Idov31/Nidhogg: Versions

Nidhogg is an all-in-one, simple-to-use rootkit.

v1.0

3 months ago

New features:

  • Driver hiding / unhiding

  • Module hiding

  • Port hiding / unhiding

  • Query hidden ports

  • Thread unhiding

  • Credential Dumping

  • NidhoggScript Execution

  • Initial Operations (as requested in #34)

Improvements:

  • Refactored the driver-side code for readability and simplicity, and fixed bugs along the way.
  • Refactored the client-side code for readability and simplicity, and fixed bugs along the way.
  • Reduced the number of IOCTLs.
  • Added automatic allocation / deallocation.
  • Fixed memory leaks.

Misc

  • New logo
  • New wiki
  • Prints can now be turned on / off with a single #define

v0.4

1 year ago

Version 0.4 Release

New features:

  • DLL Injection

    • Via APC
    • Via NtCreateThread
  • Shellcode Injection

    • Via APC
    • Via NtCreateThread
  • Unregistering and restoring callbacks

    • ObCallbacks
    • PsSetCreateProcessNotifyRoutine
    • PsSetCreateThreadNotifyRoutine
    • Image load callbacks
    • Registry callbacks
  • ETW-TI (ETW Threat Intelligence provider) tampering (disable and enable)

Improvements

  • Fixed kdmapper compatibility issues
  • Added validation when resolving SSDT functions
  • Added a length check for registry objects
  • Increased overall stability

Misc

  • Added a CMake build for the client
  • Made the driver code more efficient

v0.3

1 year ago

Version 0.3 Release

New features:

  • The driver can be reflectively loaded with kdmapper
  • PP/PPL (Protected Process / Protected Process Light) management
  • Thread protection
  • Thread hiding
  • New method for file protection (IRP hooking)

Improvements

  • Replaced MmIsAddressValid with an address-range check for memory validation (MmIsAddressValid is unreliable: its result can be stale by the time the address is actually accessed)
  • Added locks before accessing EPROCESS/ETHREAD structures
  • Increased overall stability
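
The v0.3 note above replaces MmIsAddressValid with an address-range check. As an added illustration (this is not Nidhogg's code), here is one way such a check can be written in C: a naive bounds test beside an overflow-safe one, and a small gate that only permits kernel reads landing inside a known module image. The x64 boundary constants and the module table are constructed so the example builds and runs in user mode; a driver would take them from MmSystemRangeStart / MmHighestUserAddress and the loaded-module list instead.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Conventional Windows x64 address-space boundaries, hard-coded here so the
 * example compiles in user mode (assumption for this stand-alone build). */
#define KERNEL_RANGE_START  0xFFFF800000000000ULL
#define HIGHEST_USER_ADDR   0x00007FFFFFFEFFFFULL

/* The naive form: addr + len is computed in modular arithmetic, so a huge len
 * wraps past zero and slips under base + size. Shown only as the "before". */
bool naive_range_check(uint64_t base, uint64_t size, uint64_t addr, uint64_t len)
{
    return addr >= base && addr + len <= base + size;
}

/* Overflow-safe check: true only if [addr, addr+len) lies entirely within
 * [base, base+size). Zero-length accesses and any wraparound are rejected.
 * Inclusive end addresses are used so a region ending at UINT64_MAX is legal. */
bool range_contains(uint64_t base, uint64_t size, uint64_t addr, uint64_t len)
{
    if (size == 0 || len == 0)
        return false;
    /* a + n - 1 <= UINT64_MAX  <=>  n - 1 <= UINT64_MAX - a, checked without overflow */
    if (size - 1 > UINT64_MAX - base)
        return false;
    if (len - 1 > UINT64_MAX - addr)
        return false;
    uint64_t region_last = base + size - 1;
    uint64_t access_last = addr + len - 1;
    return addr >= base && access_last <= region_last;
}

bool is_kernel_address(uint64_t addr) { return addr >= KERNEL_RANGE_START; }
bool is_user_address(uint64_t addr)   { return addr <= HIGHEST_USER_ADDR; }

/* Image bounds of a loaded kernel module, as a driver would obtain them from
 * the loaded-module list. */
typedef struct {
    uint64_t base;
    uint64_t size;
} module_range_t;

/* Constructed sample table: two hypothetical images with a gap between them. */
static const module_range_t sample_modules[] = {
    { 0xFFFFF80000000000ULL, 0x1000  },
    { 0xFFFFF80000100000ULL, 0x20000 },
};

/* Gate for a kernel read: the source must be a kernel address AND fall inside
 * one known image. A kernel address in the gap between images is refused. */
bool kernel_read_allowed(const module_range_t *mods, size_t count,
                         uint64_t addr, uint64_t len)
{
    if (!is_kernel_address(addr))
        return false;                      /* never read through a user pointer */
    for (size_t i = 0; i < count; i++)
        if (range_contains(mods[i].base, mods[i].size, addr, len))
            return true;
    return false;
}

bool sample_read_allowed(uint64_t addr, uint64_t len)
{
    return kernel_read_allowed(sample_modules,
                               sizeof sample_modules / sizeof sample_modules[0],
                               addr, len);
}

int main(void)
{
    uint64_t base = 0xFFFFF80000000000ULL, size = 0x1000, addr = base + 0x10;
    /* Length chosen so addr + len wraps to 0x100 */
    uint64_t wrap_len = (uint64_t)0 - addr + 0x100ULL;

    printf("naive  (wrapping len): %d\n", naive_range_check(base, size, addr, wrap_len));
    printf("safe   (wrapping len): %d\n", range_contains(base, size, addr, wrap_len));
    printf("read in module:        %d\n", sample_read_allowed(0xFFFFF80000100800ULL, 0x100));
    printf("read in gap:           %d\n", sample_read_allowed(0xFFFFF80000001000ULL, 0x10));
    printf("read via user ptr:     %d\n", sample_read_allowed(0x00007FF6C0000000ULL, 0x10));
    return 0;
}
```

The two things worth keeping from this: compute the end of an access in a form that cannot wrap, and treat "is a kernel address" and "is inside something I am allowed to touch" as separate questions, since a pointer that merely sits above MmSystemRangeStart may still point at unmapped or paged-out memory.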

Misc

  • Reworked the client code to use namespaces
  • Made both the driver and client code more efficient

v0.2

1 year ago

Version 0.2 Release

New features:

  • Function patching
  • Built-in AMSI & ETW bypass
  • Arbitrary R/W from the kernel

Improvements

  • Added documentation for every function
  • Added support for running with partial functionality
  • Increased overall stability

Misc

  • Prettified and organized code.

v0.1

1 year ago

Version 0.1 Release

New features:

  • Anti registry key & value deletion
  • Registry key & value hiding
  • Anti registry value overwriting
  • Ability to query protected processes / files / registry keys & values

Improvements

  • Fixed ObUnregisterCallbacks BSOD
  • Fixed UAC BSOD (KERNEL_SECURITY_CHECK_FAILURE)
  • Increased overall stability

Misc

  • Prettified and organized code.

Beta

1 year ago

Beta Release

New features:

  • Anti file deletion
  • Anti file overwriting

Improvements:

  • Fixed the .hpp header file
  • Fixed the example

Misc

  • Added YARA rule

Alpha

1 year ago

Alpha Release

Contains the basic capabilities:

  • Anti process killing
  • Anti process dumping
  • PE-sieve bypass
  • Process elevation
  • Process hiding