[转载]Keyboard Interrupt Hook using I/O APIC

bini

Keyboard Interrupt Hook using I/O APIC(ZT)
8 r$ H& Z' _8 J+ @( _
Keyboard Interrupt Hook using I/O APIC

7 z; p: ]: c/ q% l( V3 _By: chpie
. O1 g! k: p7 n- @$ |4 K) lKeyboard Interrupt Hooking by manipulating the I/O APIC
9 N! g8 g6 g; h6 W2 S0 ktested on the winXP, Pentium D Hyper-threading Enabled.


8 }' k5 u9 ?) j# LSummary :: Using the 8259a compatible PIC to be deliver the interrupt
3 X) h5 f* v0 S+ asignal by Delivery mode of the I/O APIC to be the ExtINT,
the interrupt related by the IRQ 1 able to be not refer
the I/O APIC's Redirection Table.
" A, g: Y4 \# s8 z* r( t
& z+ b" b( e5 |( O1 ~3 j2 B- It is higher priority of the hooking than the direct
0 w! z3 J# g+ J2 C# E8 ?modification of the I/O APIC's vector.
- The vector can be hidden on the thread getting the keyboard
, s9 z( X5 D4 [0 T; vvector from the I/O APIC.
: D3 j5 `& G2 z5 |& M5 W
5 K- o- r* {2 D& v- K3 `Flow ::
# f" S9 c1 @' ^7 z8 V
  ?/ ?) N4 W( b+ k1 l2 W$ D4 a1. IRQ 1 Assert !!!
  i5 d7 e9 h) [4 o2. The I/O APIC receives the signal and refers the I/O Redirection table.
3. Sending the signal from the destination Local APIC.
4. Local APIC pass the signal to the processor for its delivery mode ExtINT
5. A processor receives the signal.
! f6 j2 ?4 k8 G. Y* f6. The processor Assert the INTA signal.
! Z) h$ b- F$ ?) ^/ }7. The I/O APIC acknowledged.
8. The processor Assert the second INTA signal.
- |1 _' O3 k% m( r9. The I/O APIC delivers the signal to the 8259a compatible PIC
$ ?7 n7 [# L5 t- J3 v0 y0 s: Ufor ExtINT to its Delivery mode.
* Q* t8 `2 P  X6 Z4 J' F10. 8259a compatible PIC sends 2 bytes after second INTA pulse.
+ P' z: l$ V% F+ i0 e$ b! ?, `) p11. The processor execute 2 bytes sended.
12. our interrupt handler executed.
! [. b8 H1 ~! e( B" ^- Q# ~$ Z5 \+ W

sourcecode and binary are available on the
http://www.rootkit.com/vault/chpie/apic_keyboard.zip