// Windows Kernel Rootkit Masterclass
An all-in-one Windows kernel rootkit for red teams: process hiding via DKOM, file and registry protection through IRP/callback hooking, ETW provider blinding, kernel callback manipulation, and memory scanner evasion. Communicates via IOCTL from a user-mode C++ client. By Idov31.
01: Ring 0 vs ring 3 privilege, why kernel access is the ultimate evasion primitive, driver signing requirements, and Driver Signature Enforcement (DSE).
02 (Beginner): DriverEntry, IRP dispatch routines, IOCTL communication, device objects, symbolic links, and driver loading with sc.exe and kdmapper.
03 (Beginner): EPROCESS and ETHREAD structures, ActiveProcessLinks, Direct Kernel Object Manipulation (DKOM) for process hiding, and PID protection.
04 (Intermediate): IRP_MJ_CREATE hooking for file protection, CmRegisterCallbackEx for registry callbacks, pre/post operation callbacks, and access denial.
05 (Intermediate): ETW architecture internals, GuidEntry manipulation, disabling trace providers from kernel mode, and blinding EDR telemetry sources.
06 (Intermediate): PsSetCreateProcessNotifyRoutine, ObRegisterCallbacks, image load notifications, removing EDR callback registrations from kernel arrays.
07 (Advanced): Defeating pe-sieve, hiding memory regions via VAD manipulation, PTE-level tricks, and preventing user-mode tools from inspecting protected processes.
08 (Advanced): Complete Nidhogg architecture, the NidhoggClient user-mode tool, IOCTL command dispatch table, detection via driver verification, and PatchGuard/KPP.
References:
github.com/Idov31/Nidhogg
idov31.github.io (Lord Of The Ring0 series)
Russinovich, Solomon, Ionescu (Microsoft Press)
github.com/Idov31/Cronos (same author, earlier project)
github.com/TheCruZ/kdmapper (vulnerable driver mapper)
learn.microsoft.com/en-us/windows-hardware/drivers