From cafd93103020a03103d993bec555707866ef45dd Mon Sep 17 00:00:00 2001
From: William Martens <68499986+loneicewolf@users.noreply.github.com>
Date: Thu, 26 Jan 2023 17:31:12 +0100
Subject: [PATCH 1/7] [+] A change which allows for username input
the original, only hides "root". Of course, this can be changed from "root" to "alice" (if the user is alice, for example to **hide the user alice**). But, I wanted to make it a bit more flexible, or a bit more easy to use when compiled. So I add a input feature, where you can at the time of the LKM Insert; specify and pass a username (like, for example "alice"). I got inspiration from [EXEC-LKM](https://github.com/loneicewolf/EXEC_LKM/blob/main/LKM/lkm_exec.c)
---
 3_RootkitTechniques/3.9_hiding_logged_in_users/rootkit.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/3_RootkitTechniques/3.9_hiding_logged_in_users/rootkit.c b/3_RootkitTechniques/3.9_hiding_logged_in_users/rootkit.c
index ffeccdb..29cc4f5 100644
--- a/3_RootkitTechniques/3.9_hiding_logged_in_users/rootkit.c
+++ b/3_RootkitTechniques/3.9_hiding_logged_in_users/rootkit.c
@@ -8,7 +8,12 @@
 #include "utmp.h"
 #include "ftrace_helper.h"
-#define HIDDEN_USER "root"
+/*
+ * The username "root" can be a default
+ * and hard coded value.
+ */
+static char *HIDDEN_USER = "root";
+module_param(HIDDEN_USER, charp, S_IRUGO);
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("TheXcellerator");
From f1ec6072e679ed77f310b4a3a4ff3db165a65502 Mon Sep 17 00:00:00 2001
From: William Martens <68499986+loneicewolf@users.noreply.github.com>
Date: Thu, 26 Jan 2023 17:42:48 +0100
Subject: [PATCH 2/7] [+] Adding reference 'EXEC-LKM'
[+] Adding reference 'EXEC-LKM' link to the References/Further Reading
---
 3_RootkitTechniques/README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/3_RootkitTechniques/README.md b/3_RootkitTechniques/README.md
index 2fae847..6c5a902 100644
--- a/3_RootkitTechniques/README.md
+++ b/3_RootkitTechniques/README.md
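Review bot: In the 3.9_hiding_logged_in_users/rootkit.c hunk of patch 1/7, `module_param(HIDDEN_USER, charp, S_IRUGO);` introduces a load-time parameter with no `MODULE_PARM_DESC`, so `modinfo` lists it without any description; add `MODULE_PARM_DESC(HIDDEN_USER, "utmp user name to hide (default: root)");` directly after the `module_param` line, and the same for `PREFIX` in the 3.4_hiding_directories/rootkit.c hunk of patch 4/7. Turning the `#define` into a `char *` also changes the meaning of any `sizeof(HIDDEN_USER)` (now the size of a pointer) in the hook body, which lies outside this hunk, so the comparison there should be checked to use `strlen()`/`strncmp` against the parameter rather than `sizeof`. The comment above the variable does not say what the variable is for; `/* Name of the utmp user to hide; overridable at load time via HIDDEN_USER=<name> */` states it directly. As a point of style, an all-caps identifier now names a variable rather than a macro, where kernel convention is lowercase, though renaming it would also rename the insmod parameter the README documents.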
@@ -15,3 +15,4 @@ As far as the function hooking goes, it's quite simple. We give a function decla
 * [Diamorphine](https://github.com/m0nad/Diamorphine)
 * [Reptile](https://github.com/f0rb1dd3n/Reptile)
 * [Ftrace](https://github.com/ilammy/ftrace-hook)
+* [EXEC-LKM](https://github.com/loneicewolf/EXEC_LKM)
From b6f7f1ece9f1fd1d75930999b42a4a19a1d04ba5 Mon Sep 17 00:00:00 2001
From: William Martens <68499986+loneicewolf@users.noreply.github.com>
Date: Thu, 26 Jan 2023 17:47:36 +0100
Subject: [PATCH 3/7] Update README.md to match rootkit.c's changes
Update README.md to match rootkit.c's changes to allow username input
---
 3_RootkitTechniques/3.9_hiding_logged_in_users/README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/3_RootkitTechniques/3.9_hiding_logged_in_users/README.md b/3_RootkitTechniques/3.9_hiding_logged_in_users/README.md
index cd3c059..f500dfa 100644
--- a/3_RootkitTechniques/3.9_hiding_logged_in_users/README.md
+++ b/3_RootkitTechniques/3.9_hiding_logged_in_users/README.md
@@ -13,6 +13,7 @@ Also included in this directory is a program called `enum_utmp`. This program wi
 To use:
 * Build with `make`
 * Load with `insmod rootkit.ko`
+ * Alternatively - one may use `insmod rootkit.ko HIDDEN_USER="some_username"` where `"some_username"` is a username to be hidden. By default, it hides the "root" user.
 * In another terminal, spawn a root shell via `sudo screen -S root_login`
 * Back in the non-root user's terminal, run `who` or `finger` and confirm that `root` does NOT appear in the list
 * Unload the module with `rmmod rootkit`
From 5b0265f292c56437bdd37433221c8fba4c789173 Mon Sep 17 00:00:00 2001
From: William Martens <68499986+loneicewolf@users.noreply.github.com>
Date: Thu, 26 Jan 2023 18:01:48 +0100
Subject: [PATCH 4/7] [+] Change which allows for file/folder name input
the original, only hides "boogaloo" files or directories. this can be changed of course but; the short version is I added 2 lines to allow for inputting the `value` of `prefix` at the time of `inserting the lkm`
---
 3_RootkitTechniques/3.4_hiding_directories/rootkit.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/3_RootkitTechniques/3.4_hiding_directories/rootkit.c b/3_RootkitTechniques/3.4_hiding_directories/rootkit.c
index 6891129..da517ce 100644
--- a/3_RootkitTechniques/3.4_hiding_directories/rootkit.c
+++ b/3_RootkitTechniques/3.4_hiding_directories/rootkit.c
@@ -8,7 +8,12 @@
 #include "ftrace_helper.h"
-#define PREFIX "boogaloo"
+/*
+ * The PREFIX "boogaloo" can be a default
+ * and hard coded value.
+ */
+static char *PREFIX = "boogaloo";
+module_param(PREFIX, charp, S_IRUGO);
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("TheXcellerator");
From ed6446515d6005e95830bf0d33e2adf8f17cb241 Mon Sep 17 00:00:00 2001
From: William Martens <68499986+loneicewolf@users.noreply.github.com>
Date: Thu, 26 Jan 2023 18:04:03 +0100
Subject: [PATCH 5/7] removed accidental '.'
---
 3_RootkitTechniques/3.9_hiding_logged_in_users/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/3_RootkitTechniques/3.9_hiding_logged_in_users/README.md b/3_RootkitTechniques/3.9_hiding_logged_in_users/README.md
index f500dfa..d2b850c 100644
--- a/3_RootkitTechniques/3.9_hiding_logged_in_users/README.md
+++ b/3_RootkitTechniques/3.9_hiding_logged_in_users/README.md
@@ -13,7 +13,7 @@ Also included in this directory is a program called `enum_utmp`. This program wi
 To use:
 * Build with `make`
 * Load with `insmod rootkit.ko`
- * Alternatively - one may use `insmod rootkit.ko HIDDEN_USER="some_username"` where `"some_username"` is a username to be hidden. By default, it hides the "root" user.
+ * Alternatively - one may use `insmod rootkit.ko HIDDEN_USER="some_username"` where `"some_username"` is a username to be hidden. By default, it hides the "root" user
 * In another terminal, spawn a root shell via `sudo screen -S root_login`
 * Back in the non-root user's terminal, run `who` or `finger` and confirm that `root` does NOT appear in the list
 * Unload the module with `rmmod rootkit`
From 00a4120d9b13bad25db72892ebe7bf49c2138430 Mon Sep 17 00:00:00 2001
From: William Martens <68499986+loneicewolf@users.noreply.github.com>
Date: Thu, 26 Jan 2023 18:05:26 +0100
Subject: [PATCH 6/7] Updated readme to reflect for rootkit.c changes
---
 3_RootkitTechniques/3.4_hiding_directories/README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/3_RootkitTechniques/3.4_hiding_directories/README.md b/3_RootkitTechniques/3.4_hiding_directories/README.md
index e5a9d6b..bee39d0 100644
--- a/3_RootkitTechniques/3.4_hiding_directories/README.md
+++ b/3_RootkitTechniques/3.4_hiding_directories/README.md
@@ -22,6 +22,7 @@ To use:
 * Build with `make`
 * Create a file/directory that starts with the string "boogaloo", e.g. `touch boogaloo`
 * Load with `insmod rootkit.ko`
+ * Alternatively, `insmod rootkit.ko PREFIX="hideme"` would hide files and folders starting with "hideme"
 * List the directory contents of wherever you placed the "boogaloo" file, e.g. `ls`
 * Observe that the "boogaloo" file is missing!
 * Unload with `rmmod rootkit`
From cb6c7ab2282a2d01ba31ee62eb53decab44b3b13 Mon Sep 17 00:00:00 2001
From: William Martens <68499986+loneicewolf@users.noreply.github.com>
Date: Fri, 27 Jan 2023 11:19:22 +0100
Subject: [PATCH 7/7] [-] Removed the EXEC-LKM link in the README
It was meant to only be in the description of the pull, not the actual repo. Not sure why I put it there.
---
 3_RootkitTechniques/README.md | 1 -
 1 file changed, 1 deletion(-)
diff --git a/3_RootkitTechniques/README.md b/3_RootkitTechniques/README.md
index 6c5a902..2fae847 100644
--- a/3_RootkitTechniques/README.md
+++ b/3_RootkitTechniques/README.md
@@ -15,4 +15,3 @@ As far as the function hooking goes, it's quite simple. We give a function decla
 * [Diamorphine](https://github.com/m0nad/Diamorphine)
 * [Reptile](https://github.com/f0rb1dd3n/Reptile)
 * [Ftrace](https://github.com/ilammy/ftrace-hook)
-* [EXEC-LKM](https://github.com/loneicewolf/EXEC_LKM)