Cyber security

Jormungandr – Unveiling The Kernel Power Of COFF Loading

Jormungandr is a kernel implementation of a COFF loader, allowing kernel developers to load and execute their COFFs in the kernel.

The only supported type of COFF is an x64 kernel COFF (meaning a COFF that uses functions from either NTOSKRNL or SSDT).

This project is not supported to run with VBS enabled because it is using pools with execute permissions but this project should work for any version of Windows starting from Windows 7.

If you are unfamiliar with COFF and COFF loading, please refer to TrustedSec’s blog post about COFF loaders.

Basic Usage

To communicate with the driver, you can use and compile the example file with CMake. This is an example of the most basic usage:

int main() {
    HANDLE hDrv = CreateFile(DRIVER_NAME, GENERIC_WRITE | GENERIC_READ, 0, nullptr, OPEN_EXISTING, 0, nullptr);

    // ...

    BOOL result = WriteFile(hDrv, &data, sizeof(data), &bytesWritten, NULL);

    // ...
}

To run and execute the existing example, all you have to do is create your own COFF or use the example:

JormungandrExample.exe example.out

Writing kernel COFFs

To write a kernel COFF, create a new C file and import the functions you want as follows:

DECLSPEC_IMPORT <FUNCTION_RETURN_TYPE> __cdecl <LIBRARY>$<FUNCTION_NAME>(<PARAMETERS>);

Replace the <FUNCTION_RETURN_TYPE> with the return type of the function you want, the <LIBRARY> can be either ntoskrnl or ntdll the rest is the signature of the function. After the function is imported, you can use it the way you are used to writing code.

To build the COFF, use the following command:

x86_64-w64-mingw32-gcc -c example.c -o example.out

Setup

Building the client

To compile the client, you will need to install CMake and Visual Studio 2022 installed and then just run:

cd <JORMUNGANDR PROJECT DIRECTORY>/Example
mkdir build
cd build
cmake ..
cmake --build .

Building the driver

To compile the project, you will need the following tools:

Clone the repository and build the driver.

Testing

To test it in your testing environment run those commands with elevated cmd:

bcdedit /set testsigning on

After rebooting, create a service and run the driver:

sc create nidhogg type= kernel binPath= C:\Path\To\Driver\Nidhogg.sys
sc start nidhogg

Debugging

To debug the driver in your testing environment run this command with elevated cmd and reboot your computer:

bcdedit /debug on

After the reboot, you can see the debugging messages in tools such as DebugView.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

WhatsMyName App – Find Anyone Across 640+ Platforms

Overview WhatsMyName is a free, community-driven OSINT tool designed to identify where a username exists…

5 days ago

Analyzing Directory Size Linux Tools Explained

Managing disk usage is a crucial task for Linux users and administrators alike. Understanding which…

5 days ago

Understanding Disk Usage with du Command

Efficient disk space management is vital in Linux, especially for system administrators who manage servers…

5 days ago

How to Check Directory Size in Linux

Knowing how to check directory sizes in Linux is essential for managing disk space and…

5 days ago

Essential Commands for Linux User Listing

Managing user accounts is a core responsibility for any Linux administrator. Whether you’re securing a…

5 days ago

Command-Line Techniques for Listing Linux Users

Linux offers powerful command-line tools for system administrators to view and manage user accounts. Knowing…

6 days ago