Nidhogg is a multi-functional rootkit to showcase the variety of operations that can be done from kernel space. The goal of Nidhogg is to provide an all-in-one and easy-to-use rootkit with multiple helpful functionalities for operations. Besides that, it can also easily be integrated with your C2 framework.
Nidhogg can work on any version of x64 Windows 10 and Windows 11.
This repository contains a kernel driver with a C++ program to communicate with it.
If you want to know more, check out the wiki for a detailed explanation.
- Process hiding and unhiding
- Process elevation
- Process protection (anti-kill and dumping)
- Bypass pe-sieve
- Thread hiding and unhiding
- Thread protection (anti-kill)
- File protection (anti-deletion and overwriting)
- Registry keys and values protection (anti-deletion and overwriting)
- Registry keys and values hiding
- Querying currently protected processes, threads, files, hidden ports, registry keys and values
- Function patching
- Built-in AMSI bypass
- Built-in ETW patch
- Process signature (PP/PPL) modification
- Can be reflectively loaded
- Shellcode Injection
- APC
- NtCreateThreadEx
- DLL Injection
- APC
- NtCreateThreadEx
- Querying kernel callbacks
- ObCallbacks
- Process and thread creation routines
- Image loading routines
- Registry callbacks
- Removing and restoring kernel callbacks
- ETWTI tampering
- Module hiding
- Driver hiding and unhiding
- Credential Dumping
- Port hiding/unhiding
- Script execution
- Initial operations
Since version v0.3, Nidhogg can be reflectively loaded with kdmapper but because PatchGuard will be automatically triggered if the driver registers callbacks, Nidhogg will not register any callback. Meaning, that if you are loading the driver reflectively these features will be disabled by default:
- Process protection
- Thread protection
- Registry operations
Since version v1.0, Nidhogg can execute NidhoggScripts - a tool that allows one to execute a couple of commands one after another, thus, creating playbooks for Nidhogg. To see how to write one check out the wiki
Since version v1.0, Nidhogg can execute NidhoggScripts as initial operations as well. Meaning, that if it spots the file out.ndhg in the root of the project directory (the same directory as the Python file) it will execute the file each time the driver is running.
These are the features known to trigger PatchGuard, you can still use them at your own risk.
- Process hiding
- File protecting
To see the available commands you can run NidhoggClient.exe or look at the wiki for detailed information regarding how to use each command, the parameters it takes and how it works.
NidhoggClient.exe
# Simple usage: Hiding a process
NidhoggClient.exe process hide 3110To compile the client, you will need to have Visual Studio 2022 installed and then just build the project like any other Visual Studio project.
To compile the project, you will need the following tools:
- Visual Studio 2022
- Windows Driver Kit
- Python (for the initial operations)
Clone the repository and build the driver.
To test it in your testing environment run those commands with elevated cmd:
bcdedit /set testsigning onAfter rebooting, create a service and run the driver:
sc create nidhogg type= kernel binPath= C:\Path\To\Driver\Nidhogg.sys
sc start nidhoggTo debug the driver in your testing environment run this command with elevated cmd and reboot your computer:
bcdedit /debug onAfter the reboot, you can see the debugging messages in tools such as DebugView.
- Windows Kernel Programming Book
- Kernel Structure Documentation
- Registry Keys Hiding
- Process Signatures
- NtCreateThreadEx Hotfix
- Credential Dumping
- Port Hiding
- Logo
Thanks a lot to those people who contributed to this project: