Initial commit

Author: franckferman

.github/workflows/ci.yml

@@ -0,0 +1,54 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  build:
+    name: Build & Test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@stable
+      - run: cargo build --release
+      - run: cargo test
+      - name: Verify binary
+        run: ./target/release/hidemylogs --version
+
+  release:
+    name: Release binaries
+    runs-on: ubuntu-latest
+    needs: build
+    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+    strategy:
+      matrix:
+        include:
+          - target: x86_64-unknown-linux-gnu
+            name: hidemylogs-linux-x86_64
+          - target: x86_64-unknown-linux-musl
+            name: hidemylogs-linux-x86_64-musl
+          - target: aarch64-unknown-linux-gnu
+            name: hidemylogs-linux-aarch64
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@stable
+        with:
+          targets: ${{ matrix.target }}
+      - name: Install cross-compilation tools
+        if: matrix.target == 'aarch64-unknown-linux-gnu'
+        run: sudo apt-get update && sudo apt-get install -y gcc-aarch64-linux-gnu
+      - name: Install musl tools
+        if: matrix.target == 'x86_64-unknown-linux-musl'
+        run: sudo apt-get update && sudo apt-get install -y musl-tools
+      - name: Build
+        run: cargo build --release --target ${{ matrix.target }}
+        env:
+          CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER: aarch64-linux-gnu-gcc
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ matrix.name }}
+          path: target/${{ matrix.target }}/release/hidemylogs

.gitignore

@@ -0,0 +1,8 @@
+/target
+Cargo.lock
+*.swp
+*~
+.DS_Store
+Thumbs.db
+.vscode/
+.idea/

Cargo.toml

@@ -0,0 +1,22 @@
+[package]
+name = "hidemylogs"
+version = "1.0.0"
+edition = "2021"
+authors = ["Franck FERMAN <franckferman@users.noreply.github.com>"]
+description = "Surgical *nix log cleaner - selectively erase access records from lastlog, wtmp, btmp, and utmp while preserving file metadata"
+license = "AGPL-3.0"
+repository = "https://github.com/franckferman/hidemylogs"
+keywords = ["security", "forensics", "red-team", "post-exploitation", "logs"]
+categories = ["command-line-utilities"]
+
+[dependencies]
+clap = { version = "4", features = ["derive"] }
+chrono = "0.4"
+colored = "2"
+filetime = "0.2"
+
+[profile.release]
+opt-level = "z"
+lto = true
+strip = true
+panic = "abort"

