I'm a security researcher and using this platform to share my projects and research :)
http://github.com/Idov31
GitHub: https://github.com/idov31
Blog: https://idov31.github.io/
Linktree: https://linktr.ee/idov31

After more than a year in the making it is finally out and available here: https://xintra.org/courses/11-windows-kernel-offensive-defensive-reverse-engineering :)
I will always do open source and publish papers, but I've been working for a long time to create a course for people that want structured and in-depth content.

I wanted to create this course to give a guided deep dive into the three main pillars for anyone who practices security: reverse, offense and defense. This is why this course puts emphasis not only on the "what" but also on the "why" and "how", with everything backed by explanations and snippets from the kernel itself.

Another thing that was important to me is that, on top of theoretical and practical knowledge, you will receive practical tools that you can use for your research or daily work - which is why by the end of the course you will have your very own EPP (prevention & EDR) and rootkit with a bunch of cool features ready to use.

I'd also like to thank Xintra, and specifically Lina and Ty, for everything, and the many people who heard my ideas along the way. My DMs are open for any question :)


After a little while (2 years), a new post - along with a new website design - is finally out:
https://idov31.github.io/posts/hypervisor-based-defense.

I wanted to start posting again, and I also wanted to share something that includes technical details about hypervisors, my thoughts on using hypervisors for defensive purposes (how it is done today and what can be done with it), and an estimated roadmap alongside the design choices behind my hypervisor, Nova.

As always, let me know what you think, and feel free to point out any inaccuracies or ask any questions you may have. I would also like to thank Matan Kotick, memN0ps, and Sina Karvandi for helping me with the project, as well as the many researchers whose amazing work in this field continues to push it forward!


After a long time, Nidhogg v2.0 has been released. The project is already four years old and has evolved drastically over the years, which led to inconsistencies and lots of bugs. See the full changes and reasoning here: https://github.com/Idov31/Nidhogg.

First, this version contains much more stable code with backward and forward compatibility, and includes guardrails (e.g., MemoryGuard, IrqlGuard) and other mechanisms that aspire to 0 BSODs no matter what. So far, with the extensive tests I made, it has proven itself. Other than that, the latest version is finally bumped from the old 22H2 to 25H2 (about time), and there are also enhanced pattern matching and management mechanisms.

With this version, the Nidhogg script and initial operations were discontinued due to maintainability and popularity reasons, but I added a new Nidhogg Object File (NOF) capability, which will get a lot of attention in the following versions. Not only did the kernel side enjoy the changes, but there was an almost complete refactor of the client side and a new TUI, as well as tests for every feature.

Now, I think that Nidhogg is in a much better place. Is it completely bulletproof? No, no program is. But it is written better, is more stable and readable, and contains code I will enjoy building more features upon. As always, feel free to message me or submit PRs :)

If you want to show a party trick to your friend, or just leak kernel addresses via admin privileges, you can use this repository: https://github.com/Idov31/EtwLeakKernel

Since it can only leak addresses, and only using administrative privileges, it isn't breaking a security boundary.

However, it might be useful for some people under certain scenarios, or you'll just have a good laugh out of it as I did. Also, bear in mind that admin privileges are required to open the user trace.

Writing it again to make it clear: THIS IS NOT A VULNERABILITY / BREAKING SECURITY BOUNDARY AND WILL NOT BE USEFUL IN 99.9% SCENARIOS.


Instead of creating a new project for each Windows kernel related PoC, I decided to make a massive change to both Nidhogg's client and driver, starting with the client (which looks like this, but still also has a command line option :) ) that will enter the dev branch very soon!

Note: By no means will I abandon NovaHypervisor, but besides completing the first version of it and adding documentation, there are many cool new projects, features and research coming up soon!

Link to the project: https://github.com/idov31/Nidhogg

I'm happy to finally release NovaHypervisor! NovaHypervisor is a defensive hypervisor with the goal of protecting AV/EDR vendors and crucial kernel structures that are currently uncovered by VBS and PatchGuard.

This project was born due to the rise in misuse of known vulnerable drivers (BYOVD) and other kernel-based attacks. The vision for this project is to make an easily configurable open-source hypervisor to defend critical structures and key defense components. This is the very first stage of the project, and it is still lacking many things, from actual configuration and built-in protection for well-known crucial kernel structures to SAL annotations for each function.

With that being said, the project is working and able to protect key components in a user-configurable way (via IOCTLs at the moment), running alongside Hyper-V, logging even at high IRQLs, and built with readability, clarity and future-proofing in mind.

It is a great opportunity to thank the people who helped me during the development of this project, so thanks a lot to Sinaei (https://x.com/Intel80x86) for the amazing Hypervisor From Scratch series and for answering my questions, memn0ps (https://github.com/memN0ps) for answering my questions and providing good resources, and Blake (https://lnkd.in/d8KxJu7B) for motivating me to continue with this project and giving good advice.

As always, feel free to reach out to me for any questions or issues you have regarding this or any of my projects, and feel free to submit PRs and issues :)

https://github.com/Idov31/NovaHypervisor


As you've noticed in the agenda of x33fcon, Nidhogg now has full integration with checkymander's Athena, and it can now be used with Mythic C2 infrastructure.

The API is available here: https://github.com/Idov31/NidhoggCSharpApi

If you want to learn about this and more, make sure to watch my talk :)

I'm pleased to announce that I will be giving my talk "Kernel Games: The ballad of offense & defense" at x33fcon this year. I hope to see you all there 🎉

After a long time, the 6th and final part of Lord Of The Ring0 is here: https://idov31.github.io/posts/lord-of-the-ring0-p6
In this part, the focus is on kernel mode and user mode memory interaction, a look into how attaching to a process works, and writing an AMSI bypass driver.

As I wrote at the end of the post, while it is the end of the series, this is merely the beginning, meant to build the foundations for much greater things, so stay tuned for in-depth research and interesting projects that will be published in the following months.

If you find any inaccuracies or have questions, I encourage you to send me a message on this account or in any other way mentioned here: http://linktr.ee/idov31

P.S: I hope you like the new look of the website ;)


Today, version 1.0 of Nidhogg is released! And with that, besides loads of bug fixes and new features, comes a unique feature that allows the user to create powerful playbooks for Nidhogg with ease :)

Feel free to check it out:
https://github.com/Idov31/NidhoggScript

It has been a great journey, and the reason that this version is named 1.0 and not 0.5 is the amount of changes and improvements this version added.

You can view the release notes here: https://github.com/Idov31/Nidhogg/releases/tag/v1.0

And, like always, a blog post will be released soon.

#infosecurity #CyberSecurity
