type injt = packed record
 PushCommand: Byte; // 0x68
 PushEIP: DWORD; // Old EIP value from context to return to
 PushFd: Byte; // 0x9c
 PushAd: Byte; //0x60
 PushCommand2: Byte; // 0x68
 PushDLLName: DWORD; // address of LibraryName
 Call: Word; // 15ff
 CallAddr: DWORD; //LoadLibraryA address
 PopAd: Byte; // 0x61
 PopFd: Byte; // 0x9d
 Ret: Byte; // 0xc3
 AddrLoadLibrary: DWORD;
 LibraryName: array [0..MAX_PATH] of char;
 end;

procedure InjectLib(const PID, TID: DWORD);
var
  stubLen, oldIP, ret: DWORD;
  hProcess, hThread: THandle;
  ctx: CONTEXT;
    n: injt;
 stub: Pointer;
  begin

   stubLen := sizeof(n);

   hProcess := OpenProcess(PROCESS_VM_WRITE or PROCESS_VM_OPERATION, False, PID);

   if hProcess = 0 then exit;

   stub := VirtualAllocEx(hProcess, nil, stubLen, MEM_COMMIT, PAGE_EXECUTE_READWRITE);

   hThread := OpenThread(THREAD_GET_CONTEXT or THREAD_SET_CONTEXT or THREAD_SUSPEND_RESUME, false, TID);

   if hThread = 0 then exit;

   SuspendThread(hThread);

   ZeroMemory(@ctx, sizeof(ctx));

   ctx.ContextFlags := CONTEXT_CONTROL;
   GetThreadContext(hThread, ctx);
   oldIP := ctx.Eip;
   ctx.Eip := DWORD(stub);
   ctx.ContextFlags := CONTEXT_CONTROL;


 with n do
 begin
 PushCommand := $68;
 PushEIP := oldIP;
 pushfd := $9c;
 pushad := $60 ;
 PushCommand2 := $68;
 PushDLLName := DWORD(stub) + 25;
 call := $15FF;
 calladdr := DWORD(stub) + 21;
 PopAd := $61;
 PopFd := $9d;
 ret := $c3;
 StrPCopy(@LibraryName, 'psapi.dll');
 AddrLoadLibrary := DWORD(GetProcAddress(GetModuleHandle('kernel32.dll'), 'LoadLibraryA'));
end;

   WriteProcessMemory(hProcess, stub, @n, stubLen, ret);

   SetThreadContext(hThread, ctx);

   ResumeThread(hThread);

   WaitForSingleObject(hThread, INFINITE);

   VirtualFreeEx(hProcess, stub, stubLen, MEM_DECOMMIT);
   CloseHandle(hProcess);
   CloseHandle(hThread);
end;