Skip to content
forked from Idov31/Nidhogg

Nidhogg is an all-in-one simple to use rootkit for red teams.

License

Notifications You must be signed in to change notification settings

assarbad/Nidhogg

 
 

Repository files navigation

Nidhogg

Logo

image image

Nidhogg is a multi-functional rootkit to showcase the variety of operations that can be done from kernel space. The goal of Nidhogg is to provide an all-in-one and easy-to-use rootkit with multiple helpful functionalities for operations. Besides that, it can also easily be integrated with your C2 framework.

Nidhogg can work on any version of x64 Windows 10 and Windows 11.

This repository contains a kernel driver with a C++ program to communicate with it.

If you want to know more, check out the wiki for a detailed explanation.

Current Features

  • Process hiding and unhiding
  • Process elevation
  • Process protection (anti-kill and dumping)
  • Bypass pe-sieve
  • Thread hiding and unhiding
  • Thread protection (anti-kill)
  • File protection (anti-deletion and overwriting)
  • Registry keys and values protection (anti-deletion and overwriting)
  • Registry keys and values hiding
  • Querying currently protected processes, threads, files, hidden ports, registry keys and values
  • Function patching
  • Built-in AMSI bypass
  • Built-in ETW patch
  • Process signature (PP/PPL) modification
  • Can be reflectively loaded
  • Shellcode Injection
    • APC
    • NtCreateThreadEx
  • DLL Injection
    • APC
    • NtCreateThreadEx
  • Querying kernel callbacks
    • ObCallbacks
    • Process and thread creation routines
    • Image loading routines
    • Registry callbacks
  • Removing and restoring kernel callbacks
  • ETWTI tampering
  • Module hiding
  • Driver hiding and unhiding
  • Credential Dumping
  • Port hiding/unhiding
  • Script execution
  • Initial operations

Reflective loading

Since version v0.3, Nidhogg can be reflectively loaded with kdmapper but because PatchGuard will be automatically triggered if the driver registers callbacks, Nidhogg will not register any callback. Meaning, that if you are loading the driver reflectively these features will be disabled by default:

  • Process protection
  • Thread protection
  • Registry operations

Script Execution

Since version v1.0, Nidhogg can execute NidhoggScripts - a tool that allows one to execute a couple of commands one after another, thus, creating playbooks for Nidhogg. To see how to write one check out the wiki

Initial Operations

Since version v1.0, Nidhogg can execute NidhoggScripts as initial operations as well. Meaning, that if it spots the file out.ndhg in the root of the project directory (the same directory as the Python file) it will execute the file each time the driver is running.

PatchGuard triggering features

These are the features known to trigger PatchGuard, you can still use them at your own risk.

  • Process hiding
  • File protecting

Basic Usage

To see the available commands you can run NidhoggClient.exe or look at the wiki for detailed information regarding how to use each command, the parameters it takes and how it works.

NidhoggClient.exe

# Simple usage: Hiding a process
NidhoggClient.exe process hide 3110

Setup

Building the client

To compile the client, you will need to have Visual Studio 2022 installed and then just build the project like any other Visual Studio project.

Building the driver

To compile the project, you will need the following tools:

Clone the repository and build the driver.

Driver Testing

To test it in your testing environment run those commands with elevated cmd:

bcdedit /set testsigning on

After rebooting, create a service and run the driver:

sc create nidhogg type= kernel binPath= C:\Path\To\Driver\Nidhogg.sys
sc start nidhogg

Debugging

To debug the driver in your testing environment run this command with elevated cmd and reboot your computer:

bcdedit /debug on

After the reboot, you can see the debugging messages in tools such as DebugView.

Resources

Contributions

Thanks a lot to those people who contributed to this project: