Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long

Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Function VirtualFreeEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long

Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Long, lpThreadAttributes As Any, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
Private Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

Private Const PROCESS_ALL_ACCESS = &H1F0FFF
Private Const MEM_COMMIT = &H1000
Private Const MEM_RELEASE = &H8000
Private Const PAGE_READWRITE = &H4
Private Const INFINITE = &HFFFFFFFF

Public Function ExecuteDll(lPid As Long) As Boolean
Dim hVictim As Long
Dim hInject As Long
Dim lParamAddress As Long
Dim lStartAddress As Long
Dim bB() As Byte
Dim sTmp As String

hVictim = OpenProcess(PROCESS_ALL_ACCESS, 0, lPid): If hVictim = 0 Then Exit Function
If hVictim = 0 Then: GoTo Error
'===
sTmp = "68" & GetLng(0) & _
"68" & GetLng(StrPtr("HOLA")) & _
"68" & GetLng(StrPtr("HOLA")) & _
"68" & GetLng(0) & "68"

Call PutThunk(sTmp, bB)
'===
lStartAddress = GetProcAddress(GetModuleHandle("USER32"), "MessageBoxA"): If lStartAddress = 0 Then GoTo Error
lParamAddress = VirtualAllocEx(hVictim, 0&, UBound(bB) + 1, MEM_COMMIT, PAGE_READWRITE): If lParamAddress = 0 Then GoTo Error
Call WriteProcessMemory(hVictim, lParamAddress, ByVal VarPtr(bB(0)), UBound(bB) + 1, ByVal 0&)
'===
hInject = CreateRemoteThread(hVictim, ByVal 0&, 0&, ByVal lStartAddress, lParamAddress, 0, ByVal 0&)
If hInject = 0 Then: GoTo Error
'===

Call WaitForSingleObject(hInject, INFINITE)
Call CloseHandle(hVictim)
Call CloseHandle(hInject)

ExecuteDll = True
Exit Function

Error:
Call CloseHandle(hInject)
Call CloseHandle(hVictim)

ExecuteDll = False
End Function

Private Function GetLng(ByVal lLng As Long) As String
Dim lTMP As Long

lTMP = (((lLng And &HFF000000) &H1000000) And &HFF&) Or ((lLng And &HFF0000) &H100&) Or ((lLng And &HFF00&) * &H100&) Or ((lLng And &H7F&) * &H1000000) ' by Mike D Sutton
If (lLng And &H80&) Then lTMP = lTMP Or &H80000000

GetLng = String$(8 - Len(Hex$(lTMP)), "0") & Hex$(lTMP)
End Function

Private Sub PutThunk(ByVal sThunk As String, ByRef bvRet() As Byte)
Dim i As Long

ReDim bvRet(0)

For i = 0 To Len(sThunk) - 1 Step 2
bvRet(i / 2) = CByte("&H" & Mid$(sThunk, i + 1, 2))
ReDim Preserve bvRet(UBound(bvRet) + 1)
Next i

ReDim Preserve bvRet(UBound(bvRet) - 1)
End Sub

Sub Main()
ExecuteDll 7756, 0
End Sub