Nidhogg - All-In-One Simple To Use Rootkit For Red Teams
Nidhogg is a multi-functional rootkit for red teams. The goal of Nidhogg is to provide an all-in-one and easy-to-use rootkit with multiple helpful functionalities for red team engagements that can be integrated with your C2 framework via a single header file with simple usage, you can see an example here.
Nidhogg can work on any version of x64 Windows 10 and Windows 11.
This repository contains a kernel driver with a C++ header to communicate with it.
Current Features
- Process hiding and unhiding
- Process elevation
- Process protection (anti-kill and dumping)
- Bypass pe-sieve
- Thread hiding
- Thread protection (anti-kill)
- File protection (anti-deletion and overwriting)
- File hiding
- Registry keys and values protection (anti-deletion and overwriting)
- Registry keys and values hiding
- Querying currently protected processes, threads, files, registry keys and values
- Arbitrary kernel R/W
- Function patching
- Built-in AMSI bypass
- Built-in ETW patch
- Process signature (PP/PPL) modification
- Can be reflectively loaded
- Shellcode Injection
- APC
- NtCreateThreadEx
- DLL Injection
- APC
- NtCreateThreadEx
- Querying kernel callbacks
- ObCallbacks
- Process and thread creation routines
- Image loading routines
- Registry callbacks
- Removing and restoring kernel callbacks
- ETWTI tampering
Reflective loading
Since version v0.3, Nidhogg can be reflectively loaded with kdmapper but because PatchGuard will be automatically triggered if the driver registers callbacks, Nidhogg will not register any callback. Meaning, that if you are loading the driver reflectively these features will be disabled by default:
- Process protection
- Thread protection
- Registry operations
PatchGuard triggering features
These are the features known to me that will trigger PatchGuard, you can still use them at your own risk.
- Process hiding
- File protecting
Basic Usage
It has a very simple usage, just include the header and get started!
#include "Nidhogg.hpp"
int main() {
HANDLE hNidhogg = CreateFile(DRIVER_NAME, GENERIC_WRITE | GENERIC_READ, 0, nullptr, OPEN_EXISTING, 0, nullptr);
// ...
DWORD result = Nidhogg::ProcessUtils::NidhoggProcessProtect(pids);
// ...
}
Setup
Building the client
To compile the client, you will need to install CMake and Visual Studio 2022 installed and then just run:
cd <NIDHOGG PROJECT DIRECTORY>\Example
mkdir build
cd build
cmake ..
cmake --build .
Building the driver
To compile the project, you will need the following tools:
Clone the repository and build the driver.
Driver Testing
To test it in your testing environment run those commands with elevated cmd:
bcdedit /set testsigning on
After rebooting, create a service and run the driver:
sc create nidhogg type= kernel binPath= C:\Path\To\Driver\Nidhogg.sys
sc start nidhogg
Debugging
To debug the driver in your testing environment run this command with elevated cmd and reboot your computer:
bcdedit /debug on
After the reboot, you can see the debugging messages in tools such as DebugView.
Resources
- Windows Kernel Programming Book
- Kernel Structure Documentation
- Registry Keys Hiding
- Process Signatures
- NtCreateThreadEx Hotfix
Contributions
Thanks a lot to those people that contributed to this project: