Diabl0 Posted November 6, 2017 (edited)

This is a GPU-based keylogger, meaning it resides and functions on the graphics processing unit rather than the CPU. It is capable of doing this by instructing the GPU to carefully monitor, via DMA, the physical page where the keyboard buffer resides; it can thus record all user keystrokes and store them in the memory space of the GPU.

It does not rely on any kernel modifications besides altering the page table, and uses a small code snippet that needs to run just once from kernel context to acquire the physical address of the keyboard buffer. This code is completely standalone, does not require any hooks or other modifications, and is completely removed after it accomplishes its task. The physical address of the keyboard buffer is then used by the GPU to monitor all user keystrokes directly via DMA, under the direction of a user-level controller process.

Requirements for use:
- OpenCL drivers/ICDs installed
- AMD or NVIDIA card (although AMDAPPSDK does support Intel)
- Linux kernel headers

Here is a summary of what this POC does:
1. CPU kernel module bootstrap to locate the keyboard buffer via DMA in the USB struct
2. The keyboard buffer gets stored in a userland file
3. The kernel module deletes itself
4. OpenCL stores that keyboard buffer inside the GPU and deletes the file, since it is evidence

Thanks to Team Jellyfish for this POC... all credit goes to them.

Download:
Link:
Password: level23

Why is it undetectable? The answer is easy... current malware analysis and detection systems are tailored to CPU architectures only, and are therefore ineffective against GPU-based malware.

Edited November 6, 2017 by Diabl0