txtAnbu / Nidhogg

Nidhogg is an all-in-one simple to use rootkit for red teams.

Home Page: https://idov31.github.io/2022/07/14/lord-of-the-ring0-p1.html


Nidhogg


Nidhogg is a multi-functional rootkit for red teams. The goal of Nidhogg is to provide an all-in-one, easy-to-use rootkit with multiple helpful functionalities for red team engagements. It can be integrated with your C2 framework through a single header file with simple usage; you can see an example here.

Nidhogg can work on any version of Windows 10 and Windows 11.

This repository contains a kernel driver with a C++ header to communicate with it.

NOTE: Some functionality might trigger PatchGuard, use it at your own risk!

Current Features

  • Process hiding
  • Process elevation
  • Anti process kill
  • Anti process dumping
  • Bypass pe-sieve
  • Anti file deletion
  • Anti file overwriting
  • Registry keys and values anti deletion
  • Registry keys and values hiding
  • Registry keys and values anti overwriting
  • Querying currently protected processes, files and registry keys & values
  • Arbitrary R/W
  • Function patching
  • Built-in AMSI bypass
  • Built-in ETW patch

Basic Usage

Usage is very simple: include the header and get started.

#include "Nidhogg.hpp"

int main() {
    // ...
    DWORD result = NidhoggProcessProtect(pids);
    // ...
}

Setup

Building

To compile the project, you will need the following tools:

Clone the repository and build the driver.

Driver Testing

To test it in your testing environment, run the following commands from an elevated cmd:

bcdedit /set testsigning on

After rebooting, create a service and run the driver:

sc create nidhogg type= kernel binPath= C:\Path\To\Driver\Nidhogg.sys
sc start nidhogg

Debugging

To debug the driver in your testing environment, run this command from an elevated cmd and reboot your computer:

bcdedit /debug on

After the reboot, you can see the debugging messages in tools such as DebugView.
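The setup steps above leave a machine in a state a defender can check for: test signing and kernel debugging enabled in the boot configuration, and a kernel service whose image is not Microsoft-signed. The following PowerShell script is an added example (not part of the Nidhogg project) that reports those conditions; it assumes it is run from an elevated prompt, since bcdedit needs administrator rights.

```powershell
# Added defender-side check, not part of the Nidhogg project.
# Requires an elevated PowerShell session (bcdedit refuses to enumerate otherwise).

# 1. Boot-configuration flags that the "Driver Testing" and "Debugging" steps set.
#    bcdedit prints e.g. "testsigning             Yes" and "debug                   Yes".
$bcd = bcdedit /enum '{current}' 2>$null
$testSigning = [bool]($bcd -match '^\s*testsigning\s+Yes')
$kernelDebug = [bool]($bcd -match '^\s*debug\s+Yes')

# 2. Every registered kernel-mode service and the signature state of its image.
#    PathName can be "C:\...", "\??\C:\..." or "\SystemRoot\System32\drivers\x.sys".
$drivers = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        $path = $_.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
        $sig = if (Test-Path $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        [pscustomobject]@{
            Name      = $_.Name
            State     = $_.State
            StartMode = $_.StartMode
            Path      = $path
            # SignatureStatus enum: Valid, NotSigned, NotTrusted, HashMismatch, ...
            SigStatus = if ($sig) { $sig.Status.ToString() } else { 'FileMissing' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }

"Test signing enabled : $testSigning"
"Kernel debug enabled : $kernelDebug"

# 3. Triage list: drivers that are unsigned, fail validation (a test-signed driver
#    chains to no trusted root, so it is NotTrusted), or are signed by a non-Microsoft
#    publisher. Legitimate third-party drivers appear here too; review, do not auto-act.
$drivers |
    Where-Object { $_.SigStatus -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' } |
    Sort-Object SigStatus, Name |
    Format-Table Name, State, StartMode, SigStatus, Path -AutoSize
```

A driver registered with `sc create ... type= kernel binPath= C:\Path\To\Driver\Nidhogg.sys` shows up in the third section with a non-`Valid` status and a path outside `System32\drivers`, which is a useful pivot for further review.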

Resources

Contributions

Thanks a lot to those people that contributed to this project:

License: BSD 2-Clause "Simplified" License
