[转载]Keyboard Interrupt Hook using I/O APIC

bini

Keyboard Interrupt Hook using I/O APIC(ZT)

% C; O% J  @# k8 e. p; h4 o4 WKeyboard Interrupt Hook using I/O APIC
2 J' f# `7 m2 z, w
# ~: S2 w" b& j& G& U5 t  PBy: chpie
Keyboard Interrupt Hooking by manipulating the I/O APIC
! F7 V+ P' `& A2 p% ]- \0 ^3 Btested on the winXP, Pentium D Hyper-threading Enabled.

' x$ L9 B( r, y* M8 J
# X+ m9 I7 I1 ]1 ~6 r( ISummary :: Using the 8259a compatible PIC to be deliver the interrupt
signal by Delivery mode of the I/O APIC to be the ExtINT,
the interrupt related by the IRQ 1 able to be not refer
( ?  X% W6 G8 ~# R* Z( G6 [the I/O APIC's Redirection Table.
8 f* E2 Z1 M3 Q, g6 K
- It is higher priority of the hooking than the direct
' }/ S- F- J9 X7 e5 s- q5 ~8 |modification of the I/O APIC's vector.
- The vector can be hidden on the thread getting the keyboard
vector from the I/O APIC.

Flow ::

. t, t! B# y4 K7 J1. IRQ 1 Assert !!!
2. The I/O APIC receives the signal and refers the I/O Redirection table.
: ?( y( B( m" p3. Sending the signal from the destination Local APIC.
" {: ]2 I( T0 X  m: O% @4. Local APIC pass the signal to the processor for its delivery mode ExtINT
& ^! A) |; K8 `$ m" @& c5. A processor receives the signal.
6. The processor Assert the INTA signal.
3 f1 V) q# @! X' }2 {3 d2 @7. The I/O APIC acknowledged.
8. The processor Assert the second INTA signal.
9. The I/O APIC delivers the signal to the 8259a compatible PIC
6 R3 U7 p" E' G4 ^- Jfor ExtINT to its Delivery mode.
! d$ K& o: ]$ d5 }$ q7 ?7 E10. 8259a compatible PIC sends 2 bytes after second INTA pulse.
11. The processor execute 2 bytes sended.
+ n0 n4 z, g: V9 k* e) N! Y12. our interrupt handler executed.

2 X5 e4 g) q4 ]9 D! U, n+ M
sourcecode and binary are available on the
3 q$ k# p& e: _5 D- Ghttp://www.rootkit.com/vault/chpie/apic_keyboard.zip