dEEpEst
Nidhogg is a multi-functional rootkit that showcases the variety of operations that can be performed from kernel space. The goal of Nidhogg is to provide an all-in-one, easy-to-use rootkit with multiple helpful functionalities for operations. It can also be integrated easily with your C2 framework.
Nidhogg works on any x64 version of Windows 10 and Windows 11.
This repository contains a kernel driver together with a C++ program that communicates with it.
Current Features
- Process hiding and unhiding
- Process elevation
- Process protection (anti-kill and dumping)
- Bypass pe-sieve
- Thread hiding and unhiding
- Thread protection (anti-kill)
- File protection (anti-deletion and overwriting)
- Registry keys and values protection (anti-deletion and overwriting)
- Registry keys and values hiding
- Querying currently protected processes, threads, files, hidden ports, registry keys and values
- Function patching
- Built-in AMSI bypass
- Built-in ETW patch
- Process signature (PP/PPL) modification
- Can be reflectively loaded
- Shellcode injection
  - APC
  - NtCreateThreadEx
- DLL injection
  - APC
  - NtCreateThreadEx
- Querying kernel callbacks
  - ObCallbacks
  - Process and thread creation routines
  - Image loading routines
  - Registry callbacks
- Removing and restoring kernel callbacks
- ETWTI tampering
- Module hiding
- Driver hiding and unhiding
- Credential dumping
- Port hiding/unhiding
- Script execution
- Initial operations