哪位大侠给看看哪里出问题了？
远程线程注入的程序，能够编译成功，但是运行不起来。
#include <stdio.h>
#include <windows.h>
#include <TlHelp32.h>
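/**
 * Find the process ID of the first process in a Toolhelp snapshot whose
 * szExeFile field equals `processname`.
 *
 * The comparison uses lstrcmp, so it is case-sensitive.
 *
 * @param processname  Executable name to search for.
 * @param lpPid        Receives the matching process ID. It is set to 0 when
 *                     no match is found, so the caller never reads an
 *                     indeterminate value.
 * @return 0 when a match was found; non-zero when an argument is NULL or no
 *         process matched.
 *
 * If the snapshot cannot be created, the function prints "error" and ends
 * the program with exit(-1).
 */
DWORD GetProcessIdByName(LPSTR processname, LPDWORD lpPid)
{
    DWORD result = 1; /* non-zero means "not found" */
    HANDLE snapshot;
    PROCESSENTRY32 entry;

    if (lpPid == NULL) {
        return result;
    }
    *lpPid = 0;
    if (processname == NULL) {
        return result;
    }

    snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot == INVALID_HANDLE_VALUE) {
        printf("error\n");
        exit(-1);
    }

    /* dwSize must be set before Process32First, otherwise the call fails. */
    ZeroMemory(&entry, sizeof(entry));
    entry.dwSize = sizeof(entry);

    if (Process32First(snapshot, &entry)) {
        do {
            if (lstrcmp(entry.szExeFile, processname) == 0) {
                *lpPid = entry.th32ProcessID;
                result = 0;
                break;
            }
        } while (Process32Next(snapshot, &entry));
    }

    /* The snapshot handle was leaked on every path in the earlier version. */
    CloseHandle(snapshot);
    return result;
}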
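/**
 * Enable SeDebugPrivilege (SE_DEBUG_NAME) in the current process token.
 *
 * AdjustTokenPrivileges can only enable a privilege the token already holds.
 * It returns success even when the privilege was not assigned and reports
 * that case through GetLastError() as ERROR_NOT_ALL_ASSIGNED, so the last
 * error is checked as well. Windows can audit this adjustment (event 4703)
 * when token-right-adjustment auditing is enabled.
 *
 * @return TRUE only when the privilege is actually enabled; FALSE otherwise.
 */
BOOL enableDebugPriv()
{
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES tkp;
    BOOL enabled = FALSE;

    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        return FALSE;
    }

    ZeroMemory(&tkp, sizeof(tkp));
    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tkp.Privileges[0].Luid) &&
        AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL) &&
        GetLastError() == ERROR_SUCCESS) {
        enabled = TRUE;
    }

    /* The success path previously returned without closing the token. */
    CloseHandle(hToken);
    return enabled;
}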
/*
 * Thread routine that shows a modal "test" message box and then returns 0.
 * lParam is accepted to match the thread-procedure signature but is not
 * read. Nothing in the visible code references this function.
 */
DWORD __stdcall threadProc(LPVOID lParam)
{
    DWORD exitCode = 0;

    (void)lParam; /* unused */
    MessageBox(NULL, "test", "test", MB_OK);
    return exitCode;
}
/*
 * Entry point. In order, it: requests SeDebugPrivilege, looks up a process
 * ID by executable name, opens that process with PROCESS_ALL_ACCESS,
 * allocates a PAGE_READWRITE region in it, copies a RemoteParam structure
 * into that region, and calls CreateRemoteThread on the opened process.
 *
 * This cross-process sequence (OpenProcess -> VirtualAllocEx ->
 * WriteProcessMemory -> CreateRemoteThread) is what endpoint monitoring
 * watches for; Sysmon, for example, records it as ProcessAccess (event 10)
 * and CreateRemoteThread (event 8).
 *
 * Returns 0 on most paths, including the allocation and write failures;
 * returns -1 only when CreateRemoteThread fails.
 */
int main(){
    typedef struct _RemoteParam {
    char szMsg[12]; // string displayed by the MessageBox function
    DWORD dwMessageBox;// entry address of the MessageBox function
    }RemoteParam, *PRemoteParam;
    DWORD pid;
    HANDLE Rthread; // despite the name, this holds the process handle from OpenProcess
    LPSTR pname="iexplorer.exe";
    DWORD dwThreadSize = 4096; // never read in this function
    DWORD dwWriteBytes; // receives the new thread's ID from CreateRemoteThread
    RemoteParam remoteData;
    ZeroMemory(&remoteData, sizeof(RemoteParam));
    // NOTE(review): both return values below are ignored, so a failed privilege
    // request or a failed lookup is not detected and pid is used regardless.
    enableDebugPriv();
    GetProcessIdByName(pname,&pid);
    //printf("%d\n",pid);
    Rthread = OpenProcess(PROCESS_ALL_ACCESS,FALSE,pid);
    // NOTE(review): OpenProcess reports failure with NULL, not
    // INVALID_HANDLE_VALUE, so this check does not catch a failed open.
    if(Rthread == INVALID_HANDLE_VALUE){
    printf("Open process error\n");
    exit(-1);
    }
    HINSTANCE hUser32 = LoadLibrary("User32.dll");
    // NOTE(review): casting the GetProcAddress result to DWORD truncates the
    // pointer on 64-bit builds; the results of LoadLibrary and GetProcAddress
    // are not checked.
    remoteData.dwMessageBox = (DWORD)GetProcAddress(hUser32, "MessageBoxA");
    // szMsg was zeroed above, so strcat starts at offset 0; the explicit "\0"
    // in the literal adds nothing.
    strcat(remoteData.szMsg,"test\0");
    // allocate storage in the host process
    RemoteParam* pRemoteParam = (RemoteParam*)VirtualAllocEx(Rthread,0,sizeof(RemoteParam),MEM_COMMIT,PAGE_READWRITE);
    if (!pRemoteParam) {
    MessageBox(NULL, "Alloc memory failed !","Notice", MB_ICONINFORMATION | MB_OK);
    return 0;
    }
    // write the string and the MessageBox entry address into the host process
    if (!WriteProcessMemory(Rthread,pRemoteParam,&remoteData,sizeof(remoteData),0)){
    MessageBox(NULL, "Write data to target process failed !","Notice",MB_ICONINFORMATION | MB_OK);
    return 0;
    }
    // NOTE(review): the start address passed here is pRemoteParam, the
    // RemoteParam data block written above, and the thread parameter is NULL.
    // threadProc is not referenced. A thread whose start address lies in a
    // private allocation rather than a loaded module image is a property
    // memory-scanning tools look for.
    HANDLE hRemoteThread = CreateRemoteThread(Rthread,NULL,0,(DWORD (__stdcall *)(void *))pRemoteParam,NULL,0,&dwWriteBytes);
    if (!hRemoteThread){
    MessageBox(NULL, "Create remote thread failed !", "Notice", MB_ICONSTOP);
    return -1;
    }
    // NOTE(review): Rthread, hRemoteThread and hUser32 are never released, and
    // the remote allocation is never freed, on any path.
    return 0;
}