LICENSE

@@ -0,0 +1,122 @@
+<div align="center">
+
+# hidemylogs
+
+**Surgical \*nix log cleaner** - selectively erase access records from lastlog, wtmp, btmp, and utmp while preserving file metadata.
+
+![](https://img.shields.io/badge/Language-Rust-CE422B?style=flat-square&logo=rust&logoColor=white)
+![](https://img.shields.io/badge/Dependencies-3-green?style=flat-square)
+![](https://img.shields.io/badge/Binary-602_KB-blue?style=flat-square)
+![](https://img.shields.io/badge/License-AGPL--3.0-blue?style=flat-square)
+
+</div>
+
+---
+
+## Overview
+
+hidemylogs is a modern Rust rewrite of [hidemyass](https://github.com/evilpan/hidemyass) (2016). It removes individual log records from Linux authentication databases without deleting the entire file, preserving file permissions, ownership, and timestamps.
+
+Three subcommands:
+- **`print`** - Read and display records from utmp, wtmp, btmp, and lastlog
+- **`wipe`** - Remove records matching a username or IP filter
+- **`forge`** - Overwrite a lastlog record with a fake timestamp, terminal, and host
+
+All operations support `--dry-run` to preview changes without modifying files.
+
+---
+
+## Build
+
+```bash
+git clone https://github.com/franckferman/hidemylogs.git
+cd hidemylogs
+cargo build --release
+```
+
+Binary: `target/release/hidemylogs` (~600 KB, statically optimized).
+
+---
+
+## Usage
+
+### Print all records
+
+```bash
+# All sources (utmp + wtmp + btmp + lastlog)
+sudo ./hidemylogs print
+
+# Only wtmp and lastlog
+sudo ./hidemylogs print -s wl
+
+# Custom paths
+./hidemylogs print -w /path/to/wtmp -l /path/to/lastlog -s wl
+```
+
+### Wipe by IP
+
+```bash
+# Dry run first
+sudo ./hidemylogs wipe -a 185.220.101.34 --dry-run
+
+# Execute
+sudo ./hidemylogs wipe -a 185.220.101.34
+
+# Wipe only from wtmp and btmp
+sudo ./hidemylogs wipe -a 185.220.101.34 -s wb
+```
+
+### Wipe by username
+
+```bash
+sudo ./hidemylogs wipe -n root --dry-run
+sudo ./hidemylogs wipe -n root
+```
+
+### Forge a lastlog entry
+
+```bash
+# Fake root's last login
+sudo ./hidemylogs forge --uid 0 -t "2026-03-15 09:30:00" --line pts/0 --host 10.0.1.50
+
+# Dry run
+sudo ./hidemylogs forge --uid 0 -t "2026-03-15 09:30:00" --dry-run
+```
+
+---
+
+## Comparison with hidemyass
+
+| Feature | hidemyass (2016) | hidemylogs |
+|---|---|---|
+| Language | C | Rust |
+| Memory safety | Manual | Guaranteed |
+| Subcommands | Flags only | `print`, `wipe`, `forge` |
+| Dry run | No | `--dry-run` on all operations |
+| Source selection | `-uwbl` flags | `-s uwbl` combined flag |
+| Lastlog forge | Timestamp only | Timestamp + terminal + host |
+| File metadata | Preserved | Preserved |
+| Binary size | ~20 KB | ~600 KB |
+
+---
+
+## Defensive context
+
+This tool exists to demonstrate what attackers can do post-exploitation. For defenders:
+
+- **Remote log forwarding** (rsyslog, syslog-ng) is the only reliable defense - logs shipped off-box in real time cannot be retroactively deleted
+- **File integrity monitoring** (AIDE, Tripwire) detects modifications to log files
+- **Cross-source correlation** reveals discrepancies when one source is tampered but not others
+- See [LastLog-Audit](https://github.com/franckferman/LastLog-Audit) for the detection side
+
+---
+
+## Legal Disclaimer
+
+This tool is provided for **authorized security assessments, red team engagements, and educational purposes only**. Unauthorized modification of system logs is illegal. You are solely responsible for your use of this tool.
+
+---
+
+## License
+
+AGPL-3.0. See [LICENSE](LICENSE).

README.md

@@ -0,0 +1,84 @@
+/// Display and formatting utilities.
+
+use colored::Colorize;
+use crate::utmp::UtmpRecord;
+use crate::lastlog::LastlogRecord;
+
+pub fn print_banner() {
+    let banner = r#"
+ _     _     _                       _
+| |__ (_) __| | ___ _ __ ___  _   _| | ___   __ _ ___
+| '_ \| |/ _` |/ _ \ '_ ` _ \| | | | |/ _ \ / _` / __|
+| | | | | (_| |  __/ | | | | | |_| | | (_) | (_| \__ \
+|_| |_|_|\__,_|\___|_| |_| |_|\__, |_|\___/ \__, |___/
+                               |___/         |___/
+"#;
+    println!("{}", banner.red());
+}
+
+pub fn print_utmp_records(records: &[UtmpRecord]) {
+    println!(
+        "{:<16} {:<14} {:<24} {:<22} {:<8} {}",
+        "Username".bold(),
+        "Terminal".bold(),
+        "From".bold(),
+        "Timestamp".bold(),
+        "Type".bold(),
+        "PID".bold()
+    );
+    println!("{}", "-".repeat(96));
+
+    for rec in records {
+        if !rec.is_login() {
+            continue;
+        }
+
+        let type_colored = match rec.ut_type() {
+            super::utmp::UT_USER_PROCESS => rec.type_str().green(),
+            super::utmp::UT_DEAD_PROCESS => rec.type_str().dimmed(),
+            _ => rec.type_str().normal(),
+        };
+
+        println!(
+            "{:<16} {:<14} {:<24} {:<22} {:<8} {}",
+            rec.user(),
+            rec.line(),
+            rec.host(),
+            rec.timestamp(),
+            type_colored,
+            rec.pid()
+        );
+    }
+}
+
+pub fn print_lastlog_records(records: &[LastlogRecord]) {
+    println!(
+        "{:<8} {:<14} {:<24} {}",
+        "UID".bold(),
+        "Terminal".bold(),
+        "From".bold(),
+        "Last Login".bold()
+    );
+    println!("{}", "-".repeat(70));
+
+    for rec in records {
+        if rec.is_empty() {
+            continue;
+        }
+        println!(
+            "{:<8} {:<14} {:<24} {}",
+            rec.uid,
+            rec.line(),
+            rec.host(),
+            rec.timestamp_str()
+        );
+    }
+}
+
+pub fn print_wipe_result(count: usize, source: &str) {
+    if count > 0 {
+        println!("{} {} record(s) wiped from {}", "[+]".green(), count, source);
+    } else {
+        println!("{} No matching records found in {}", "[*]".yellow(), source);
+    }
+}

