Nidhogg v1.0 releases: multi-functional rootkit for red teams

Nidhogg

Nidhogg is a multi-functional rootkit for red teams. The goal of Nidhogg is to provide an all-in-one and easy-to-use rootkit with multiple helpful functionalities for red team engagements that can be integrated with your C2 framework via a single header file with simple usage, you can see an example here.

Nidhogg can work on any version of x64 Windows 10 and Windows 11.

This repository contains a kernel driver with a C++ header to communicate with it.

Current Features

• Process hiding and unhiding
• Process elevation
• Process protection (anti-kill and dumping)
• Bypass pe-sieve
• Thread hiding
• Thread protection (anti-kill)
• File protection (anti-deletion and overwriting)
• File hiding
• Registry keys and values protection (anti-deletion and overwriting)
• Registry keys and values hiding
• Querying currently protected processes, threads, files, registry keys and values
• Arbitrary kernel R/W
• Function patching
• Built-in AMSI bypass
• Built-in ETW patch
• Process signature (PP/PPL) modification
• Can be reflectively loaded

Reflective loading

Since version v0.3, Nidhogg can be reflectively loaded with kdmapper but because PatchGuard will be automatically triggered if the driver registers callbacks, Nidhogg will not register any callback. Meaning, that if you are loading the driver reflectively these features will be disabled by default:

• Process protection
• Thread protection
• Registry operations

PatchGuard triggering features

These are the features known to me that will trigger PatchGuard, you can still use them at your own risk.

• Process hiding
• Thread hiding
• File protecting

Changelog v1.0

New features:

• Driver hiding / unhiding
• Module hiding
• Port hiding / unhiding
• Query hidden ports
• Thread unhiding
• Credential Dumping
• NidhoggScript Execution
• Initial Operations (As requested in #34 )

Improvements:

• Refactored the driver side code and improved code quality in terms of readability, simplicity and bug fixing.
• Refactored the client side code and improved code quality in terms of readability, simplicity and bug fixing.
• Reduced the amount of IOCTLs.
• Added automatic allocation / deallocations.
• Fixed memory leaks.

Misc

• New logo
• New wiki
• Prints can be now turned off / on with a single #define

Download & Use

Copyright (c) 2022, Ido Veltzman
All rights reserved.