GPU-based Keylogger Jihwan yoon 131ackcon@gmail.com
Index: Who am I; Keylogger; GPU; GPU-based Keylogging (Locating the keyboard buffer, Capturing keystrokes); Demo
About me
Who am I: Jihwan Yoon (윤지환), CERT-IS reader, BOB 3rd. Interested in system hacking and bug hunting. http://blog.xchgespebp.kr 131ackcon@gmail.com
Who am I: project timeline (figure) 2012.12, 2013.08, 2014.09, 2015.08
2013: paper published (You Can Type, but You Can't Hide: A Stealthy GPU-based Keylogger). 2015: PoC released (GPU rootkit & GPU keylogger).
The released PoC does not run and does not even compile: it is code that only proves the concept and was left half-written (and some parts were presumably never released at all). It is faster to build the keylogger from scratch.
Keylogger
Keylogger: a program that spies on the user's input. It is likely to be detected. 1. Software keylogger: 1) user-level - API (GetAsyncKeyState); 2) kernel-level - SYSCALL, driver functions. 2. Hardware keylogger - BIOS-level, firmware, wireless sniffers, device plugged inline.
GPU
GPU (Graphics Processing Unit): used for 2D handling and 3D graphics rendering, reducing the load on the CPU. Forms: dedicated graphics card, integrated graphics solution, on-board graphics, accelerated processing unit. Graphics/compute APIs: OpenCL, CUDA, DirectX.
CPU vs GPU Architecture (figure: the CPU has control logic, a few ALUs, cache and DRAM; the GPU has many ALUs and DRAM)
GPU based Keylogging
<Requirements> An Nvidia or AMD graphics card (Intel supports AMD's SDK). <Components> Host process -> places the keyboard buffer's address into main memory that it can reach (page table manipulation). GPU -> monitors the keyboard buffer through DMA.
Architecture (figure): components are the controller process, the scanner, the kernel module and the GPU code; labels: monitoring, bootstrap manipulation. Steps: 1. buffer allocation; 2. page scan; 3. page table entry manipulation; 4. start the keylogger. Steps 1 and 2 locate the keyboard buffer; steps 3 and 4 capture keystrokes.
1. Locating the Keyboard buffer. Target: USB keyboard. The keyboard buffer is stored in transfer_buffer, a member of the URB (USB Request Block). An LKM (Loadable Kernel Module) that scans memory to find the keyboard buffer is implemented.
1. Locating the Keyboard buffer. URB (usb request block) in linux/usb.h; the relevant struct urb members are struct usb_device *dev, void *transfer_buffer, dma_addr_t transfer_dma and u32 transfer_buffer_length.
1. Locating the Keyboard buffer. Scan heuristics: USB device structure - on a 0x400 boundary; transfer_dma - on a 0x20 boundary; product field - (USB type: contains "usb" && "keyboard") (wireless type: contains "usb" && "receiver"); transfer_buffer_length - 8 bytes; transfer_buffer - holds the scan code values (null when there is no input).
2. Capturing Keystrokes. Layout of urbp->transfer_buffer: Buffer[0] modifier keys (Shift, Alt, Ctrl); Buffer[1] no special use; Buffer[2] ~ Buffer[5] raw scan codes. Key pressed: the scan code remains in the buffer until the next input occurs. Error state: Buffer[0] ~ [1] are set to 1 and the rest are filled with 0.
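Added example, not part of the slides: a decoder for the 8-byte report layout described above, written so a defender can replay reports captured with usbmon and see exactly what is recoverable from the raw buffer. It follows the USB HID boot-keyboard protocol, which has six key slots at bytes 2..7 (the slides mention Buffer[2]..[5]) and signals rollover with 0x01 in every slot; the sample reports are constructed.

```python
# Constructed example: decode USB HID boot-protocol keyboard reports (8 bytes each),
# the same layout the slides describe for urbp->transfer_buffer.

MODIFIER_BITS = {  # byte 0: one bit per modifier key (HID boot protocol)
    0x01: "LCtrl", 0x02: "LShift", 0x04: "LAlt", 0x08: "LGUI",
    0x10: "RCtrl", 0x20: "RShift", 0x40: "RAlt", 0x80: "RGUI",
}

# HID usage IDs: 0x04..0x1d are 'a'..'z', 0x1e..0x27 are '1'..'9','0'.
USAGE_TO_KEY = {0x04 + i: chr(ord("a") + i) for i in range(26)}
USAGE_TO_KEY.update({0x1E + i: "1234567890"[i] for i in range(10)})
USAGE_TO_KEY.update({0x28: "Enter", 0x2C: "Space"})

ROLLOVER = 0x01  # every key slot == 0x01: too many keys held (error/rollover state)


def decode_report(report):
    """Return (modifiers, keys) for one report, or None for the rollover error state."""
    if len(report) != 8:
        raise ValueError("boot keyboard report must be 8 bytes")
    mods = [name for bit, name in MODIFIER_BITS.items() if report[0] & bit]
    slots = report[2:8]  # byte 1 is reserved; bytes 2..7 are key slots
    if all(s == ROLLOVER for s in slots):
        return None
    keys = [USAGE_TO_KEY.get(s, "0x%02x" % s) for s in slots if s != 0]
    return mods, keys


def keystrokes_from_reports(reports):
    """Turn a sequence of reports into key-press events.

    A held key is repeated in every report until the next change (the
    'remains until the next input' behaviour on the slide), so a press is
    counted only when the key was absent from the previous report."""
    events, previous = [], set()
    for report in reports:
        decoded = decode_report(report)
        if decoded is None:
            previous = set()  # rollover: nothing reliable can be derived
            continue
        mods, keys = decoded
        for key in keys:
            if key not in previous:
                events.append("+".join(mods + [key]))
        previous = set(keys)
    return events
```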
2. Capturing Keystrokes. NVIDIA CUDA shares the same address space as the host controller process that manages the GPU. For the GPU to access the keyboard buffer directly, the buffer must be mapped into the host process's virtual address space, which is made possible by manipulating the controller process's page table. Figure sequence (host processor: virtual -> page table -> physical): allocate a buffer in the controller process; the original page table entry points at the original physical page; modify the page table entry so that the virtual page now points at the physical keyboard buffer; call cudaHostGetDevicePointer(0x40000000, ...) so the GPU obtains a pointer to the page-locked keyboard buffer; 1) monitoring from the GPU, 2) release the memory on the host with munmap() while the GPU keeps its page-locked mapping and communicates with the host.
Demo
blackcon@bk:~$ lspci | grep -i nvidia
01:00.0 VGA compatible controller: NVIDIA Corporation GF108M [GeForce GT 635M] (rev a1)
blackcon@bk:~$ uname -a
Linux bk 3.19.0-15-generic #15-Ubuntu SMP Thu Apr 16 23:32:37 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
blackcon@bk:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 15.04
Release: 15.04
Codename: vivid
To do next: currently a Linux & CUDA combination; make it compatible with AMD as well using OpenCL; build a Windows version too.
REFERENCE
http://blog.alyac.co.kr/319
http://kr.nvidia.com/object/what-is-gpu-computing-kr.html
https://github.com/x0r1
http://www.cs.columbia.edu/~mikepo/papers/gpukeylogger.eurosec13.pdf
https://www.youtube.com/watch?v=0yryc9dw9gw
https://nemoux00.wordpress.com/tag/dma-buf/
http://cinema4dr12.tistory.com/456
https://ko.wikipedia.org/wiki/gpgpu
http://ixbtlabs.com/articles3/video/cuda-1-p1.html
http://liminia.tistory.com/archive/201212
http://m.blog.naver.com/ymkim1959/10109647226
Thank you. Jihwan Yoon 131ackcon@gmail.com