Ido Veltzman edited this page Jan 12, 2024 · 2 revisions

Welcome to the Nidhogg wiki!


This wiki was created to document Nidhogg and help people use it properly, explaining each and every feature for easier usage.

Nidhogg in a nutshell

Nidhogg is a multi-functional rootkit that contains 24 different features. Each feature provides a different capability to hide and protect your agent, tamper with security products, and give powerful complementary persistence for your existing frameworks.

Architecture

Nidhogg was built primarily to give inspiration to others, but over the years it grew bigger and its interface changed several times. Nidhogg contains all of its features in one driver, which is communicated with over IOCTLs, just as implemented in the given client. The features can be divided into three categories:

  • Continuous Operation: A feature that runs consistently in the background (for example: object / registry callbacks).
  • Semi-Continuous Operation: A feature that isn't running when the driver is loaded, but once "triggered" (the user sent a certain request) it keeps running until it is stopped on driver unloading or canceled by the user (for example: IRP hooking).
  • Immediate Operation: An operation that has a short lifespan and returns an immediate response (for example: disabling ETWTI).