The following function creates a remote thread in the specified process. Please note, that both the start address and the parameters must be valid in the memory context of the destination process, not in ours! In order to get a valid start address in another process you can copy a function from our process' to the other process' memory context by using CopyFunction. In order to get a valid memory block for the parameters inside of the memory context of the other process, you can use AllocMemEx to allocate the buffer and then WriteProcessMemory to initialize/fill it.

function CreateRemoteThreadEx (processHandle : dword;
                               threadAttr    : PSecurityAttributes;
                               stackSize     : integer;
                               startAddr     : pointer;
                               params        : pointer;
                               creationFlags : dword;
                               var threadID  : dword              ) : dword; stdcall;

Please note that in contrast to the win32 API "CreateRemoteThread", which only works in NT based systems, my function works in all current 32bit Windows OSs!

Furthermore I should note, that I didn't realize this by misusing "SetWindowsHookEx" or by hijacking a thread with "Get/SetThreadContext". Both of the latter methods (and any other that I saw until today) are only bad work arounds to recreate "CreateRemoteThread" functionality in 9x/ME based systems and thus have severe disadvantages.

I've invested a lot of time and work to get a *real* "CreateRemoteThread" solution which like the NT win32 API has no real disadvantages. It doesn't cost much performance, it's very reliable, it works always, it doesn't risk the stability of the destination process, and it also doesn't need any cooperation of the destination process - so it works even on frozen or crashed processes.

The "RemoteCmdLine" Example shows you how to use CopyFunction, AllocMemEx and finally "CreateRemoteThreadEx" to execute a function in another process. The example works in all OSs, of course.