[转载]Keyboard Interrupt Hook using I/O APIC

bini

Keyboard Interrupt Hook using I/O APIC(ZT)
  n5 {7 a9 Q8 c+ ~
. R4 ?' \; i: u9 }. S, J' V8 p8 Q# LKeyboard Interrupt Hook using I/O APIC
  T7 G! c3 ~( h; [- E: d/ J9 L- P
By: chpie
3 P# [  k3 \4 Y$ `" l; e; C, d' C" nKeyboard Interrupt Hooking by manipulating the I/O APIC
tested on the winXP, Pentium D Hyper-threading Enabled.

" `5 K4 ?3 E" S7 S3 T
Summary :: Using the 8259a compatible PIC to be deliver the interrupt
signal by Delivery mode of the I/O APIC to be the ExtINT,
the interrupt related by the IRQ 1 able to be not refer
the I/O APIC's Redirection Table.
" J3 m, `( c4 a* ?
- It is higher priority of the hooking than the direct
modification of the I/O APIC's vector.
8 k1 d$ h3 G2 G! C4 S1 A- The vector can be hidden on the thread getting the keyboard
" f& }, r1 }( q- p$ k) w: Pvector from the I/O APIC.
( ]! s; s6 _- b2 B% i8 b
Flow ::

* k7 }* Z+ V9 u9 z- e) M1. IRQ 1 Assert !!!
2. The I/O APIC receives the signal and refers the I/O Redirection table.
1 y3 w+ N' v4 `, w& g3. Sending the signal from the destination Local APIC.
  D. B, E& y8 Y4. Local APIC pass the signal to the processor for its delivery mode ExtINT
5. A processor receives the signal.
6. The processor Assert the INTA signal.
7. The I/O APIC acknowledged.
: P. G- I) X4 N: e8. The processor Assert the second INTA signal.
5 ]9 ^) g: ]3 x6 d9. The I/O APIC delivers the signal to the 8259a compatible PIC
for ExtINT to its Delivery mode.
10. 8259a compatible PIC sends 2 bytes after second INTA pulse.
11. The processor execute 2 bytes sended.
- R+ l4 B3 H" O  ^* f12. our interrupt handler executed.

3 v  B, F7 N6 T* {3 V' R
sourcecode and binary are available on the
/ b! q2 J6 P; o# x) Zhttp://www.rootkit.com/vault/chpie/apic_keyboard.zip