[转载]Keyboard Interrupt Hook using I/O APIC

bini

Keyboard Interrupt Hook using I/O APIC(ZT)
. R, @9 @7 A6 [( m: x
+ C& U2 j, S& c4 _Keyboard Interrupt Hook using I/O APIC
, T( q$ N3 Z) i% Z3 N3 V9 U' p% @" D
By: chpie
  k/ G6 s6 i8 x* r, q! J& \8 {Keyboard Interrupt Hooking by manipulating the I/O APIC
0 r. I  f  h$ {tested on the winXP, Pentium D Hyper-threading Enabled.
' G% q. C2 {- U: Z3 T" O) h

Summary :: Using the 8259a compatible PIC to be deliver the interrupt
signal by Delivery mode of the I/O APIC to be the ExtINT,
the interrupt related by the IRQ 1 able to be not refer
2 A3 H% h! u; P% }) v# P. v' Cthe I/O APIC's Redirection Table.
% W  k" x1 n1 Z8 L9 |  H& t- \
- It is higher priority of the hooking than the direct
modification of the I/O APIC's vector.
% y- S: o; `- d3 c! E8 w5 H- The vector can be hidden on the thread getting the keyboard
% c5 O# |: X/ ~+ S2 avector from the I/O APIC.

# u8 z' g( ]3 e/ n) Z6 T2 B* ]Flow ::
( @- c) o$ K7 r$ D
1 Q/ O! V9 c( ~3 S+ [1. IRQ 1 Assert !!!
2. The I/O APIC receives the signal and refers the I/O Redirection table.
3. Sending the signal from the destination Local APIC.
4. Local APIC pass the signal to the processor for its delivery mode ExtINT
: J( l' k# ~7 @. Y1 l6 c8 o! c5. A processor receives the signal.
6. The processor Assert the INTA signal.
7. The I/O APIC acknowledged.
8. The processor Assert the second INTA signal.
5 O7 U- s, m* X' b( \0 h; N9. The I/O APIC delivers the signal to the 8259a compatible PIC
$ C( e& G) P1 j: a! B- T6 e; `/ wfor ExtINT to its Delivery mode.
10. 8259a compatible PIC sends 2 bytes after second INTA pulse.
6 N7 R& [" e9 o* f1 ]11. The processor execute 2 bytes sended.
12. our interrupt handler executed.
% P- T7 i) ~9 |5 K
2 m7 H) @! A5 ^1 I. G
+ l( c. s& x4 J. R+ `7 Qsourcecode and binary are available on the
http://www.rootkit.com/vault/chpie/apic_keyboard.zip