Cheat Engine

[johnnygg]

hi,
this maybe asking a bit much, but anyone know where I can find information about editing a rootkit at run-time?


More specifically, I don't want to find the rootkit file and delete it/stop it from running--that's what my antivirus is for. Instead, I want to know if its possible to analyze/edit the rootkit process at run time.

For example, a child rootkit process is started by a mother-application to
A. report any access to mother-application memory to mother-application
B. hooking onto certain Windows APIs and blocking some inputs/function calls (SendInput(), keybd, etc).
Meanwhile, the mother-application monitors the rootkit, and if the rootkit goes down, it self terminates.
So I'm looking for info on how to get past this.

If this is beyond the scope of this forum, or I'm posting in the wrong area, or mods think I shouldn't be asking this question, then I'm sorry in advance, and feel free to remove the post/reword it however you like.

thanks

johnny

[Fresco]

are you looking for a way to turn the rootkit app into a mother one, so it can handle himself without being watched by the mother app ?
is so, have you asked yourself, can the rootkit run without mother ?
i think not, the rootkit it's most likely a dll not exe
anyways, you can hack the mother app to let the rootkit run by himself.
you just need to find out in the mother app the functions that keeps the rootkit alive, isolate them, and create a new exe with the basic core.
just like crackers do with steam games, they have found that the minimum requirement is not steam.exe but a dll, they created an app like cheat engine to inject that dll into the process of the game, and voila the game works without steam.
the point is that it's an advanced thing, and you would probably fail in this.
if the mother app that controls the rootkit is the antivirus, then forget about it, it's an antivirus, you can disable it or tell it to make an exception tor that rootkit.
btw, is the mother that shuts down when an error occurs to the rootkit ? is that correct ?
if it's not that you want the rookit to be mother, then forget a said anything and clarify yourself.

[johnnygg]

well my problem is that I want to edit the mother app. However, the rootkit is preventing me from doing so >.> So I wanted to edit the rootkit at runtime (like with cheatengine); but its hooking all the tools I can use to modify it at runtime :/ ie. it can detect cheatengine binding to its process (as well as any other assembly/memory editors that I tried). So I'm wondering if there is something else I can do to edit the rootkit

I could just remove the rootkit completely, but then the motherapp doesn't work >.> and the motherapp checks the rootkit's dll files to make sure it is valid at launch so replacing it with another dll that simulates it is out of the question


soooo...where do i go from here?