Ido Veltzman edited this page Feb 11, 2024 · 4 revisions

PE-Sieve Evasion

PE-Sieve, written by Hasherezade, is a great memory analysis tool often used by DFIR teams to detect suspicious activity and to dump processes for further investigation.

Nidhogg provides the ability to disrupt the tool's operation by trimming the PROCESS_DUP_HANDLE, PROCESS_CREATE_THREAD and PROCESS_VM_OPERATION permissions from the requesting process's handle via the process ObCallback (these permissions were chosen for revocation by reading PE-Sieve's code and understanding its behavior).
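The tell-tale sign of this technique from the DFIR side is a process handle whose open call succeeds but whose granted access mask lacks rights that were requested (a security-descriptor denial would have failed the open outright). The following PowerShell check is an added example, not part of Nidhogg or PE-Sieve; it assumes a Windows host, an elevated session, and a target PID you own (for instance a notepad you started yourself).

```powershell
# Added example: detect silent trimming of a process handle's rights.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class HandleCheck {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
    // Layout of OBJECT_BASIC_INFORMATION (ObjectBasicInformation = 0), 56 bytes.
    [StructLayout(LayoutKind.Sequential)]
    public struct OBJECT_BASIC_INFORMATION {
        public uint Attributes, GrantedAccess, HandleCount, PointerCount;
        public uint PagedPoolCharge, NonPagedPoolCharge, Reserved0, Reserved1, Reserved2;
        public uint NameInfoSize, TypeInfoSize, SecurityDescriptorSize; public long CreationTime;
    }
    [DllImport("ntdll.dll")]
    public static extern int NtQueryObject(IntPtr h, int infoClass,
        ref OBJECT_BASIC_INFORMATION info, int len, out int retLen);
}
"@
# The three rights the wiki says are revoked, plus QUERY_LIMITED_INFORMATION.
$Rights = [ordered]@{ PROCESS_CREATE_THREAD = 0x0002; PROCESS_VM_OPERATION = 0x0008; PROCESS_DUP_HANDLE = 0x0040 }
function Test-StrippedProcessRights {
    param([Parameter(Mandatory)][int]$ProcessId)
    $wanted = 0x1000
    foreach ($v in $Rights.Values) { $wanted = $wanted -bor $v }
    $h = [HandleCheck]::OpenProcess([uint32]$wanted, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        throw "OpenProcess failed: Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        $info = New-Object 'HandleCheck+OBJECT_BASIC_INFORMATION'
        $retLen = 0
        $status = [HandleCheck]::NtQueryObject($h, 0, [ref]$info,
            [Runtime.InteropServices.Marshal]::SizeOf($info), [ref]$retLen)
        if ($status -ne 0) { throw ('NtQueryObject failed: 0x{0:X8}' -f $status) }
        $granted = [uint32]$info.GrantedAccess
        # A requested right that is absent from GrantedAccess was removed after the
        # access check passed, which is exactly what an ObCallback does.
        $missing = @($Rights.GetEnumerator() | Where-Object { ($granted -band $_.Value) -eq 0 } |
                     ForEach-Object { $_.Key })
        [pscustomobject]@{ ProcessId = $ProcessId; GrantedAccess = ('0x{0:X8}' -f $granted)
                           Stripped = $missing; Suspicious = ($missing.Count -gt 0) }
    } finally { [void][HandleCheck]::CloseHandle($h) }
}
```

Run it as `Test-StrippedProcessRights -ProcessId (Start-Process notepad -PassThru).Id`; on a clean host `Stripped` is empty, while a host with this kind of callback active reports the missing rights even though the open itself succeeded.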


Reflective Loading

Nidhogg can be loaded either as a service (via the service manager or a registry key) or reflectively through a vulnerable driver; compatibility with kdmapper specifically was added due to its flexibility and ease of use. Reflective loading allows the driver to be loaded in a more evasive way, but it is not compatible with any feature that requires a callback to run, in order to avoid a PatchGuard crash (while it is possible to bypass PatchGuard and run these callbacks anyway, this is not intended to be implemented in Nidhogg).


NidhoggScript

Nidhogg provides the ability to load and execute several commands in a single IOCTL, using a binary format generated by "NidhoggScript". This feature allows the operator to create playbooks for Nidhogg. For more usage information, see NidhoggScript's wiki page.
