[转载]Keyboard Interrupt Hook using I/O APIC

bini

Keyboard Interrupt Hook using I/O APIC(ZT)

9 U, i/ j6 |% U; Y" }Keyboard Interrupt Hook using I/O APIC

By: chpie
; ]4 @( c+ r6 G0 uKeyboard Interrupt Hooking by manipulating the I/O APIC
. E* m# q5 d" Mtested on the winXP, Pentium D Hyper-threading Enabled.
. R9 w5 N7 t7 }
7 z7 K% i: }% B9 f
Summary :: Using the 8259a compatible PIC to be deliver the interrupt
0 X8 C$ z3 \8 b7 l4 S7 j+ M% Gsignal by Delivery mode of the I/O APIC to be the ExtINT,
  m; p3 N9 x% t% n+ t' D: L% Qthe interrupt related by the IRQ 1 able to be not refer
9 s# W" C3 G* {: h& `$ bthe I/O APIC's Redirection Table.
! a7 e& R$ e: f
- It is higher priority of the hooking than the direct
modification of the I/O APIC's vector.
+ S' S& g; \1 K5 l  a( t6 k2 Y- The vector can be hidden on the thread getting the keyboard
/ r* q5 M! H: e' D/ Y* uvector from the I/O APIC.

7 P/ ?# O) U; |/ u. U* UFlow ::

1. IRQ 1 Assert !!!
( h% \- q7 c* H+ G' J6 k2 V( X2. The I/O APIC receives the signal and refers the I/O Redirection table.
3 x6 L8 ?9 W, g# k1 v3. Sending the signal from the destination Local APIC.
+ D. ]6 x" H5 l% `- H- N4 W4. Local APIC pass the signal to the processor for its delivery mode ExtINT
6 U& L4 ?4 o2 X: o0 J3 F) h9 Y/ {& U5. A processor receives the signal.
3 E; h. M& h  y% P  _1 n6. The processor Assert the INTA signal.
7. The I/O APIC acknowledged.
( O3 F* g/ |+ A' \3 x8. The processor Assert the second INTA signal.
9. The I/O APIC delivers the signal to the 8259a compatible PIC
* r9 r' l* f+ j  d0 Gfor ExtINT to its Delivery mode.
5 b( n$ N; r& Y9 W10. 8259a compatible PIC sends 2 bytes after second INTA pulse.
4 ]  [+ V5 E; A4 _, U11. The processor execute 2 bytes sended.
  r. F, T" k" J2 k1 M: U: t& k12. our interrupt handler executed.


8 K: s0 s+ m/ \3 m3 e" M) esourcecode and binary are available on the
: |2 \! H6 R( @" _0 W- l; uhttp://www.rootkit.com/vault/chpie/apic_keyboard.zip