帮忙看一下这段注入代码有什么错
// Thread entry point that main() below copies byte-for-byte into the target
// process. NOTE(review): the MessageBox call and the "1" literal are resolved
// against THIS process's own image (its import table and string data); the
// copied bytes carry those addresses unchanged, so when they execute in the
// target they touch memory that is not valid there — the crash asked about
// below. CreateRemoteThread also passes an LPVOID argument that this
// signature does not declare.
DWORD __stdcall Func()
{
MessageBox(0,"1",0,0);
return 0;
}
// Injector: copies Func into the process that owns a window and starts a
// thread on the copy. No API result is checked: a NULL hwnd leaves Pid at 0,
// OpenProcess then fails and every later call operates on a NULL handle.
int main()
{
HWND hwnd = 0;
DWORD Pid = 0;
HANDLE hProcess = 0;
LPVOID Adr = 0;
HANDLE hRemote = 0;
hwnd = FindWindow(NULL,"计算器");
GetWindowThreadProcessId(hwnd,&Pid);
hProcess = OpenProcess(PROCESS_ALL_ACCESS,false,Pid);
// Allocated read/write only: on a DEP-enabled target the new thread faults
// on its very first instruction, independent of what was copied in.
Adr = VirtualAllocEx(hProcess,NULL,2048,MEM_COMMIT,PAGE_READWRITE);
// Copies 2048 raw bytes starting at Func — far beyond the function body —
// and those bytes still embed this process's addresses (see Func above).
WriteProcessMemory(hProcess,Adr,Func,2048,NULL);
// VirtualAllocEx + WriteProcessMemory + CreateRemoteThread against a foreign
// process is the textbook remote-thread injection sequence; it is exactly
// the call pattern endpoint monitoring keys on when looking for injection.
hRemote = CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)Adr,NULL,NULL,NULL);
// hRemote is never closed (handle leak); hProcess is.
CloseHandle(hProcess);
return 0;
}
为什么计算器会崩溃?
我一步一步调试下来,到WriteProcessMemory都可以写入成功,返回非零值。
到了CreateRemoteThread这一步,计算器就崩溃了。哪里错了?
[解决办法]
在WriteProcessMemory之前你必须先处理欲注入的代码
MessageBox: 无法保证它的地址在远程进程中是一样的
"1": 无法保证在远程进程中有效
Func: 无法保证编译器没有插入多余代码,也无法保证它在远程进程中的地址相同,你需要重定位
...
所以...
[解决办法]
前面的发错...
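// Second answer, restored from a collapsed one-line paste: as printed, each
// "//" comment swallowed all the code that followed it on the same line, so
// the listing could not compile at all. Logic is unchanged; comments are
// translated. MSVC-specific (inline __asm, __declspec(naked), 32-bit x86).
#include <windows.h>
#pragma comment(linker, "/INCREMENTAL:NO") // otherwise Func points at an incremental-link jmp thunk
__declspec(naked) ULONG __stdcall Func(void *)
{
    __asm
    {
        nop; // forgot to change this earlier...
        push Func;
        mov edx, Func; // would rather not write _emit, but don't know how to make VC emit an absolute-address call
        call edx;
        push Func;
        push eax;
        mov edx, Func;
        call edx;
        push 0;
        push 0;
        push Func;
        push 0;
        call eax;
        push 0;
        mov edx, Func;
        call edx;
    }
}

// Writes one 4-byte value into the target process at in_ptr (result unchecked).
void write_int(HANDLE in_p, int in_ptr, int in_data)
{
    WriteProcessMemory(in_p, (void *)in_ptr, &in_data, 4, 0);
}

int main()
{
    HWND hwnd = 0;
    DWORD Pid = 0;
    HANDLE hProcess = 0;
    LPVOID Adr = 0;
    HANDLE hRemote = 0;
    hwnd = FindWindow(NULL,"Calculator");
    GetWindowThreadProcessId(hwnd,&Pid);
    hProcess = OpenProcess(PROCESS_ALL_ACCESS,false,Pid);
    Adr = VirtualAllocEx(hProcess,NULL,4096,MEM_COMMIT,PAGE_EXECUTE_READWRITE); // remember the execute permission
    WriteProcessMemory(hProcess, Adr, Func, 0x100, 0);
    WriteProcessMemory(hProcess, (char *)Adr + 0x100, "User32.dll", 11, 0);
    WriteProcessMemory(hProcess, (char *)Adr + 0x110, "MessageBoxA", 12, 0);
    void *p =GetProcAddress(GetModuleHandleW(L"Kernel32.dll"), "GetModuleHandleA"); // unused local, kept as posted
    // patch the pointers inside the copied function
    write_int(hProcess, (int)Adr + 2, (int)Adr + 0x100);
    write_int(hProcess, (int)Adr + 7, (int)GetProcAddress(GetModuleHandleW(L"Kernel32.dll"), "GetModuleHandleA"));
    write_int(hProcess, (int)Adr + 0xe, (int)Adr + 0x110);
    write_int(hProcess, (int)Adr + 0x14, (int)GetProcAddress(GetModuleHandleW(L"Kernel32.dll"), "GetProcAddress"));
    write_int(hProcess, (int)Adr + 0x1f, (int)Adr + 0x110);
    write_int(hProcess, (int)Adr + 0x2a, (int)GetProcAddress(GetModuleHandleW(L"Kernel32.dll"), "ExitThread")); // habit left over from NtCreateThread; treat it as the return +_+bb
    // From a defender's view: an RWX allocation in another process followed by
    // WriteProcessMemory and CreateRemoteThread is the call sequence endpoint
    // monitoring flags as remote-thread injection; hRemote is never closed.
    hRemote = CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)Adr,NULL,NULL,NULL);
    CloseHandle(hProcess);
    return 0;
}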