function InjectMsgbox(dwTargetProc: Cardinal; lpMessage, lpTitle: PChar; mbIcon: Cardinal):LongBool;
type
  PRemMsg = ^TRemMsg;
  TRemMsg = packed record
    bPushOp1: Byte;
    dwHandleAddr: DWord;
    bPushOp2: Byte;
    dwCaptionAddr: DWord;
    bPushOp3: Byte;
    dwTitleAddr: DWord;
    bPushOp4: Byte;
    dwIconAddr: DWord;
    bCallOp: Byte;
    dwMBAAddr: DWord;
    bRetn: Byte;
    dwHandle: HWND;
    lpCaption: array[0..250-1] of Char;
    lpTitle: array[0..250-1] of Char;
    bIcon: DWord;
  end;
var
  gRemMsg: TRemMsg;
  hProc: Cardinal;
  pAlloc: Pointer;
  dwBytesWritten: Cardinal;
  remThreadID: Cardinal;
begin
  result := false;

  SetLastError(ERROR_SUCCESS);

  hProc := OpenProcess(PROCESS_ALL_ACCESS, not true, dwTargetProc);
  if hProc <> 0 then
  begin
    pAlloc := VirtualAllocEx(hProc, nil, sizeof(TRemMsg), MEM_RESERVE or MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if pAlloc <> nil then
    begin

      gRemMsg.bPushOp1 := $68;
      gRemMsg.dwHandleAddr := Cardinal(pAlloc) + 26;
      gRemMsg.bPushOp2 := $68;
      gRemMsg.dwCaptionAddr := Cardinal(pAlloc) + 30;
      gRemMsg.bPushOp3 := $68;
      gRemMsg.dwTitleAddr := Cardinal(pAlloc) + 280;
      gRemMsg.bPushOp4 := $68;
      gRemMsg.dwIconAddr := Cardinal(pAlloc) + 530;
      gRemMsg.bCallOp := $E8;
      gRemMsg.dwMBAAddr := Cardinal(GetProcAddress(GetModuleHandle('user32.dll'), 'MessageBoxA')) - Cardinal(pAlloc) - 25;
      gRemMsg.bRetn := $C2;
      gRemMsg.dwHandle := 0;
      lstrcpy(gRemMsg.lpCaption, lpMessage);
      lstrcpy(gRemMsg.lpTitle, lpTitle);
      gRemMsg.bIcon := mbIcon;

      if WriteProcessMemory(hProc, pAlloc, @gRemMsg, sizeof(TRemMsg), dwBytesWritten) = true then
      begin
        CreateRemoteThread(hProc, nil, 0, pAlloc, nil, 0, remThreadID);

        if GetLastError = ERROR_SUCCESS then result := true;
      end;
    end;
  end;
end;

begin
  InjectMsgBox(dwDieProcessID, 'Hallo', 'Test', 0);
end;