# CreateRemoteThread

The CreateRemoteThread function creates a thread that runs in the virtual address space of another process.

```cpp
HANDLE CreateRemoteThread(
  [in]  HANDLE                 hProcess,
  [in]  LPSECURITY_ATTRIBUTES  lpThreadAttributes,
  [in]  SIZE_T                 dwStackSize,
  [in]  LPTHREAD_START_ROUTINE lpStartAddress,
  [in]  LPVOID                 lpParameter,
  [in]  DWORD                  dwCreationFlags,
  [out] LPDWORD                lpThreadId
);
```

<table><thead><tr><th width="195">Parameter</th><th width="252">Description</th><th>Value</th></tr></thead><tbody><tr><td>hProcess</td><td>Handle to the remote process</td><td></td></tr><tr><td>lpThreadAttributes</td><td>Pointer to a SECURITY_ATTRIBUTES structure</td><td>NULL</td></tr><tr><td>dwStackSize</td><td>Stack size</td><td>0</td></tr><tr><td>lpStartAddress</td><td>Address of the function to execute</td><td></td></tr><tr><td>lpParameter</td><td>Argument passed to the function</td><td>NULL</td></tr><tr><td>dwCreationFlags</td><td>Creation flags</td><td>0: run immediately<br>CREATE_SUSPENDED: created suspended</td></tr><tr><td>lpThreadId</td><td>Receives the thread ID</td><td>NULL</td></tr></tbody></table>

## Example

```cpp
#include <windows.h>
#include <iostream>
using namespace std;

HANDLE createRemoteThread(HANDLE hProc, LPVOID execAddr) {
    HANDLE hThread = CreateRemoteThread(
        hProc, NULL, 0,
        (LPTHREAD_START_ROUTINE)execAddr,
        NULL, 0, NULL
    );
    if (!hThread) {
        wcout << L"Failed to create thread" << endl;
    }
    return hThread;
}

int main() {
    DWORD pid = 1234;
    HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    if (hProc) {
        // Allocate memory and write the shellcode
        LPVOID exec = VirtualAllocEx(hProc, NULL, 4096,
            MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        if (exec) {
            // Shellcode write omitted
            // Create the thread in the remote process and get its handle
            HANDLE hThread = createRemoteThread(hProc, exec);
            if (hThread) {
                WaitForSingleObject(hThread, INFINITE);
                CloseHandle(hThread);
            }
            VirtualFreeEx(hProc, exec, 0, MEM_RELEASE);
        }
        CloseHandle(hProc);
    }
    return 0;
}
```
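From the detection side, the pattern above (a thread started in another process at an address returned by `VirtualAllocEx`) shows up in Sysmon Event ID 8 (CreateRemoteThread) as a record whose `StartModule` is not a loaded image. The following is an added example, not code from the original page: it parses constructed sample records in a simplified `Field: value` layout and flags the unbacked start address. The function names and sample values are assumptions made for illustration.

```cpp
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <vector>

using Event = std::map<std::string, std::string>;

// Parse the "Field: value" lines of one rendered Sysmon Event ID 8 record.
Event parseEvent(const std::string& text) {
    Event ev;
    std::istringstream in(text);
    for (std::string line; std::getline(in, line);) {
        if (!line.empty() && line.back() == '\r') line.pop_back();  // CRLF exports
        const auto pos = line.find(": ");
        if (pos != std::string::npos) ev[line.substr(0, pos)] = line.substr(pos + 2);
    }
    return ev;
}

// Flag a cross-process thread whose start address is not inside a loaded
// module. Assumption: StartModule is rendered as "-" in that case (an empty or
// missing field is treated the same), as for a thread started in VirtualAllocEx'd memory.
bool isUnbackedRemoteThread(const Event& ev) {
    const auto get = [&ev](const char* key) {
        const auto it = ev.find(key);
        return it == ev.end() ? std::string() : it->second;
    };
    const std::string mod = get("StartModule");
    return get("SourceProcessId") != get("TargetProcessId") && (mod.empty() || mod == "-");
}

// Constructed sample records (not real telemetry).
const std::vector<std::string> kSamples = {
    "SourceProcessId: 4321\nSourceImage: C:\\Tools\\sample.exe\n"
    "TargetProcessId: 1234\nTargetImage: C:\\Windows\\System32\\notepad.exe\n"
    "StartAddress: 0x000001F0A2B40000\nStartModule: -\nStartFunction: -",
    "SourceProcessId: 888\nSourceImage: C:\\Windows\\System32\\csrss.exe\n"
    "TargetProcessId: 1500\nTargetImage: C:\\Windows\\System32\\cmd.exe\n"
    "StartAddress: 0x00007FFB12340000\nStartModule: C:\\Windows\\System32\\kernel32.dll\n"
    "StartFunction: CtrlRoutine",
};

int main() {
    for (const auto& s : kSamples) {
        const Event ev = parseEvent(s);
        std::cout << ev.at("SourceImage") << " -> " << ev.at("TargetImage") << ": "
                  << (isUnbackedRemoteThread(ev) ? "ALERT" : "ok") << "\n";
    }
}
```

A thread that starts inside a loaded module is not flagged by this rule, so it is best combined with an allowlist of expected source and target image pairs.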

## References

{% embed url="<https://learn.microsoft.com/ko-kr/windows/win32/api/processthreadsapi/nf-processthreadsapi-createremotethread>" %}

