Quick proof of concept for http://www.cs.columbia.edu/~mikepo/papers/gpukeylogger.eurosec13.pdf

Objective:

• Undetection. Our jellyfish rootkit utilized a common LD_PRELOAD technique to hide in userland. For Demon we're going with code injection.

Requirements for use:

• OpenCL drivers/icd's installed
• AMD or NVIDIA card (although AMDAPPSDK does support intel)
• linux kernel headers

Details on what this PoC does:

• CPU kernel module bootstrap to locate keyboard buffer via DMA in usb struct
• keyboard buffer gets stored in userland file
• kernel module deletes itself
• OpenCL stores that keyboard buffer inside gpu and deletes file due to evidence

Our thoughts:

• We personally feel the use of a kernel module is loud, but in the beginning stages of our research work, we googled around and looked for "theories" on gpu malware documented by *.edu's, and wanted to turn those theories into reality. This was how we interpreted the eurosec 2013 research paper.

Disclaimer:

• We are not associated with the creators of this paper. We only PoC'd what was described in it, plus a little more.

Heads up:

• Windows GPU remote access tool (RAT) PoC official release @ /WIN_JELLY
• Working on PoC for Mac OS X @ /MAC_JELLY