If your process is spawning the process into which you want to inject code, things get a little easier. For one, your process (the parent process) can create the new process suspended. This allows you to alter the child process's state without affecting its execution since it hasn't started executing anything yet. But the parent process also gets a handle to the child process's primary thread. Using this handle, you can alter what code the thread executes. You can solve the problem mentioned in the previous section since you can set the thread's instruction pointer to execute the code in the memory-mapped file.
Here is one way for your process to control what code the child process's primary thread executes:
Steps 6 and 7 above are tricky to get right because you have to change the code that you are currently executing. It is possible, however—I've seen it done.
This technique offers a lot of benefits. First, your code gets into the child's address space before the application's own code begins executing. Second, it works on both Windows 98 and Windows 2000. Third, since your process is not acting as a debugger, you can still easily debug the application with the injected DLL. And finally, this technique works on both console and GUI applications.
Of course, this technique also has some disadvantages. You can inject the DLL only if your code is the parent process that creates the child. And, of course, this technique is not CPU-independent; because it manipulates the thread's register context and machine code directly, you must make modifications for each CPU platform you support.