function executed in the remote target process.
Example:
    /*-------------------------------------------------------------------
     FUNCTION: CallCoredllInProc
     PURPOSE:  CallCoredllInProc uses the undocumented method
               PerformCallBack4 to call methods exported from coredll.dll
               in the specified process.
     PARAMETERS:
       HANDLE  p_hProcess      - handle to the process where the call
                                 should be made
       LPCTSTR p_pszMethodName - name of a method exported from coredll,
                                 such as VirtualAlloc, VirtualFree, etc.
       DWORD   p_dwParam1, p_dwParam2, p_dwParam3, p_dwParam4 - arguments
       DWORD * p_pdwResult     - pointer to the return value
     RETURNS:
       TRUE on success, FALSE on failure
    -------------------------------------------------------------------*/
    #include <windows.h>
    #include <tchar.h>

    // Windows CE only. The structure layout follows the CallBackInfo
    // definition above (hProc, pfn, pvArg0); the member names are the
    // ones this function uses. It is spelled out here because the public
    // SDK headers of the CE versions this post targets do not declare it.
    typedef struct _CALLBACKINFO
    {
        HANDLE  m_hDestinationProcessHandle; // target process
        FARPROC m_pFunction;                 // function address in the target process
        LPVOID  m_pFirstArgument;            // first argument passed to the function
    } CALLBACKINFO;

    // Exported by coredll.dll; the three trailing arguments are handed
    // to the called function as its 2nd, 3rd and 4th parameters.
    #ifdef __cplusplus
    extern "C"
    #endif
    DWORD PerformCallBack4(CALLBACKINFO *pcbi, DWORD dwArg1, DWORD dwArg2, DWORD dwArg3);

    BOOL CallCoredllInProc
    (
        HANDLE  p_hProcess,
        LPCTSTR p_pszMethodName,
        DWORD   p_dwParam1, DWORD p_dwParam2,
        DWORD   p_dwParam3, DWORD p_dwParam4,
        DWORD  *p_pdwResult)
    {
        HINSTANCE l_hCoreDll = NULL;
        BOOL      l_bReturn  = FALSE;

        __try
        {
            // Use the undocumented method PerformCallBack4
            // to call the method in NK.EXE.
            CALLBACKINFO CallbackInfo;
            CallbackInfo.m_hDestinationProcessHandle = p_hProcess;

            l_hCoreDll = LoadLibrary(_T("COREDLL"));
            // Resolve the export in our own process; on these CE versions a
            // DLL is mapped at the same address in every process, so the
            // address is also valid in the target process.
            CallbackInfo.m_pFunction =
                (FARPROC)GetProcAddress(l_hCoreDll, p_pszMethodName);
            if (!CallbackInfo.m_pFunction)
            {
                /*HTRACE(TG_Error,
                    _T("GetProcAddress(%x, %s) failed. Err %d"),
                    l_hCoreDll, p_pszMethodName, GetLastError());
                */
            }
            else
            {
                CallbackInfo.m_pFirstArgument = (LPVOID)p_dwParam1;
                DWORD l_dwResult = PerformCallBack4
                    (&CallbackInfo, p_dwParam2, p_dwParam3, p_dwParam4);
                if (p_pdwResult)
                {
                    *p_pdwResult = l_dwResult;
                }
                l_bReturn = TRUE;
            }
        }
        __except(EXCEPTION_EXECUTE_HANDLER)
        {
            /*
            HTRACE(TG_Error, _T("Exception in CallCoredllInProc(%s)"),
                p_pszMethodName);
            */
            l_bReturn = FALSE;
        }

        if (l_hCoreDll)
        {
            FreeLibrary(l_hCoreDll);
        }
        return l_bReturn;
    } // BOOL CallCoredllInProc
CreateAPISet
Undocumented before CE 6.0; documented from 6.0 onward.
This function creates an API set from the list of functions passed as a parameter.
Syntax
    HANDLE CreateAPISet(
        char acName[4],
        USHORT cFunctions,
        const PFNVOID *ppfnMethods,
        const ULONGLONG *pu64Sig
    );
Parameters
acName
[in] Name of the API set.
cFunctions
[in] Number of functions for this API set.
ppfnMethods
[in] Array of functions for the API set.
pu64Sig
[in] Array of signatures for the functions.
Return Value
A handle to the API set.
Remarks
Before any process can become a handle server, the process must create and register a handle-based API set with this function and RegisterAPISet.
Requirements
Header: pkfuncs.h
Library: coredll.lib
Windows Embedded CE: 6.0 and later
Before CE 6.0 this function was also present in coredll.dll.
RegisterAPISet
Undocumented before CE 6.0; documented from 6.0 onward.
This function registers an API set.
Syntax
    BOOL RegisterAPISet(
        HANDLE hASet,
        DWORD dwSetID
    );
Parameters
hASet
[in] Handle to API set created by the CreateAPISet function.
dwSetID
[in] Type of API set. You must perform a bitwise OR operation on this parameter with REGISTER_APISET_TYPE to create a handle-based API set.
Return Value
TRUE indicates success. FALSE indicates failure. Call GetLastError to get extended error information.
Remarks
Before any process can become a handle server, the process must create and register a handle-based API set with CreateAPISet and RegisterAPISet.
Requirements
Header: pkfuncs.h
Library: coredll.lib
Windows Embedded CE: 6.0 and later
Before CE 6.0 this function was also present in coredll.dll.
QueryAPISetID
Looks up the ID of an API set by its name. Provided by coredll.dll.
Syntax
    int QueryAPISetID(
        char *pName
    );
Parameters
pName
[in] Name of the API set.
Return Value
ID of the API set.
GetAPIAddress
Gets the address of a particular method of a particular API set. Provided by coredll.dll.
Syntax
    FARPROC GetAPIAddress(
        int setId,
        int iMethod
    );
Parameters
setId
[in] ID of the API set.
iMethod
[in] ID of the method.
Return Value
Address of that method.
GetProcessIndexFromID
Computes a process's index (the number of the slot the process occupies) from its process ID. Provided by coredll.dll.
Syntax
    DWORD GetProcessIndexFromID(
        HANDLE hProc
    );
Parameters
hProc
[in] Handle of the process. Why a process handle here rather than a process ID? Simple: in CE, the process handle is the process ID!
Return Value
Index of the process.
Posted on 2009-07-16 16:37 by Sandy
Category: Windows Mobile