Skip to content

FluffyPancakes/Demon

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

41 Commits
demon
demon
 
 
module_scan
module_scan
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
init.sh
init.sh
 
 

Repository files navigation

Quick proof of concept for http://www.cs.columbia.edu/~mikepo/papers/gpukeylogger.eurosec13.pdf

Objective:

  • Undetection. Our jellyfish rootkit utilized a common LD_PRELOAD technique to hide in userland. For Demon we're going with code injection.

Requirements for use:

  • OpenCL drivers/icd's installed
  • AMD or NVIDIA card (although AMDAPPSDK does support intel)
  • linux kernel headers

Details on what this PoC does:

  • CPU kernel module bootstrap to locate keyboard buffer via DMA in usb struct
  • keyboard buffer gets stored in userland file
  • kernel module deletes itself
  • OpenCL stores that keyboard buffer inside gpu and deletes file due to evidence

Our thoughts:

  • We personally feel the use of a kernel module is loud, but in the beginning stages of our research work, we googled around and looked for "theories" on gpu malware documented by *.edu's, and wanted to turn those theories into reality. This was how we interpreted the eurosec 2013 research paper.

Disclaimer:

  • We are not associated with the creators of this paper. We only PoC'd what was described in it, plus a little more.

Heads up:

  • Windows GPU remote access tool (RAT) PoC official release @ /WIN_JELLY
  • Working on PoC for Mac OS X @ /MAC_JELLY

About

GPU keylogger PoC by Team Jellyfish

Resources

Readme

License

GPL-2.0 license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • C 87.1%
  • Makefile 9.5%
  • Shell 3.4%