Any tips on how to beat the game on hard I set it hard so it would be more challenging and last longer but them F*cking splincers(or whatever there called) man wipe me out I use about 4 medic kits when there about10 splicers and they take a beating to kill especially big sisters:|
any tips would be nice. Cheers;)
I beat it on Hard and it wasn't that hard for me. The drill is your friend! I fully upgraded the drill as soon as possible. The final upgrade for the drill allows you to reflect projectiles back at the enemy while you are drilling. When you drill an enemy, they become temporarily stunned (the stun is significantly shorter on big daddies and big sisters). This is an easy way to knock off a big chunk of their health. You can then either finish them off by drilling them again, melee them down quickly, or shooting them down. The drill becomes a very powerful weapon once you get the charge ability. With damage increases from research I was able to kill enemies in 1 hit with the charge (with the exception of brute splicers, big daddies, big sisters, and security turrets). If you run out of drill fuel, go for headshots. A headshot does nearly double the normal damage and even more if you purchase the tonic that increases the damage done by headshots. You also need to conserve as much ammo as possible (that's why I melee splicers) so that you have enough money to buy health, eve, or even ammo. Out of all the plasmids available, I used the Hypnosis and the Telekinesis ones the most. Hypnosis lets you sit back and watch splicers kill each other which is nice and I used Telekinesis since there are so many explosive barrels lying around on each level.
Remember to purchase health upgrade in EACH level to help you out. As you progress through the game, buy up the armor tonic (research the brute splicers for the upgraded version) and the tonic that reduces fire damage (for big sisters and houdini splicers). It is important that you research whenever you can since the bonuses are essential for beating the game on Hard mode.
Simple Antirootkit
1. SST: references 2. Algorithm 3. Memory mapped files 4. Implementation 5. Demonstration 6. How to build
Written by: Victor Milokum, Development Leader of Network Security Team.
This article is a logical continuation to the article "Driver to Hide Processes and Files" http://www.codeproject.com/KB/system/hide-driver.aspx by Ivan Romananko. You can find all necessary information about System Service Table (SST) and its hooking in it.
In this article I would like to present how to write your own unhooker that will restore original SST hooked by drivers like Ivan's one.
2. Algorithm
My goal is to write a simple driver for SST hooking detection and removing purposes.
This means that our driver should not use various Zw-functions and SST table because I suppose that SST table is corrupted by unknown rootkits.
I do not care about filter drivers and function code splicers for now, but maybe I will come back to them in future.
The simplest way to detect and remove hooks is to compare SST that is placed in memory with the initial SST from ntoskernel.exe file.
So the goal is:
to find ntoskernel module in memory;
to find the section of ntoskernel where SST is placed and to calculate relative offset of SST in the section;
to find this section in the ntoskernel.exe file;
to calculate real address of SST in the file;
to read values from the file and to compare them with SST.
But before the implementation I would like to present some additional information.
3. Memory mapped files in kernel mode
"A memory-mapped file is a segment of virtual memory which has been assigned a direct byte-for-byte correlation with some portion of a file or file-like resource". (c) Wiki
Yeah, we want to parse the PE file and memory mapped files are very useful for this task.
And it is easy enough to use mapped files API from the kernel mode, because it is very similar to Win32 API. Instead of CreateFileMapping and MapViewOfSection functions in kernel mode driver should access
NTSTATUS ZwCreateSection( OUT PHANDLE SectionHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN PLARGE_INTEGER MaximumSize OPTIONAL, IN ULONG SectionPageProtection, IN ULONG AllocationAttributes, IN HANDLE FileHandle OPTIONAL );
and
NTSTATUS ZwMapViewOfSection( IN HANDLE SectionHandle, IN HANDLE ProcessHandle, IN OUT PVOID *BaseAddress, IN ULONG_PTR ZeroBits, IN SIZE_T CommitSize, IN OUT PLARGE_INTEGER SectionOffset OPTIONAL, IN OUT PSIZE_T ViewSize, IN SECTION_INHERIT InheritDisposition, IN ULONG AllocationType, IN ULONG Win32Protect );
functions.
