API call sequence of the loader (process hollowing / RunPE):

CreateProcessA        (create the target process suspended)
GetThreadContext
ReadProcessMemory
VirtualAllocEx        (allocate space in the target)
WriteProcessMemory    (write the PE header)
WriteProcessMemory    (loop over the section table, writing each section)
WriteProcessMemory
SetThreadContext
ResumeThread          (run the suspended process)
CloseHandle           (close)
CloseHandle           (close)
Hooking these functions is a reasonable way to capture the in-memory sample: the unpacked image is fully written into the target before SetThreadContext/ResumeThread, so that is the point to dump it.
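As an added example (not part of the original note), here is a defender-side sequence detector in Python that runs over a constructed API-call trace of the kind a hook on these functions might log, and flags the pattern above: CreateProcessA with CREATE_SUSPENDED, one or more WriteProcessMemory calls into that child, SetThreadContext, then ResumeThread. The trace format, the pids and the flag token are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample trace, one call per line: "caller_pid api target_pid [flags]".
# Pair 1000->2000 follows the hollowing sequence; pair 3000->4000 writes into a
# child that was not created suspended and never calls SetThreadContext.
SAMPLE_TRACE = """\
1000 CreateProcessA 2000 CREATE_SUSPENDED
1000 GetThreadContext 2000
1000 ReadProcessMemory 2000
1000 VirtualAllocEx 2000
1000 WriteProcessMemory 2000
1000 WriteProcessMemory 2000
1000 WriteProcessMemory 2000
1000 SetThreadContext 2000
1000 ResumeThread 2000
1000 CloseHandle 2000
3000 CreateProcessA 4000
3000 WriteProcessMemory 4000
3000 ResumeThread 4000
"""

def parse_trace(text):
    """Parse the constructed trace into (caller, api, target, flags) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than failing the whole trace
        events.append((parts[0], parts[1], parts[2], parts[3:]))
    return events

def detect_hollowing(events):
    """Return (caller, target, write_count) for every (caller, target) pair that
    completes suspended-create -> WriteProcessMemory+ -> SetThreadContext -> ResumeThread.
    The ResumeThread event is the last chance to dump the rewritten image."""
    state = defaultdict(lambda: {"stage": 0, "writes": 0})
    hits = []
    for caller, api, target, flags in events:
        s = state[(caller, target)]
        if api == "CreateProcessA":
            # Only a suspended create starts the state machine
            s["stage"] = 1 if "CREATE_SUSPENDED" in flags else 0
            s["writes"] = 0
        elif api == "WriteProcessMemory" and s["stage"] >= 1:
            s["writes"] += 1
            s["stage"] = max(s["stage"], 2)
        elif api == "SetThreadContext" and s["stage"] >= 2:
            s["stage"] = 3
        elif api == "ResumeThread" and s["stage"] == 3:
            hits.append((caller, target, s["writes"]))
            s["stage"] = 0  # reset so a later sequence on the same pair is counted separately
    return hits
```

Real hook output (from an API-monitor DLL or ETW) will carry more fields; only the caller/target pids, the API name and the creation flags are needed for this rule.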