Nidhogg

Nidhogg is a multi-functional rootkit for red teams. The goal of Nidhogg is to provide an all-in-one and easy to use rootkit with multiple helpful functionalities for red team engagements that can be integrated with your own C2 framework via single header file with simple usage, you can see an example here.

Nidhogg can work on any version of Windows 10 and Windows 11.

This repository contains a kernel driver with C++ header to communicate with it.

NOTE: Some functionality might trigger PatchGuard, use it on your own risk!

Current Features

• Process hiding
• Process elevation
• Anti process kill
• Anti process dumping
• Bypass pe-sieve
• Anti file deletion
• Anti file overwritting
• Registry keys and values anti deletion
• Registry keys and values hiding
• Registry keys and values anti overwritting
• Querying currently protected processes, files and registry keys & values

Basic Usage

It has a very simple usage, just include the header and get started!

#include "Nidhogg.hpp"

int main() {
    // ...
    DWORD result = NidhoggProcessProtect(pids);
    // ...
}

Setup

Building

To compile the project, you will need the following tools:

• Visual Studio 2019
• Windows Driver Kit

Clone the repository and build the driver.

Driver Testing

To test it in your testing environment run those commands with elevated cmd:

bcdedit /set testsigning on

After rebooting, create a service and run the driver:

sc create nidhogg type= kernel binPath= C:\Path\To\Driver\Nidhogg.sys
sc start nidhogg

Resources

• Windows Kernel Programming Book
• Kernel Structure Documentation
• Process Hiding
• Process Elevation
• Registry Keys Hiding

Contributions

I'll happily accept contribution, make a pull request and I will review it!