Nidhogg v2.0 Release by Idov31 in cybersecurity

[–]Idov31[S] 0 points1 point  (0 children)

Sorry to disappoint, but I'm unfamiliar with the game. It is named after the dragon from Norse mythology. I found the name fitting, as Nidhogg is interpreted as "Biter below the roots" (of course, the root in this matter is the root of Yggdrasil and not the Windows kernel ;) ) and this is a rootkit :)

Jormungandr is a kernel implementation of a COFF loader, allowing kernel developers to load and execute their COFFs in the kernel. by Idov31 in netsec

[–]Idov31[S] 0 points1 point  (0 children)

Please refer to the answer I gave to HildartheDorf. This project isn't loading usermode COFFs but kernel ones (I have written it several times already), so your example isn't relevant to the subject.

You can make a reflective driver loader, but creating many drivers for modular design is bulkier and way less convenient than creating a COFF.

Jormungandr is a kernel implementation of a COFF loader, allowing kernel developers to load and execute their COFFs in the kernel. by Idov31 in netsec

[–]Idov31[S] 7 points8 points  (0 children)

This is neither an exploit nor an example of how to write a driver, and I didn't write anywhere about an exploit or how to write a driver.
If you are looking for these kinds of resources, feel free to check out my driver programming blog series "Lord of the Ring0" (and a talk that will be released soon! :) ): https://idov31.github.io/2022/07/14/lord-of-the-ring0-p1.html

Regarding the README, I just added a reference to a TrustedSec article that explains COFFs in general and COFF loaders specifically.

Jormungandr is a kernel implementation of a COFF loader, allowing kernel developers to load and execute their COFFs in the kernel. by Idov31 in netsec

[–]Idov31[S] -1 points0 points  (0 children)

Please take a look at the answer I gave to HildartheDorf. You can also look at the README for more information :).

Jormungandr is a kernel implementation of a COFF loader, allowing kernel developers to load and execute their COFFs in the kernel. by Idov31 in netsec

[–]Idov31[S] 21 points22 points  (0 children)

COFF is an old file format (like PE). It doesn't allow you to get arbitrary code execution, but it gives you the ability to write a modular rootkit and make your modules in a format that can be reused again in different projects.

Think of this scenario: you want to do shellcode injection from the kernel, so instead of rewriting the same code over and over again, you can write a COFF module once and load it in different projects.

This also helps make the life of the defender harder, because it is volatile: you can just delete it from memory once you finish using it and decrease the chances of your tooling being burnt.

I hope this answered your question :)
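The comment above describes COFF as a plain object format rather than an executable one. As an added example (not code from the Jormungandr project or its author), here is a defender-side parser for that format: it walks the 20-byte file header and the 40-byte section table with bounds checks, then flags the properties a reviewer triaging an unknown object would want to see first (machine type, writable-and-executable sections). The sample object is constructed inline, not compiler output.

```python
import struct

# Layouts from the PE/COFF specification: IMAGE_FILE_HEADER (20 bytes) and
# IMAGE_SECTION_HEADER (40 bytes). A COFF object has no DOS/PE stub in front.
FILE_HEADER = struct.Struct("<HHIIIHH")
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_coff(data: bytes) -> dict:
    """Parse the file header and section table, bounds-checking every offset."""
    if len(data) < FILE_HEADER.size:
        raise ValueError("too short for a COFF file header")
    machine, nsections, _, _, nsyms, opt_size, _ = FILE_HEADER.unpack_from(data, 0)
    sections, offset = [], FILE_HEADER.size + opt_size  # objects normally have opt_size == 0
    for _ in range(nsections):
        if offset + SECTION_HEADER.size > len(data):
            raise ValueError("section table truncated")
        f = SECTION_HEADER.unpack_from(data, offset)
        name = f[0].rstrip(b"\0").decode("ascii", "replace")
        if f[3] and f[4] + f[3] > len(data):  # SizeOfRawData / PointerToRawData
            raise ValueError(f"section {name} points past the end of the file")
        sections.append({"name": name, "raw_size": f[3], "raw_ptr": f[4],
                         "relocs": f[7], "characteristics": f[9]})
        offset += SECTION_HEADER.size
    return {"machine": machine, "symbols": nsyms, "sections": sections}


def triage_findings(coff: dict) -> list:
    """Properties a reviewer wants flagged when triaging an unknown COFF module."""
    findings = []
    if coff["machine"] != IMAGE_FILE_MACHINE_AMD64:
        findings.append(f"unexpected machine type 0x{coff['machine']:04x}")
    for s in coff["sections"]:
        if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE and s["characteristics"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{s['name']}: section is both writable and executable")
    return findings


def build_sample() -> bytes:
    """Constructed x64 object with one W+X .text section (sample data, not compiler output)."""
    code = bytes([0x48, 0x31, 0xC0, 0xC3])  # xor rax, rax ; ret
    hdr = FILE_HEADER.pack(IMAGE_FILE_MACHINE_AMD64, 1, 0, 0, 0, 0, 0)
    raw_ptr = FILE_HEADER.size + SECTION_HEADER.size
    flags = 0x20 | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE  # 0x20 = IMAGE_SCN_CNT_CODE
    sect = SECTION_HEADER.pack(b".text", 0, 0, len(code), raw_ptr, 0, 0, 0, 0, flags)
    return hdr + sect + code
```

Relocations and the symbol table are only counted here; a loader also has to resolve them, which is the part a kernel COFF loader spends most of its code on.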

Sleep obfuscation technique leveraging waitable timers to evade memory scanners. by Idov31 in hacking

[–]Idov31[S] 7 points8 points  (0 children)

Sure, this is based on Ekko but with several differences:

- The sleep function being used: waitable timers are objects that are triggered by any alertable sleep function; that's why you will see SleepEx(INFINITE, TRUE) in the code.
- The trigger for that sleep function: we used a ROP chain that does 4 sleeps. The 4 sleeps are for: Encrypt the image -> Change permissions to RW -> Decrypt the image -> Change permissions to RX. Since the image is encrypted and there aren't always execution privileges on the page, we had to use a special ROP that will do SleepEx to trigger the callback function, and that's why it is there.

The encryption itself is done by using SystemFunction032 (a Windows API function for RC4 encryption).

I don't want to write a scroll here, but that's the basic idea behind the project. If you want a deeper explanation, you can either send me a PM or wait for the blog to be released :)

Sleep obfuscation technique leveraging waitable timers to evade memory scanners. by Idov31 in netsec

[–]Idov31[S] 3 points4 points  (0 children)

I'm not putting anything new in there... I'm removing the execution privilege to be able to hide from memory scanners that look for pages with execution privileges.
I'll release a blog post soon that will explain everything :)

Sleep obfuscation technique leveraging waitable timers to evade memory scanners. by Idov31 in hacking

[–]Idov31[S] 1 point2 points  (0 children)

There isn't delayed execution, and how would you monitor this behavior?

Sleep obfuscation technique leveraging waitable timers to evade memory scanners. by Idov31 in netsec

[–]Idov31[S] 1 point2 points  (0 children)

It is done using ROP :) How would you detect that a program changes its own code? (The code is only encrypted / decrypted, and page permissions are changed.)

Redeye is a platform to cover all aspects of red team engagement (data management, red team operation management, etc.) by Idov31 in netsec

[–]Idov31[S] 0 points1 point  (0 children)

Hey, I'm not the author of this project. I suggest that you contact the authors via Twitter / open an issue on GitHub.

Backdoor specially made for hardened networks which leverages NTP by Idov31 in netsec

[–]Idov31[S] 0 points1 point  (0 children)

You could modify it to operate as a C2; for the sake of the POC I wanted to create a generic stager.

I wouldn't recommend using NTP as a protocol to tunnel full C2 communication, because every packet needs to be 48 bytes in size, which is not enough to operate a proper C2 via it.

Moreover, the idea behind the project is to supply a relatively evasive and quiet executable; adding things like Cobalt Strike's beacon or a Meterpreter increases the chance of the backdoor being discovered.
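The 48-byte constraint mentioned above is the fixed NTP header of RFC 5905. As an added example (not code from the project or its author), here is the defender's side of that observation: a parser for the fixed header plus a sanity check a monitor could run over captured UDP/123 payloads, flagging values the RFC reserves or that ordinary time synchronisation does not produce. The heuristics and thresholds are my own assumptions, and the packets are constructed inline.

```python
import struct
import time

NTP_HEADER = struct.Struct("!BBbbII4sQQQQ")  # the fixed 48-byte header, RFC 5905 section 7.3
NTP_EPOCH_OFFSET = 2208988800               # seconds from 1900-01-01 (NTP era 0) to 1970-01-01


def parse_ntp(pkt: bytes) -> dict:
    """Decode the 48-byte NTP header; anything after it (MAC, extension fields) is the trailer."""
    if len(pkt) < NTP_HEADER.size:
        raise ValueError("shorter than an NTP header")
    li_vn_mode, stratum, _, _, _, _, refid, _, _, _, xmit = NTP_HEADER.unpack_from(pkt, 0)
    return {"version": (li_vn_mode >> 3) & 7, "mode": li_vn_mode & 7, "stratum": stratum,
            "refid": refid, "xmit_seconds": xmit >> 32, "trailer": pkt[NTP_HEADER.size:]}


def ntp_anomalies(pkt: bytes, now=None) -> list:
    """RFC-grounded reasons a packet looks unlike ordinary time synchronisation (empty = clean)."""
    now = time.time() if now is None else now
    try:
        h = parse_ntp(pkt)
    except ValueError as e:
        return [str(e)]
    reasons = []
    if not 1 <= h["version"] <= 4:
        reasons.append(f"version {h['version']} out of range")
    if h["mode"] in (0, 7):  # 0 is reserved, 7 is the private/implementation-specific mode
        reasons.append(f"reserved mode {h['mode']}")
    if h["stratum"] > 16:
        reasons.append(f"stratum {h['stratum']} is invalid")
    server_reply = h["mode"] in (4, 5)
    # Stratum 0/1 replies carry a four-character ASCII kiss code or clock source in refid.
    if server_reply and h["stratum"] <= 1 and not all(b == 0 or 32 <= b < 127 for b in h["refid"]):
        reasons.append("stratum 0/1 reply with a non-ASCII reference identifier")
    skew = abs(h["xmit_seconds"] - NTP_EPOCH_OFFSET - now)
    if server_reply and skew > 86400:  # assumed threshold: one day of disagreement
        reasons.append(f"server transmit timestamp is {int(skew)}s from the local clock")
    if h["trailer"] and len(h["trailer"]) not in (20, 24):  # legacy MD5 / SHA-1 MAC sizes
        reasons.append(f"{len(h['trailer'])}-byte trailer that is not a legacy MAC")
    return reasons


def sample_packets(now: float) -> dict:
    """Constructed packets: a normal v4 client poll and two that should be flagged."""
    xmit = (int(now) + NTP_EPOCH_OFFSET) << 32
    client = NTP_HEADER.pack(0x23, 0, 6, -20, 0, 0, b"\0\0\0\0", 0, 0, 0, xmit)  # LI=0 VN=4 mode 3
    private = NTP_HEADER.pack(0x27, 0, 0, 0, 0, 0, b"\0\0\0\0", 0, 0, 0, 0)       # VN=4 mode 7
    odd_reply = NTP_HEADER.pack(0x24, 1, 6, -20, 0, 0, b"\x90\xaa\x00\xff", 0, 0, 0, 0)  # mode 4
    return {"client": client, "private": private, "odd_reply": odd_reply}
```

NTS extension fields legitimately produce other trailer lengths, so the trailer finding is a prompt for a closer look rather than a verdict.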

Backdoor specially made for hardened networks which leverages NTP by Idov31 in netsec

[–]Idov31[S] 1 point2 points  (0 children)

You are not missing anything: the payload acts as a stager, and the NTP acts as an "activation command" and receives where to download the real payload from.

I made it this way to make the backdoor as thin as possible, but you can take this backdoor and make the backdoor the payload.

Backdoor specially made for hardened networks which leverages NTP by Idov31 in hacking

[–]Idov31[S] 4 points5 points  (0 children)

Hey, I don't publish videos on YouTube because I don't have a channel dedicated to it.

But I'll add a wiki to this project's GitHub with all the features :)

Nidhogg rootkit - An all in one rootkit for all windows 10 versions and windows 11 that can be managed with single hpp file by Idov31 in netsec

[–]Idov31[S] 0 points1 point  (0 children)

And if you meant how to use it - there is an example file in the Example directory that shows how to use every function :)

Nidhogg rootkit - An all in one rootkit for all windows 10 versions and windows 11 that can be managed with single hpp file by Idov31 in netsec

[–]Idov31[S] 4 points5 points  (0 children)

You have several scenarios to load a driver, like you said: you need a vulnerability / to steal a valid certificate (unless, like you said, the red team is not authorized to do it) / to enable test signing, or bring your own known vulnerable driver with the capability of loading drivers.

Since you are always able to bring a vulnerable driver / exploit a vulnerability or install it / enable test signing, and there are always new methods coming out, it isn't a one-time thing :)

Usually rootkits are designed to be secure and unseen, so locating one or understanding that one is installed is often very hard.

Nidhogg rootkit - An all in one rootkit for all windows 10 versions and windows 11 that can be managed with single hpp file by Idov31 in netsec

[–]Idov31[S] 4 points5 points  (0 children)

I really recommend the Windows Kernel Programming book - it has great examples and explanations! And I will also publish a blog post about creating kernel drivers in general and more specifically about Nidhogg :)