Nidhogg is a multi-functional rootkit for red teams. The goal of Nidhogg is to provide an all-in-one, easy-to-use rootkit with multiple helpful functionalities for red team engagements. It can be integrated with your C2 framework via a single header file with simple usage; you can see an example here.
Nidhogg can work on any version of Windows 10 and Windows 11.
This repository contains a kernel driver with a C++ header to communicate with it.
NOTE: Some functionality might trigger PatchGuard; use it at your own risk!
- Process hiding
- Process elevation
- Anti process kill
- Anti process dumping
- Bypass pe-sieve
- Anti file deletion
- Anti file overwriting
- Registry keys and values anti deletion
- Registry keys and values hiding
- Registry keys and values anti overwriting
- Querying currently protected processes, files and registry keys & values
- Arbitrary R/W
- Function patching
- Built-in AMSI bypass
- Built-in ETW patch
Usage is very simple: just include the header and get started!

```cpp
#include "Nidhogg.hpp"

int main() {
    // ...
    // pids holds the process IDs to protect, in the type the header expects
    DWORD result = NidhoggProcessProtect(pids);
    // ...
}
```
To compile the project, you will need the following tools:
Clone the repository and build the driver.
To test it in your testing environment, run the following command from an elevated cmd prompt:

```cmd
bcdedit /set testsigning on
```
After rebooting, create a service and run the driver:
```cmd
sc create nidhogg type= kernel binPath= C:\Path\To\Driver\Nidhogg.sys
sc start nidhogg
```
To debug the driver in your testing environment, run this command from an elevated cmd prompt and reboot your computer:

```cmd
bcdedit /debug on
```
After the reboot, you can see the debugging messages in tools such as DebugView.
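The setup steps above leave auditable state on the machine: a test-signing and kernel-debug boot flag, and a kernel-mode service whose image lives outside the normal driver directory. The following PowerShell, added here as an example and not part of the Nidhogg project, checks for that state from the defender's side. It assumes an elevated session and English-locale bcdedit output; the bcdedit parser is self-checked against a constructed sample before the live run.

```powershell
# Added example (not Nidhogg's own code): audit a test machine for the
# loader-side traces the setup steps leave behind. Assumes an elevated
# session; bcdedit prints localized "Yes"/"No", so the parser assumes English.

function Get-BcdFlags {
    # Parse `bcdedit /enum {current}` into the two boot flags of interest.
    # $Text can be supplied so the parser is testable on constructed output.
    param([string[]]$Text = (bcdedit /enum '{current}'))
    $flags = @{ testsigning = $false; debug = $false }
    foreach ($line in $Text) {
        if ($line -match '^\s*(testsigning|debug)\s+Yes\s*$') {
            $flags[$Matches[1]] = $true
        }
    }
    return $flags
}

function Get-NonStandardKernelDrivers {
    # `sc create ... type= kernel` registers a Win32_SystemDriver entry.
    # Report drivers whose image is not under System32\drivers, as with the
    # C:\Path\To\Driver\Nidhogg.sys path in the setup above. Legitimate
    # third-party drivers (e.g. security products) can appear here too, so
    # treat the output as a triage list rather than a verdict.
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.PathName -and ($_.PathName -notmatch '\\system32\\drivers\\') } |
        Select-Object Name, State, StartMode, PathName
}

# Constructed bcdedit output used only to self-check the parser.
$sample = @(
    'Windows Boot Loader',
    '-------------------',
    'identifier              {current}',
    'testsigning             Yes',
    'debug                   Yes'
)
$parsed = Get-BcdFlags -Text $sample
if (-not ($parsed.testsigning -and $parsed.debug)) { throw 'bcdedit parser self-check failed' }

# Live audit of this machine.
$live = Get-BcdFlags
if ($live.testsigning) { Write-Warning 'Test signing is enabled: unsigned kernel drivers can load.' }
if ($live.debug)       { Write-Warning 'Kernel debugging is enabled.' }
Get-NonStandardKernelDrivers | Format-Table -AutoSize
```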
- Windows Kernel Programming Book
- Kernel Structure Documentation
- Process Hiding
- Process Elevation
- Registry Keys Hiding
Thanks a lot to the people who contributed to this project: