[转载]Keyboard Interrupt Hook using I/O APIC

bini

Keyboard Interrupt Hook using I/O APIC(ZT)

/ w1 q' g4 f3 V. y" |8 Q  |Keyboard Interrupt Hook using I/O APIC

$ E9 O: R5 _; x2 O2 s' u& RBy: chpie
1 e+ M  E% i' I1 R! X/ NKeyboard Interrupt Hooking by manipulating the I/O APIC
+ L/ h& l8 V# U: j; u: ztested on the winXP, Pentium D Hyper-threading Enabled.

. E3 H' p# f& u, C- h+ s5 ]: G/ v& r
# t/ {+ W- p; H7 P) lSummary :: Using the 8259a compatible PIC to be deliver the interrupt
signal by Delivery mode of the I/O APIC to be the ExtINT,
the interrupt related by the IRQ 1 able to be not refer
/ f. ~/ L1 t' I; I* S8 O- U2 L. dthe I/O APIC's Redirection Table.

- It is higher priority of the hooking than the direct
' x" N0 _, Q' bmodification of the I/O APIC's vector.
; D1 F' u: a# ?9 `! X- The vector can be hidden on the thread getting the keyboard
vector from the I/O APIC.

Flow ::

4 I5 W+ F- ^, @5 B+ j1. IRQ 1 Assert !!!
0 L* Y7 k7 H. D8 q: m. R# @8 C0 C$ U2. The I/O APIC receives the signal and refers the I/O Redirection table.
0 l: T1 {* M$ t6 J3. Sending the signal from the destination Local APIC.
4. Local APIC pass the signal to the processor for its delivery mode ExtINT
5. A processor receives the signal.
$ R# z# |- \' F1 c! {" Z: p6. The processor Assert the INTA signal.
7. The I/O APIC acknowledged.
. f8 Z7 [# E! M# a# ]/ O8. The processor Assert the second INTA signal.
9. The I/O APIC delivers the signal to the 8259a compatible PIC
for ExtINT to its Delivery mode.
8 ^( e; w& b+ _* O# x' f10. 8259a compatible PIC sends 2 bytes after second INTA pulse.
11. The processor execute 2 bytes sended.
$ g; D& P5 ~# B4 ^7 m12. our interrupt handler executed.


sourcecode and binary are available on the
9 Q5 H$ F! c, Whttp://www.rootkit.com/vault/chpie/apic_keyboard.zip