[转载]Keyboard Interrupt Hook using I/O APIC

bini

Keyboard Interrupt Hook using I/O APIC(ZT)

4 C$ O5 y! ~/ L) zKeyboard Interrupt Hook using I/O APIC
, x1 ?/ s# c' a, n- u4 m" g5 Y1 f
By: chpie
9 y& v8 U4 S2 q. m3 u7 vKeyboard Interrupt Hooking by manipulating the I/O APIC
$ w: i/ V* |5 N8 wtested on the winXP, Pentium D Hyper-threading Enabled.
' C8 z' I+ y. a# T

Summary :: Using the 8259a compatible PIC to be deliver the interrupt
signal by Delivery mode of the I/O APIC to be the ExtINT,
; D( Q3 T+ ~7 Z4 v( zthe interrupt related by the IRQ 1 able to be not refer
the I/O APIC's Redirection Table.

' f* @$ w# J4 m- It is higher priority of the hooking than the direct
3 r( _* i" Y  V3 t( r" D4 Smodification of the I/O APIC's vector.
- The vector can be hidden on the thread getting the keyboard
% Q% {' \* \1 q9 s$ e' `vector from the I/O APIC.

Flow ::
. T; v4 Z7 {( ^. [
. ^) D: |  r1 m3 g4 j0 v1. IRQ 1 Assert !!!
6 o* E3 t3 F1 e4 g/ t7 Q2. The I/O APIC receives the signal and refers the I/O Redirection table.
3. Sending the signal from the destination Local APIC.
4. Local APIC pass the signal to the processor for its delivery mode ExtINT
" O5 e& A" }) b" Y7 ^$ A5. A processor receives the signal.
) q, p# ^; H# n/ {7 c) P  ?6. The processor Assert the INTA signal.
+ d: G8 v8 S9 q7. The I/O APIC acknowledged.
8. The processor Assert the second INTA signal.
/ N' u8 \! ?% {: L; L5 Q( ^: q) k$ k9. The I/O APIC delivers the signal to the 8259a compatible PIC
for ExtINT to its Delivery mode.
10. 8259a compatible PIC sends 2 bytes after second INTA pulse.
11. The processor execute 2 bytes sended.
12. our interrupt handler executed.

& @: Z, Z0 v# K
sourcecode and binary are available on the
http://www.rootkit.com/vault/chpie/apic_keyboard.zip