  • CreateRemoteThread的问题

    故障现象

    代码远程注入执行后远程进程异常退出,见截图



    远程进程代码

    // Win32Console.cpp : 定义控制台应用程序的入口点。
    //
    
    #include "stdafx.h"
    #include "process.h"
    #include <iostream>
    using namespace std;
    
    /// Prints a confirmation line carrying the two integer arguments it received.
    /// This is the routine whose address the target program prints at start-up.
    void myFunc(int p1,int p2)
    {
    	std::cout << "函数被调用,传入的参数为(" << p1 << ',' << p2 << ")\n" << std::flush;
    }
    
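    /// Entry point of the target ("remote") process.  Prints its own PID and the
    /// address of myFunc so they can be typed into the other program, then blocks
    /// in getchar() so the process stays alive while the experiment runs.
    int _tmain(int argc, _TCHAR* argv[])
    {
    	std::cout<<"进程PID:"<<getpid()<<std::endl;
    
    	// Standard C++ has no operator<< for a function pointer: `&myFunc` would
    	// convert to bool and print "1".  MSVC prints the address only through a
    	// non-conforming extension, so cast to void* to get the address everywhere.
    	std::cout<<"函数地址:"<<reinterpret_cast<void*>(&myFunc)<<std::endl;
    
    	getchar();   // wait for a key press before exiting
    	return 0;
    }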
    


    注入者代码

    // Hooker.cpp : 定义控制台应用程序的入口点。
    //
    
    #include "stdafx.h"
    #include "windows.h"
    
    #include <iostream>
    #include <string>
    using namespace std;
    
    /// Enables the named privilege (the caller passes SE_DEBUG_NAME) on the
    /// current process token through AdjustTokenPrivileges.  Always returns 0.
    ///
    /// NOTE(review): none of the three Win32 calls below is checked.  If
    /// OpenProcessToken fails, hToken may be used uninitialized; if the account
    /// does not hold the privilege, AdjustTokenPrivileges signals
    /// ERROR_NOT_ALL_ASSIGNED via GetLastError and the caller never learns.
    /// hToken is also never closed, so every call leaks a token handle.
    int EnableDebugPriv(LPCWSTR name)
    {
    	HANDLE hToken;
    	TOKEN_PRIVILEGES tp;
    	LUID luid;
    	// Open the current process's token for privilege adjustment.
    	OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, &hToken);
    	// Resolve the privilege name to its locally unique identifier.
    	LookupPrivilegeValue(NULL, name, &luid) ;
    
    	tp.PrivilegeCount = 1;
    	tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    	tp.Privileges[0].Luid = luid;
    	// Apply the single-entry privilege array (DisableAllPrivileges = 0).
    	AdjustTokenPrivileges(hToken, 0, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL);
    	return 0;
    }
    
    // Size in bytes of each region reserved in the target for copied code.
    const int MAX_REMOTE_DATA = 4 * 1024;
    
    /// Thunk whose bytes remoteCall copies into the target process and which
    /// remoteFunc invokes there.  Written in MSVC x86 inline assembly: it pushes
    /// p2, then p1, loads funcAddress into eax and performs an indirect call.
    ///
    /// NOTE(review): `__asm { }` blocks are accepted by MSVC for x86 only, so
    /// this translation unit cannot be built as x64.
    void __stdcall func(int funcAddress,int p1,int p2) 
    { 
    	__asm 
    	{ 
    		push p2
    		push p1
    		mov eax, funcAddress 
    		call  eax 
    	}
    }
    
    /// Argument block written into the target process and handed to the remote
    /// thread.  Its layout is shared across the two processes by raw copy, so the
    /// field order and sizes are part of the protocol and must not change.
    typedef struct DataPack 
    { 
    	void*    pfunCall;   // address, in the TARGET, of the copied func thunk
    
    	int        funcAddress;   // routine to call inside the target
    	int        p1;            // first argument forwarded to funcAddress
    	int        p2;            // second argument forwarded to funcAddress
    }DataPack, *PDataPack;
    // Signature of the copied func thunk as called from remoteFunc.
    typedef void(__stdcall* FUNCADD)(int,int,int);
    /// Thread start routine executed in the target process (its bytes are copied
    /// there by remoteCall).  pData is the lpParameter given to CreateRemoteThread
    /// and points at the remote copy of DataPack; the routine calls the copied
    /// func thunk through pfunCall with the stored address and arguments.
    ///
    /// Style: the local `func` shadows the global function of the same name.
    void __stdcall remoteFunc(PDataPack pData) 
    { 
    	FUNCADD func = (FUNCADD)pData->pfunCall; 
    	func(pData->funcAddress,pData->p1,pData->p2); 
    }
    
    /// Runs `funcAddress(p1, p2)` inside process `processId` by copying remoteFunc
    /// and func into the target and starting a remote thread on the copy.
    /// Returns true once the remote thread has exited, false on any Win32
    /// failure (each failure also shows a MessageBox).
    ///
    /// NOTE(review): the OpenProcess / VirtualAllocEx(PAGE_EXECUTE_READWRITE) /
    /// WriteProcessMemory / CreateRemoteThread sequence is the textbook
    /// process-injection pattern that EDR products and Sysmon (event ID 8) alert
    /// on; expect it to be flagged on any monitored host.
    /// NOTE(review): processHandle is never closed on any path, and every early
    /// `return false` leaks the remote regions allocated before the failure.
    /// NOTE(review): VirtualFreeEx with MEM_RELEASE requires dwSize == 0; the
    /// non-zero sizes passed at the end mean those calls are expected to fail
    /// (return value unchecked), leaving the regions mapped in the target.
    bool remoteCall(int processId,int funcAddress,int p1,int p2) 
    { 
        // Try to enable SeDebugPrivilege first; the result is not checked.
        EnableDebugPriv(SE_DEBUG_NAME);
    
    	//1. Open the target process with full access.
    	HANDLE processHandle = ::OpenProcess(PROCESS_ALL_ACCESS, 
    		FALSE, processId);
    	if (NULL == processHandle) 
    	{
    		// Message text says "create process failed" although this is OpenProcess.
    		MessageBox(NULL,L"",L"创建进程失败",0); 
    		return false; 
    	}
    
    
    	//2. Reserve a read/write/execute region in the target and copy
    	//   MAX_REMOTE_DATA bytes starting at &remoteFunc into it.
    	LPVOID  pRemoteFun = VirtualAllocEx(processHandle, NULL,MAX_REMOTE_DATA, 
    		MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); 
    	if (NULL == pRemoteFun) 
    	{ 
    		MessageBox(NULL,L"",L"pRemoteFun alloc failed",0); 
    		return false; 
    	} 
    	if (!WriteProcessMemory(processHandle,pRemoteFun,&remoteFunc, 
    		MAX_REMOTE_DATA, 0)) 
    	{ 
    		MessageBox(NULL,L"",L"pRemoteFun write process memory failed",0); 
    		return false; 
    	}
    
    
    	//3. Same again for the func thunk.  (The original comment said
    	//   "parameters", but what is written here is the code of func; the
    	//   parameters go into the DataPack below.)
    	LPVOID  pFunc = VirtualAllocEx(processHandle, NULL,MAX_REMOTE_DATA, 
    		MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); 
    	if (NULL == pFunc) 
    	{ 
    		MessageBox(NULL,L"",L"pFunc alloc failed",0); 
    		return false; 
    	}
    	if (!WriteProcessMemory(processHandle,pFunc,&func, 
    		MAX_REMOTE_DATA, 0)) 
    	{ 
    		MessageBox(NULL,L"",L" pFunc write process memory failed",0); 
    		return false; 
    	}
    
    	// Build the argument block locally; pfunCall holds the TARGET-side copy
    	// of func, not the local one.
    	DataPack dataPack;
    	dataPack.funcAddress=funcAddress;
    	dataPack.pfunCall=pFunc;
    	dataPack.p1=p1;
    	dataPack.p2=p2;
    	
    	// The argument block is also placed in an RWX region, although it is only data.
    	LPVOID  remoteParam = VirtualAllocEx(processHandle, NULL,sizeof(dataPack), 
    		MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); 
    	if (NULL == remoteParam) 
    	{ 
    		MessageBox(NULL,L"",L"remoteParam alloc failed",0); 
    		return false; 
    	}
    	if (!WriteProcessMemory(processHandle,remoteParam,&dataPack, 
    		sizeof(dataPack), 0)) 
    	{ 
    		MessageBox(NULL,L"",L"remoteParam write process memory failed",0); 
    		return false; 
    	}
    
    
    	// Start a thread in the target at the copied remoteFunc, passing the
    	// remote DataPack as its parameter.
    	DWORD threadId; 
    	HANDLE remoteHandle = CreateRemoteThread(processHandle, 
    		NULL, 0, (LPTHREAD_START_ROUTINE)(pRemoteFun), remoteParam, 0, &threadId); 
    	if (!remoteHandle) 
    	{ 
    		MessageBox(NULL,L"",L"CreateRemoteThread failed",0); 
    		return false; 
    	}
    	// Blocks forever if the remote thread never exits (e.g. it hangs in the target).
    	WaitForSingleObject( remoteHandle, INFINITE );
    
    	VirtualFreeEx(processHandle, pRemoteFun, MAX_REMOTE_DATA, MEM_RELEASE);  
    	VirtualFreeEx(processHandle, pFunc, MAX_REMOTE_DATA, MEM_RELEASE); 
    	VirtualFreeEx(processHandle, remoteParam, sizeof(dataPack), MEM_RELEASE); 
    	CloseHandle(remoteHandle); 
    	return true; 
    }
    
    /// Entry point of the injector: reads the target PID, the routine address
    /// (hexadecimal) and two decimal arguments from stdin, then calls remoteCall.
    ///
    /// NOTE(review): the address is read into an `int`, so this only makes sense
    /// for a 32-bit build; on 64-bit the value would be truncated.
    /// NOTE(review): no input validation — a failed extraction leaves the
    /// variable unset (or 0 under C++11 semantics; depends on the toolchain) and
    /// the call proceeds anyway.  The result of remoteCall is ignored.
    int _tmain(int argc, _TCHAR* argv[])
    {
    	cout<<"输入远程进程的PID:";
    	int processId;
    	cin>>processId;
    
    	cout<<"输入远程方法的地址:";
    	int funAddress;
    	cin>>hex>>funAddress;   // address is typed as hex (as printed by the target)
    
    	cout<<"参数1数值:";
    	int p1;
    	cin>>dec>>p1;           // back to decimal for the two arguments
    
    	cout<<"参数2数值:";
    	int p2;
    	cin>>dec>>p2;
    
    	remoteCall(processId,funAddress,p1,p2);
    
    	getchar();   // consumes the newline left by cin, then waits for a key
    	return 0;
    }
    


  • 原文地址:https://www.cnblogs.com/beta2013/p/3377327.html