July 17
Nidhogg
Nidhogg is a multi-functional rootkit that demonstrates the variety of operations that can be performed from kernel space. The goal of Nidhogg is to provide an all-in-one, easy-to-use rootkit with many useful functions for carrying out those operations.
Process hiding and unhiding
Process elevation
Process protection (anti-kill and dumping)
Bypass pe-sieve
Thread hiding and unhiding
Thread protection (anti-kill)
File protection (anti-deletion and overwriting)
Registry keys and values protection (anti-deletion and overwriting)
Registry keys and values hiding
Querying currently protected processes, threads, files, hidden ports, registry keys and values
Function patching
Built-in AMSI bypass
Built-in ETW patch
Process signature (PP/PPL) modification
Can be reflectively loaded
Shellcode Injection
    APC
    NtCreateThreadEx
DLL Injection
    APC
    NtCreateThreadEx
Querying kernel callbacks
    ObCallbacks
    Process and thread creation routines
    Image loading routines
    Registry callbacks
Removing and restoring kernel callbacks
ETWTI tampering
Module hiding
Driver hiding and unhiding
Credential Dumping
Port hiding/unhiding
Script execution
Initial operations