/Demon

GPU keylogger PoC by Team Jellyfish

Primary LanguageCGNU General Public License v2.0GPL-2.0

Quick proof of concept for http://www.cs.columbia.edu/~mikepo/papers/gpukeylogger.eurosec13.pdf

Objective:

  • Undetection. Our jellyfish rootkit utilized a common LD_PRELOAD technique to hide in userland. For Demon we're going with code injection.

Requirements for use:

  • OpenCL drivers/icd's installed
  • AMD or NVIDIA card (although AMDAPPSDK does support intel)
  • linux kernel headers

Details on what this PoC does:

  • CPU kernel module bootstrap to locate keyboard buffer via DMA in usb struct
  • keyboard buffer gets stored in userland file
  • kernel module deletes itself
  • OpenCL stores that keyboard buffer inside gpu and deletes file due to evidence

Our thoughts:

  • We personally feel the use of a kernel module is loud, but in the beginning stages of our research work, we googled around and looked for "theories" on gpu malware documented by *.edu's, and wanted to turn those theories into reality. This was how we interpreted the eurosec 2013 research paper.

Disclaimer:

  • We are not associated with the creators of this paper. We only PoC'd what was described in it, plus a little more.

Heads up:

  • Windows GPU remote access tool (RAT) PoC official release @ /WIN_JELLY
  • Working on PoC for Mac OS X @ /MAC_JELLY