Demon - A Stealthy GPU-based Keylogger Poc.

Demon – A Stealthy GPU-based Keylogger Poc.

GPU-BASED KEYLOGGING is A GPU-assisted malware binary contains code destined to run on different processors. Upon execution, the malware loads the device-specific code on the GPU, allocates a memory area accessible by both the CPU and the GPU, initializes it with any shared data, and schedules the execution of the GPU code. Depending on the design, the flow of control can either switch back and forth between the CPU and the GPU, or separate tasks can run in parallel on both processors.

A major advantage for malware authors is that the majority of current video card manufacturers, representing about 99% of the worldwide graphics cards market share [5], do provide support for GPGPU computations. Consequently, GPU-based malware can have a large infection ratio without being inhibited by unsupported graphics processors. In addition, the execution of GPU code and data transfers between the host and the device do not require any adminis-trator privileges. In other words, depending on its purpose, GPU-assisted malware can run successfully even under user privileges, making it more robust and work with 5 Figure:
1.Temporary and permanent components of the keylogger. Gray denotes bootstrapping operations, while black denotes monitoring functions.

A Stealthy GPU-based Keylogger

A Stealthy GPU-based Keylogger

2.Fields of interest in the USB Request Block (URB) structure.
3.Pseudocode for locating the keyboard buffer. Whenever the condition of the if-statement is true, a potential URB structure of interest has been found. We verify whether a matching structure corresponds to the keyboard device by checking if the content of the transfer_buffer field conforms to the appropriate format, i.e., contains valid keystroke values.
4.CPU utilization of the keylogger for different GPU kernel invocation intervals.
5.Execution times for low-end (GT630) and high-end (GTX480) graphics cards, when extracting credit card numbers (using the regular expressions of Table 1) for different captured data sizes.

Quick Intoduction paper :
Download :  | Clone Url
Source :