[转载]Keyboard Interrupt Hook using I/O APIC

bini

Keyboard Interrupt Hook using I/O APIC(ZT)

1 L) @; _$ q/ ^: k# LKeyboard Interrupt Hook using I/O APIC

By: chpie
Keyboard Interrupt Hooking by manipulating the I/O APIC
: Q( x  a" p% \8 x# k- n7 [tested on the winXP, Pentium D Hyper-threading Enabled.
5 N! R+ W: D% @* `4 \3 L  x' o

Summary :: Using the 8259a compatible PIC to be deliver the interrupt
3 A: \1 H! a" v! Tsignal by Delivery mode of the I/O APIC to be the ExtINT,
/ Q9 n/ F6 T7 T5 {- ]the interrupt related by the IRQ 1 able to be not refer
the I/O APIC's Redirection Table.

- It is higher priority of the hooking than the direct
* c% o* q  C* K9 A3 ~modification of the I/O APIC's vector.
- The vector can be hidden on the thread getting the keyboard
vector from the I/O APIC.
- b, Y; [8 }! b9 H& u
# t2 c# E( c$ E* p6 H5 d, `Flow ::

1. IRQ 1 Assert !!!
9 _1 V* w) s, K6 {2. The I/O APIC receives the signal and refers the I/O Redirection table.
3. Sending the signal from the destination Local APIC.
% \8 N$ l0 E9 O' e" N4. Local APIC pass the signal to the processor for its delivery mode ExtINT
( B. Y/ G0 r# n2 v# |7 v  D5. A processor receives the signal.
% I. a, U- F( N* M: e6. The processor Assert the INTA signal.
7. The I/O APIC acknowledged.
" p/ A6 X$ |0 g8 i- g" i8. The processor Assert the second INTA signal.
: a+ \" x( y' b  Q  @, C0 e9. The I/O APIC delivers the signal to the 8259a compatible PIC
for ExtINT to its Delivery mode.
1 [7 V$ W) n1 U" V& L10. 8259a compatible PIC sends 2 bytes after second INTA pulse.
11. The processor execute 2 bytes sended.
12. our interrupt handler executed.

& Y) Y4 B) R$ o) B2 S- c0 ~
sourcecode and binary are available on the
http://www.rootkit.com/vault/chpie/apic_keyboard.zip