// _remotethreaddemo.cpp : Defines the entry point for the console application.
// Author:秋鎮(zhèn)菜

#include "stdafx.h"
#include "windows.h"

// ========== 定義一個(gè)代碼結(jié)構(gòu),本例為一個(gè)對(duì)話框============
struct MyData
{
char sz[64]; // 對(duì)話框顯示內(nèi)容
DWORD dwMessageBox; // 對(duì)話框的地址
};

// ========== 遠(yuǎn)程線程的函數(shù) ==============================
DWORD __stdcall RMTFunc(MyData *pData)
{
typedef int(__stdcall*MMessageBox)(HWND,LPCTSTR,LPCTSTR,UINT);
MMessageBox MsgBox = (MMessageBox)pData->dwMessageBox;
MsgBox(NULL, pData->sz, NULL, MB_OK);
return 0;
}
int main(int argc, char* argv[])
{
// ===== 獲得需要?jiǎng)?chuàng)建REMOTETHREAD的進(jìn)程句柄 ===============================
HWND hWnd = FindWindow("notepad", NULL); // 以NOTEPAD為例
DWORD dwProcessId;
::GetWindowThreadProcessId(hWnd, &dwProcessId);
HANDLE hProcess = OpenProcess(
         PROCESS_ALL_ACCESS,
         FALSE,
         dwProcessId);

// ========= 代碼結(jié)構(gòu) ================================================
MyData data;
ZeroMemory(&data, sizeof (MyData));
strcat(data.sz, "對(duì)話框的內(nèi)容.");
HINSTANCE hUser = LoadLibrary("user32.dll");
if (! hUser)
{
   printf("Can not load library.\n");
   return 0;
}
data.dwMessageBox = (DWORD)GetProcAddress(hUser, "MessageBoxA");
FreeLibrary(hUser);
if (! data.dwMessageBox)
   return 0;

// ======= 分配空間 ===================================================
void *pRemoteThread
   = VirtualAllocEx(hProcess, 0,
       1024*4, MEM_COMMIT|MEM_RESERVE,
       PAGE_EXECUTE_READWRITE);
if (! pRemoteThread)
   return 0;
if (! WriteProcessMemory(hProcess, pRemoteThread, &RMTFunc, 1024*4, 0))
   return 0;

MyData *pData
   = (MyData*)VirtualAllocEx(hProcess, 0,
       sizeof (MyData), MEM_COMMIT,
       PAGE_READWRITE);
if (!pData)
   return 0;

if (! WriteProcessMemory(hProcess, pData, &data, sizeof (MyData), 0))
   return 0;

// =========== 創(chuàng)建遠(yuǎn)程線程 ===========================================
HANDLE hThread
   = CreateRemoteThread(hProcess, 0,
        0, (LPTHREAD_START_ROUTINE)pRemoteThread,
        pData, 0, 0);
if (! hThread)
{
   printf("遠(yuǎn)程線程創(chuàng)建失敗");
   return 0;
}
CloseHandle(hThread);
VirtualFreeEx(hProcess, pRemoteThread, 1024*3, MEM_RELEASE);
VirtualFreeEx(hProcess, pData, sizeof (MyData), MEM_RELEASE);
CloseHandle(hProcess);
printf("Hello World!\n");
return 0;
}