Injecting Code with a Memory-Mapped File on Windows 98


Injecting your own code on Windows 98 is actually trivial. All 32-bit Windows applications running on Windows 98 share the same top 2 GB of address space. If you allocate some storage up there, that storage is available in every process's address space. To allocate storage above 2 GB, you simply use memory-mapped files (discussed in Chapter 17). You create a memory-mapped file and then call MapViewOfFile to make it visible. Then you populate that area of your address space (which is the same area in every process's address space). You probably have to resort to hand-coded machine language to make this work, which makes the solution difficult to port to other CPU platforms. But if you're doing this, you probably don't care about different CPU platforms, since Windows 98 runs only on x86 anyway.

What makes this technique difficult is that you still have to get a thread in the other process to execute the code in the memory-mapped file. To do this, you need some way to control the thread in the remote process. CreateRemoteThread would work nicely, but Windows 98 doesn't support it. Unfortunately, I have no solution to offer you here.



Programming Applications for Microsoft Windows
Programming Applications for Microsoft Windows (Microsoft Programming Series)
ISBN: 1572319968
EAN: 2147483647
Year: 1999
Pages: 193
