This is a GPU-based keylogger, meaning it resides and functions on the graphics processing unit rather than the CPU.
It's capable of doing this by instructing the GPU to carefully monitor, via DMA, the physical page where the keyboard buffer resides;
it can thus record all user keystrokes and store them in the memory space of the GPU.
It does not rely on any kernel modifications besides altering the page table, and uses a small code snippet that needs to run just once from kernel context to acquire the physical address of the keyboard buffer.
This code is completely standalone, does not require any hooks or other modifications, and is completely removed after it accomplishes its task.
The physical address of the keyboard buffer is then used by the GPU to monitor all user keystrokes directly via DMA, through the direction of a user-level controller process.
Why is it undetectable?
The answer is easy... Current malware analysis and detection systems are tailored to CPU architectures only, and therefore are ineffective against GPU-based malware.
Requirements for use:
- OpenCL drivers/ICDs installed
- AMD or NVIDIA card (although AMDAPPSDK does support Intel)
- Linux kernel headers
Here is a summary of what this POC does:
- CPU kernel module bootstrap to locate keyboard buffer via DMA in USB struct
- keyboard buffer gets stored in userland file
- kernel module deletes itself
- OpenCL stores that keyboard buffer inside GPU and deletes file due to evidence
Thanks to team Jellyfish for this POC... all credit goes to them.
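Added example for defenders, not part of the original post or the POC: the bootstrap described above still has to load a kernel module on the CPU side, so a module that is loaded and removed again within seconds is a visible trace. The sketch assumes auditd is configured to record the module syscalls and that the removal goes through `delete_module`; the log lines and module names are constructed.

```python
import re
from collections import defaultdict

# x86_64 syscall numbers: init_module=175, finit_module=313, delete_module=176
LOAD, UNLOAD = {"175", "313"}, {"176"}
EVENT = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")

def module_events(lines):
    """Group audit records by event serial; return sorted (time, action, module)."""
    grouped = defaultdict(dict)
    for line in lines:
        m = EVENT.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', body))
        ev = grouped[serial]
        ev["ts"] = float(ts)
        if rtype == "SYSCALL" and fields.get("success") == "yes":
            nr = fields.get("syscall")
            ev["action"] = "load" if nr in LOAD else "unload" if nr in UNLOAD else None
        elif rtype == "KERN_MODULE":
            ev["name"] = fields.get("name", "").strip('"')
    return sorted((e["ts"], e["action"], e.get("name", "?"))
                  for e in grouped.values() if e.get("action"))

def transient_modules(lines, window=120.0):
    """Return (module, seconds_loaded) for modules unloaded within `window` of loading."""
    loaded, hits = {}, []
    for ts, action, name in module_events(lines):
        if action == "load":
            loaded[name] = ts
        elif name in loaded and ts - loaded[name] <= window:
            hits.append((name, round(ts - loaded.pop(name), 3)))
        else:
            loaded.pop(name, None)
    return hits

# Constructed sample records (not taken from a real host).
SAMPLE = [
    'type=SYSCALL msg=audit(1700000000.100:501): arch=c000003e syscall=313 success=yes exit=0 comm="insmod"',
    'type=KERN_MODULE msg=audit(1700000000.100:501): name="example_mod"',
    'type=SYSCALL msg=audit(1700000003.350:502): arch=c000003e syscall=176 success=yes exit=0 comm="rmmod"',
    'type=KERN_MODULE msg=audit(1700000003.350:502): name="example_mod"',
    'type=SYSCALL msg=audit(1700000100.000:503): arch=c000003e syscall=313 success=yes exit=0 comm="modprobe"',
    'type=KERN_MODULE msg=audit(1700000100.000:503): name="usb_storage"',
]

print(transient_modules(SAMPLE))  # [('example_mod', 3.25)]
```

A module that removes itself without calling `delete_module` will not be paired here, but its load record remains in the audit log and can be reviewed against the list of modules currently loaded.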