rmt.dll provides an API that makes another process call a specified procedure
with any number of parameters of any type.
rmt.exe is a simplified utility.

------------------------- Remote Thread utility usage -------------------------
rmt /load Process Dll
rmt /loadfree Process Dll
rmt /free [Process [Dll]]
rmt /list [Process [Dll]]
rmt /call Process Dll API [/i]
rmt /call Process Dll API [type value type value ... ...]
rmt /CALL Process ProcAddr [/i]
rmt /CALL Process ProcAddr [type value type value ... ...]
-------------------------------------------------------------------------------
/load:     ( = /ld ) inject dll into process(s)
/free:     ( = /f )  inject dll into process(s)
/loadfree: ( = /lf ) inject dll into process(s) then free
/list:     ( = /l )  list injected dll of process(s)
/call:     ( = /c )  make process(s) load dll, call procedure of the dll,
                     then free dll
/CALL:     ( = /C )  make process(s) call the procedure

Process:  id or name or full path name
          "*" = any process except current process
          "." = current process
Dll:      dll file name or full path name
          "*" = any dll ( only used with /free or /list )
ProcAddr: Address (such as 0x77FE00C) or DllName!ProcName style
/i:       read function arguments from screen (stdin), \n can be converted
          continue line: single \ , double \ at the end of line means single \
          input type and value are basically the same as the following
          description of the type-value relationship, except without "/".
          to see detailed help, type ? in prompt when asked for input

type-value relationship:

type     value
-------  -----------------------------------------------------------
/d       INPUT only    DWORD
/D       INPUT OUTPUT  DWORD ( internally a DWORD * buffer is used )
/s       INPUT only    String
/us      INPUT only    Unicode String
/sNNNN   INPUT only    String with maxBytes=NNNN
/SNNNN   INPUT OUTPUT  String with maxBytes=NNNN
/usNNNN  INPUT only    Unicode String with maxCharacters=NNNN
/USNNNN  INPUT OUTPUT  Unicode String with maxCharacters=NNNN
-------  -----------------------------------------------------------
NNNN above represents a number, such as 1234 or 0x234ABC0
values of output types are displayed as the result after the call completes

Sample:
rmt /call a.exe user32 MessageBoxA /d 0 /s mymsg /s title /d 0x1000
rmt /call a.exe kernel32 GetEnvironmentVariableW /us path /US1024 "" /d 1024
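
For triage of process-creation logs, the switch and type grammar above can be parsed to show what a logged rmt command line asked for. This is an added example, not code from rmt or its author; the function name parse_rmt, the flag labels and the sample command lines are constructed for illustration.

```python
import re

# Switch spellings from the usage text. Matching is case-sensitive: /call loads
# a DLL and calls one of its exports, /CALL calls an address or Dll!Proc directly.
ACTIONS = {"/load": "load", "/ld": "load", "/loadfree": "loadfree", "/lf": "loadfree",
           "/free": "free", "/f": "free", "/list": "list", "/l": "list",
           "/call": "call_api", "/c": "call_api", "/CALL": "call_addr", "/C": "call_addr"}
# /d /D /s /us plus the sized forms /sNNNN /SNNNN /usNNNN /USNNNN (decimal or 0x hex).
TYPE_RE = re.compile(r"/(?:[dD]|(?:us|US|s|S)(?:0[xX][0-9A-Fa-f]+|\d+)?)")

def parse_rmt(cmdline):
    """Parse one logged command line; return None if it is not an rmt call."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    exe = tokens[0].replace("\\", "/").rsplit("/", 1)[-1].lower() if tokens else ""
    if exe not in ("rmt", "rmt.exe") or len(tokens) < 2 or tokens[1] not in ACTIONS:
        return None
    action, rest = ACTIONS[tokens[1]], tokens[2:]
    hit = {"action": action, "process": rest[0] if rest else None,
           "dll": None, "target": None, "args": [], "flags": []}
    if action == "call_addr":
        hit["target"], argv = (rest[1] if len(rest) > 1 else None), rest[2:]
        if hit["target"] and "!" not in hit["target"]:
            hit["flags"].append("raw_address")
    else:
        hit["dll"] = rest[1] if len(rest) > 1 else None
        hit["target"] = rest[2] if action == "call_api" and len(rest) > 2 else None
        argv = rest[3:] if action == "call_api" else []
    if argv == ["/i"]:
        hit["flags"].append("args_from_stdin")  # arguments are not in the log
    else:
        for typ, val in zip(argv[0::2], argv[1::2]):
            if not TYPE_RE.fullmatch(typ):
                hit["flags"].append("bad_type:" + typ)
            hit["args"].append((typ, val))
    if action in ("load", "loadfree", "call_api"):
        hit["flags"].append("dll_injected")
    if hit["process"] == "*":
        hit["flags"].append("all_processes")  # every process except rmt itself
    return hit

# Constructed command lines, shaped like a process-creation log's CommandLine field.
SAMPLES = [
    r'C:\tools\rmt.exe /ld * "C:\Temp\hook.dll"',
    'rmt /call a.exe kernel32 GetEnvironmentVariableW /us path /US1024 "" /d 1024',
    "rmt /C 1234 0x77FE00C /i",
    "notepad.exe /l report.txt",
]
if __name__ == "__main__":
    print(*map(parse_rmt, SAMPLES), sep="\n")
```

The parser keys on the image name rmt or rmt.exe, so it is a triage aid for command-line logs and does not replace telemetry on remote thread creation itself.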