且构网 - Sharing the things programmers run into in development

Getting the current working directory of cmd.exe

Updated: 2023-01-27 15:27:15

Untested, possible approach:


Create a DLL with a DllMain that uses GetThreadStartInformation() to find the address of the buffer, and then uses GetCurrentDirectory to populate it. This should be OK, because both of those functions are in kernel32, which is always present. You will need to have some structure there to return success/failure.



  1. Get a handle to the cmd.exe process.
  2. Allocate some memory there (VirtualAllocEx)
  3. Put the path to your DLL in the memory. (WriteProcessMemory)
  4. Load your dll into the cmd.exe address space. (CreateRemoteThread with an entry point of LoadLibrary, the argument is the memory you allocated earlier.)
  5. WaitForSingleObject followed by GetExitCodeThread(), gives you the HMODULE of your DLL in the cmd.exe process.
  6. ReadProcessMemory to get the current directory.
  7. Unload your dll from the cmd.exe address space. CreateRemoteThread with an entry point of FreeLibrary, the argument is the HMODULE.
  8. WaitForSingleObject to wait for the DLL to unload.


Broad sketch: Details left as an exercise! Risks: Allocates memory in the cmd.exe address space, changes its state. Care must be taken with the functions called in DllMain.