#11
Old 03-05-2005, 10:16
drocon
If you are looking for process injection on all of win32, then some level of 'trickery' is involved.
The shortcuts are the APIs CreateRemoteThread() and VirtualAllocEx(), allowing you to allocate a thread and memory in another process. The remotely executed code *should* be relocation-independent (meaning the API addresses AND code would have to be passed down through a structure ...) but that's another thing. The remotely injected code (in this case) would then call LoadLibrary() to actually load the DLL.

Under 9x, there are various well-documented hacks to inject, or at least emulate, the injection of a thread. VirtualAllocEx is absent; however, there are several workarounds. First of all, look up Matt Pietrek's trick, the 8000000h flag trick, that, when passed on to VirtualAlloc(), will return a block of memory >0x80000000, or >2gig, therefore in the shared memory region. An alternative way, but the same method, is to simply create an empty file mapping under 9x, and the address will be >2gig as well.

There are several other hacks for allocation of memory into a remote process under 9x, including some secret ordinals (which I can't quite recall right now)...

As for the actual injection part, there is a secret kernel routine under 9x, which handles the creation of a new thread under any process, which is internally called by DebugActiveProcess(). It's just a hint, hunt around, it's easy.

Likewise, there are other undocumented APIs like CreateKernelThread(), which is sorta similar to process injection..

Anyways, another way completely would be to enumerate the processes and their threads, suspend a thread, alter EIP, and inject your code that way. The method involves using SetThreadContext, and the debug APIs are found on all of win32. HOWEVER, OpenThread() isn't present in 9x, but there are various hacks to easily unobfuscate the address anyways. But this whole mumbo is too long to write in a post...


Oh well, enough rambling.
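The CreateRemoteThread + LoadLibrary pattern the post describes is exactly what a defender looks for in remote-thread telemetry. The following is an added example, not code from the thread or its poster: it scans records shaped like Sysmon Event ID 8 (CreateRemoteThread) fields and flags threads that start at a LoadLibrary export, or at an address outside any loaded module (the relocation-independent shellcode case). The sample records and the benign-source allowlist are constructed assumptions.

```python
"""Flag CreateRemoteThread telemetry that matches LoadLibrary-based DLL injection."""

# Constructed sample records using Sysmon Event ID 8 field names; all values are made up.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Program Files\App\app.exe",
     "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": "RtlUserThreadStart"},
    {"SourceImage": r"C:\Users\u\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\explorer.exe",
     "StartModule": r"C:\Windows\System32\kernel32.dll", "StartFunction": "LoadLibraryA"},
    {"SourceImage": r"C:\Users\u\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\notepad.exe",
     "StartModule": "", "StartFunction": ""},  # start address not inside any loaded module
]

# Assumed allowlist of images that legitimately create remote threads; tune it per estate.
KNOWN_BENIGN_SOURCES = {r"c:\windows\system32\csrss.exe"}

# LoadLibrary exports: a remote thread whose entry point is one of these is the
# classic "inject a thread that calls LoadLibrary()" technique from the post.
LOADER_FUNCS = {"loadlibrarya", "loadlibraryw", "loadlibraryexa", "loadlibraryexw"}


def classify(event):
    """Return a reason string if the event looks like DLL injection, else None."""
    source = event.get("SourceImage", "").lower()
    if source in KNOWN_BENIGN_SOURCES:
        return None
    function = event.get("StartFunction", "").lower()
    module = event.get("StartModule", "")
    if function in LOADER_FUNCS:
        return "remote thread starts at LoadLibrary: DLL injection"
    if not module:
        # Thread entry lies in memory no module backs: typical of injected code.
        return "remote thread starts outside any loaded module: injected code"
    return None


def scan(events):
    """Return (source, target, reason) for every suspicious event."""
    hits = []
    for event in events:
        reason = classify(event)
        if reason:
            hits.append((event["SourceImage"], event["TargetImage"], reason))
    return hits
```

Feeding real Event ID 8 records into `scan()` means mapping your log exporter's field names onto the keys used above.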