src/display.rs

@@ -0,0 +1,96 @@
+/// lastlog binary record handling.
+///
+/// struct lastlog:
+///   ll_time: u32    (4 bytes)  - timestamp
+///   ll_line: [u8; 32]          - terminal
+///   ll_host: [u8; 256]         - hostname/IP
+///   Total: 292 bytes
+///
+/// Indexed by UID: record for UID N starts at offset N * 292.
+
+use std::fs;
+use std::io::{self, Write, Seek, SeekFrom};
+
+pub const LASTLOG_RECORD_SIZE: usize = 292;
+
+#[derive(Debug, Clone)]
+pub struct LastlogRecord {
+    pub uid: u32,
+    pub raw: [u8; LASTLOG_RECORD_SIZE],
+}
+
+impl LastlogRecord {
+    pub fn timestamp(&self) -> u32 {
+        u32::from_le_bytes([self.raw[0], self.raw[1], self.raw[2], self.raw[3]])
+    }
+
+    pub fn line(&self) -> String {
+        extract_string(&self.raw[4..36])
+    }
+
+    pub fn host(&self) -> String {
+        extract_string(&self.raw[36..292])
+    }
+
+    pub fn timestamp_str(&self) -> String {
+        let ts = self.timestamp() as i64;
+        if ts == 0 {
+            return "never".to_string();
+        }
+        chrono::DateTime::from_timestamp(ts, 0)
+            .map(|dt| dt.format("%Y-%m-%d %H:%M:%S").to_string())
+            .unwrap_or_else(|| format!("{}", ts))
+    }
+
+    pub fn is_empty(&self) -> bool {
+        self.timestamp() == 0
+    }
+
+    /// Zero the entire record (wipe login evidence for this UID).
+    pub fn wipe(&mut self) {
+        for b in &mut self.raw { *b = 0; }
+    }
+
+    /// Overwrite with a fake timestamp, terminal, and host.
+    pub fn forge(&mut self, timestamp: u32, line: &str, host: &str) {
+        self.wipe();
+        let ts_bytes = timestamp.to_le_bytes();
+        self.raw[0..4].copy_from_slice(&ts_bytes);
+
+        let line_bytes = line.as_bytes();
+        let len = line_bytes.len().min(31);
+        self.raw[4..4 + len].copy_from_slice(&line_bytes[..len]);
+
+        let host_bytes = host.as_bytes();
+        let len = host_bytes.len().min(255);
+        self.raw[36..36 + len].copy_from_slice(&host_bytes[..len]);
+    }
+}
+
+fn extract_string(bytes: &[u8]) -> String {
+    let end = bytes.iter().position(|&b| b == 0).unwrap_or(bytes.len());
+    String::from_utf8_lossy(&bytes[..end]).to_string()
+}
+
+/// Read all non-empty lastlog records.
+pub fn read_records(path: &str) -> io::Result<Vec<LastlogRecord>> {
+    let data = fs::read(path)?;
+    let mut records = Vec::new();
+
+    for (uid, chunk) in data.chunks_exact(LASTLOG_RECORD_SIZE).enumerate() {
+        let mut raw = [0u8; LASTLOG_RECORD_SIZE];
+        raw.copy_from_slice(chunk);
+        records.push(LastlogRecord { uid: uid as u32, raw });
+    }
+
+    Ok(records)
+}
+
+/// Write a single record at the correct UID offset.
+pub fn write_record_at_uid(path: &str, uid: u32, record: &LastlogRecord) -> io::Result<()> {
+    let offset = (uid as u64) * (LASTLOG_RECORD_SIZE as u64);
+    let mut file = fs::OpenOptions::new().write(true).open(path)?;
+    file.seek(SeekFrom::Start(offset))?;
+    file.write_all(&record.raw)?;
+    Ok(())
+}