Nidhogg: multi-functional rootkit for red teams

Nidhogg

Nidhogg is a multi-functional rootkit for red teams. The goal of Nidhogg is to provide an all-in-one, easy-to-use rootkit with multiple helpful functionalities for red team engagements. It can be integrated with your C2 framework via a single header file with simple usage; you can see an example here.

Nidhogg can work on any version of x64 Windows 10 and Windows 11.

This repository contains a kernel driver with a C++ header to communicate with it.

Nidhogg was built primarily to give inspiration to others, but over the years it grew bigger and its interface changed several times. Nidhogg contains all of its features in one driver, which is communicated with over IOCTLs, as implemented in the provided client. The features can be divided into three categories:

  • Continuous Operation: A feature that runs consistently in the background (for example: object / registry callbacks).
  • Semi Continuous Operation: A feature that is not running when the driver is loaded, but once triggered (the user sent a certain request) keeps running until it is stopped on driver unloading or canceled by the user (for example: IRP hooking).
  • Immediate Operation: An operation that has a short lifespan and returns an immediate response (for example: disabling ETWTI).

Current Features

  • Process hiding and unhiding
  • Process elevation
  • Process protection (anti-kill and dumping)
  • Bypass memory scanners (e.g. pe-sieve)
  • Thread hiding and unhiding
  • Thread protection (anti-kill)
  • File protection (anti-deletion and overwriting)
  • Registry keys and values protection (anti-deletion and overwriting)
  • Registry keys and values hiding
  • Listing currently protected or hidden processes, threads, files, ports, registry keys and values
  • Function patching
  • Built-in AMSI bypass
  • Built-in ETW patch
  • Process signature (PP/PPL) modification
  • Can be reflectively loaded
  • Shellcode Injection
    • APC
    • NtCreateThreadEx
  • DLL Injection
    • APC
    • NtCreateThreadEx
  • Listing kernel callbacks
    • ObCallbacks
    • Process and thread creation routines
    • Image loading routines
    • Registry callbacks
  • Removing and restoring kernel callbacks
  • Disabling / Enabling ETW providers (e.g. ETW-TI)
  • Module hiding and unhiding
  • Driver hiding and unhiding
  • Credential Dumping
  • Port hiding and unhiding
  • Nidhogg Object File (NOF) for kernel-mode COFF execution

Reflective loading

Since version v0.3, Nidhogg can be reflectively loaded with kdmapper. However, because PatchGuard is automatically triggered if the driver registers callbacks, Nidhogg does not register any callbacks in that mode. This means that if you load the driver reflectively, the following features are disabled by default:

  • Process protection
  • Thread protection
  • Registry operations

PatchGuard triggering features

These are the features known to me that will trigger PatchGuard; you can still use them at your own risk.

  • Process hiding
  • Thread hiding
  • File protecting

Download & Use

Copyright (c) 2022, Ido Veltzman
All rights reserved.