But if we use these functions we will break our own rule not to use SST. Also, it is good for antirootkit to use extremely low level functions in the hope of being invisible to the possible rootkits.
With regard to this we can use undocumented functions of Memory Manager (Mm), of course at our own risk:
NTSTATUS
MmCreateSection ( OUT PVOID *SectionObject, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN PLARGE_INTEGER MaximumSize, IN ULONG SectionPageProtection, IN ULONG AllocationAttributes, IN HANDLE FileHandle OPTIONAL, IN PFILE_OBJECT File OPTIONAL ); NTSTATUS
MmMapViewOfSection( IN PVOID SectionToMap, IN PEPROCESS Process, IN OUT PVOID *CapturedBase, IN ULONG_PTR ZeroBits, IN SIZE_T CommitSize, IN OUT PLARGE_INTEGER SectionOffset, IN OUT PSIZE_T CapturedViewSize, IN SECTION_INHERIT InheritDisposition, IN ULONG AllocationType, IN ULONG Protect ); NTSTATUS
MmUnmapViewOfSection( IN PEPROCESS Process, IN PVOID BaseAddress ); NTSTATUS drv_MapAllFileEx(HANDLE hFile OPTIONAL, drv_MappedFile * pMappedFile, LARGE_INTEGER * pFileSize, ULONG Protect)
{ NTSTATUS status = STATUS_SUCCESS; PVOID section = 0; PCHAR pData=0; LARGE_INTEGER offset; offset.QuadPart = 0; // check zero results if (!pFileSize->QuadPart) goto calc_exit; status = MmCreateSection (§ion, SECTION_MAP_READ, 0, // OBJECT ATTRIBUTES pFileSize, // MAXIMUM SIZE Protect, 0x8000000, hFile, 0 ); if (status!= STATUS_SUCCESS) goto calc_exit; status = MmMapViewOfSection(section, PsGetCurrentProcess(), (PVOID*)&pData, 0, 0, &offset, &pFileSize->LowPart, ViewUnmap, 0, Protect); if (status!= STATUS_SUCCESS) goto calc_exit; calc_exit: if (NT_SUCCESS(status)) { pMappedFile->fileSize.QuadPart = pFileSize->QuadPart; pMappedFile->pData = pData; pMappedFile->section = section; } else { if (pData) MmUnmapViewOfSection(PsGetCurrentProcess(), pData); if (section) { ObMakeTemporaryObject(section); ObDereferenceObject(section); } } return status;
}
This example demonstrates an alternative approach to the usage of mapped files through MmCreateSection/MmMapViewOfSection functions.
The presented approach is pretty good because it doesn't utilize Zw* functions and even handles at all, but it has one restriction. If you start this sample from DriverEntry it will work fine, but if you start it from the IRP_MJ_DEVICE_CONTROL handler you will see that MmCreateSection function fails with STATUS_ACCESS_DENIED. Why?
The answer is: Zw* functions do one good thing - they set previous mode to KernelMode and this allows to utilize kernel mode pointers and handles as parameters for them (for more information see Nt vs. Zw - Clearing Confusion On The Native API article - http://www.osronline.com/article.cfm?id=257)
So, the presented above function can be called only from DriverEntry or from the system thread.
4. Algorithm implementation
I designed the following structure to save all ntoskernel parsing results:
And I implemented the chosen algorithm as follows:
static NTSTATUS ResolveSST(Drv_VirginityContext * pContext, SYSTEM_MODULE * pNtOsInfo)
{ PIMAGE_SECTION_HEADER pSection = 0; PIMAGE_SECTION_HEADER pMappedSection = 0; NTSTATUS status = 0; PNTPROC pStartSST = KeServiceDescriptorTable->ntoskrnl.ServiceTable; char * pSectionStart = 0; char * pMappedSectionStart = 0; // Drv_ResolveSectionAddress function detects // to which section pStartSST belongs // pSection will contain the section of ntoskernel.exe that contains SST pContext->m_pLoadedNtAddress = (char*)pNtOsInfo->pAddress; status = Drv_ResolveSectionAddress(pNtOsInfo->pAddress, pStartSST, &pSection); if (!NT_SUCCESS(status)) goto clean; // save section name to context memcpy(pContext->m_SectionName, pSection->Name, IMAGE_SIZEOF_SHORT_NAME); // calculate m_sstOffsetInSection - offset of SST in section pSectionStart = (char *)pNtOsInfo->pAddress + pSection->VirtualAddress; pContext->m_sstOffsetInSection = (char*)pStartSST - pSectionStart; // find section in mapped file - on disk! status = Drv_FindSection(pContext->m_mapped.pData, pSection->Name, &pMappedSection); if (!NT_SUCCESS(status)) goto clean; pMappedSectionStart = (char *)pContext->m_mapped.pData + pMappedSection->PointerToRawData; pContext->m_mappedSST = pMappedSectionStart + pContext->m_sstOffsetInSection; { // don´t forget to save ImageBase PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)pContext->m_mapped.pData; PIMAGE_NT_HEADERS pNTHeader = (PIMAGE_NT_HEADERS)((char*)dosHeader + dosHeader->e_lfanew); pContext->m_imageBase = pNTHeader->OptionalHeader.ImageBase; } pContext->m_pSectionStart = pSectionStart; pContext->m_pMappedSectionStart = pMappedSectionStart;
clean: return status;
}
And here is the function that returns real value of SST:
void Drv_GetRealSSTValue(Drv_VirginityContext * pContext, long index, void ** ppValue)
{ char * pSST = pContext->m_mappedSST; ULONG * pValue = ((ULONG *) pSST) + index; // now pValue points to the mapped SST entry // but entry contains offset from the beginning of ntoskernel file, // so correct it *ppValue = (void*)(*pValue + (ULONG)pContext->m_pLoadedNtAddress – pContext->m_imageBase);
}
After that it is quite simple to implement main functionality:
virtual NTSTATUS ExecuteReal()
{ CAutoVirginity initer; NT_CHECK(initer.Init(&m_virginityContext)); // now we are ready to scan for(int i = 0, sstSize = Drv_GetSizeOfNtosSST(); i < sstSize; ++i) { void ** pCurrentHandler = Drv_GetNtosSSTEntry(i); void * pRealHandler = 0; Drv_GetRealSSTValue(&m_virginityContext, i, &pRealHandler); if (pRealHandler != *pCurrentHandler) { // oops, we found the difference! // unhook this entry Drv_HookSST(pCurrentHandler, pRealHandler); } } return NT_OK;
}
This tiny cycle completely removes all SST hooks and brings SST to its initial state.
6. Demonstration
For testing purposes I developed simple console utility named unhooker.exe. This utility can be started without parameters; in this case it shows information about its abilities:
"stat" command shows statistics about SST hooking;
"unhook" command cleans SST;
This sample demonstrates how to use utility to detect and erase hooks:
Have fun!
6. How to build
Build steps are the same as in the "Hide Driver" article. They are:
Install Windows Driver Developer Kit 2003 - http://www.microsoft.com/whdc/devtools/ddk/default.mspx
Set global environment variable "BASEDIR" to path of installed DDK. Go here: Computer -> Properties -> Advanced -> Environment variables ->System Variables -> New
And set it like this: BASEDIR -> c:winddk3790 (You have to restart your computer after this.)
If you choose Visual Studio 2003, then you can simply open UnhookerMain.sln and build all.
for(int i = 0, sstSize = Drv_GetSizeOfNtosSST(); i < sstSize; ++i) { void ** pCurrentHandler = Drv_GetNtosSSTEntry(i); void * pRealHandler = 0; Drv_GetRealSSTValue(&m_virginityContext, i, &pRealHandler); if (pRealHandler != *pCurrentHandler) { // oops, we found the difference! // unhook this entry Drv_HookSST(pCurrentHandler, pRealHandler); } } return NT_OK;
}
