#pragma once
#include <windows.h>
#include <tlhelp32.h>
#include "stdio.h"
// Thread parameter structure definition.
// This is the data block handed to threadproc through its lpvoid parameter;
// threadproc reads both members and nothing else from it.
typedef struct _remoteparam {
char szmsg[12]; // Text shown by the MessageBox call; used as a C string, so it
                // must be NUL-terminated within 12 bytes — nothing here enforces that.
dword dwmessagebox;// Entry address of MessageBox. A dword is 32 bits, so this
                   // can only hold a function address in a 32-bit build.
} remoteparam, * premoteparam;
// Function pointer type matching MessageBox: __stdcall, (owner hwnd, text, caption, flags).
typedef int (__stdcall * pfn_messagebox)(hwnd, lpctstr, lpctstr, dword);
// Thread function definition.
// Entry point of the thread to be started with a remoteparam block as its
// argument. It casts lparam to remoteparam*, treats dwmessagebox as a
// pfn_messagebox and calls it with szmsg as both text and caption.
// Returns 0 unconditionally.
// NOTE(review): lparam and prp->dwmessagebox are used without any check;
// a NULL or garbage address is dereferenced/called directly.
// NOTE(review): the function address is taken from the parameter block rather
// than from this module's import table — presumably because the thread is
// meant to run in another process where this module is not mapped (see the
// allocation comments in main); confirm against the caller.
dword __stdcall threadproc(lpvoid lparam)
{
// Any API used here must be intercepted !!!!!!!!
remoteparam* prp = (remoteparam*)lparam;
pfn_messagebox pfnmessagebox;
// Reinterpret the stored 32-bit value as the MessageBox entry point.
pfnmessagebox = (pfn_messagebox)prp->dwmessagebox;
// This is the line that has the error!!!!!!!!!
pfnmessagebox(null, prp->szmsg, prp->szmsg, 0);
return 0;
}
// Raise the process access privileges: enables SeDebugPrivilege on the
// current process token.
// Returns true when AdjustTokenPrivileges reports success, false if the token
// cannot be opened, the privilege LUID cannot be looked up, or the adjustment
// call fails.
// NOTE(review): AdjustTokenPrivileges returns nonzero even when the privilege
// was not actually assigned (GetLastError() == ERROR_NOT_ALL_ASSIGNED, e.g. the
// caller is not an administrator), so a true return here does not prove the
// privilege is held.
// NOTE(review): htoken is closed on the failure paths but leaked on the
// success path.
// Defender note: this token adjustment is visible to the Windows
// "Audit Token Right Adjusted" / privilege-use audit policies; a process
// enabling SeDebugPrivilege and then opening another process with
// process_all_access is a sequence worth alerting on.
bool enabledebugpriv()
{
handle htoken;
luid sedebugnamevalue;
token_privileges tkp;
// Need TOKEN_ADJUST_PRIVILEGES to change the token and TOKEN_QUERY to read it.
if (!openprocesstoken(getcurrentprocess(),
token_adjust_privileges | token_query, &htoken)) {
return false;
}
// Resolve the locally unique id for "SeDebugPrivilege" on this machine.
if (!lookupprivilegevalue(null, se_debug_name, &sedebugnamevalue)) {
closehandle(htoken);
return false;
}
// Exactly one privilege is adjusted, and it is switched on.
tkp.privilegecount = 1;
tkp.privileges[0].luid = sedebugnamevalue;
tkp.privileges[0].attributes = se_privilege_enabled;
// false = do not disable all other privileges; previous state is not requested.
if (!adjusttokenprivileges(htoken, false, &tkp, sizeof(tkp), null, null)) {
closehandle(htoken);
return false;
}
// htoken is not closed here (see note above).
return true;
}
// Get a process id from the process name; if several instances are running,
// return the id of the first one enumerated.
// Returns 0 when the first snapshot entry cannot be read (a message box is
// shown in that case) or when no entry's szexefile equals lpszprocessname.
// NOTE(review): hsnapshot is not checked against INVALID_HANDLE_VALUE before
// use, and it is never passed to CloseHandle on any return path (handle leak).
// NOTE(review): the entry filled in by Process32First is never compared; only
// entries returned by Process32Next are, so the first process in the snapshot
// can never match.
// NOTE(review): strcmp is case-sensitive and compares the whole image name,
// so "Notepad.exe" does not match "notepad.exe".
dword processnametoid(lpctstr lpszprocessname)
{
// Snapshot of all processes on the system (th32cs_snapprocess, pid 0 = all).
handle hsnapshot = createtoolhelp32snapshot(th32cs_snapprocess, 0);
processentry32 pe;
// dwsize must be set before Process32First or the call fails.
pe.dwsize = sizeof(processentry32);
if (!process32first(hsnapshot, &pe)) {
messagebox(null,
"the frist entry of the process list has not been copyied to the buffer",
"notice", mb_iconinformation | mb_ok);
return 0;
}
// Walk the remaining entries; the one from Process32First is skipped.
while (process32next(hsnapshot, &pe)) {
if (!strcmp(lpszprocessname, pe.szexefile)) {
return pe.th32processid;
}
}
return 0;
}
int main(int argc, char* argv[])
{
//定义线程体的大小
const dword dwthreadsize = 4096;
dword dwwritebytes;
//提升进程访问权限
enabledebugpriv();
//等待输入进程名称,注意大小写匹配
char szexename[max_path] = { 0 };
// cout<< "please input the name of target process !" <<endl;
//
// cin >> szexename;
// cout<<szexename<<endl;
//strcpy(szexename,"notepad.exe");
scanf("%s",szexename);
dword dwprocessid = processnametoid(szexename);
if (dwprocessid == 0) {
messagebox(null, "the target process have not been found !",
"notice", mb_iconinformation | mb_ok);
return -1;
}
//根据进程id得到进程句柄
handle htargetprocess = openprocess(process_all_access, false, dwprocessid);
if (!htargetprocess) {
messagebox(null, "open target process failed !",
"notice", mb_iconinformation | mb_ok);
return 0;
}
//在宿主进程中为线程体开辟一块存储区域
//在这里需要注意mem_commit | mem_reserve内存非配类型以及page_execute_readwrite内存保护类型
//