[转载]Keyboard Interrupt Hook using I/O APIC

bini

Keyboard Interrupt Hook using I/O APIC(ZT)
/ V& ?3 M4 U5 ~9 }( E
3 {8 I" c5 k$ \/ a; KKeyboard Interrupt Hook using I/O APIC

By: chpie
3 a" q( u. p' W4 R: }/ cKeyboard Interrupt Hooking by manipulating the I/O APIC
5 @" F3 G) i6 i8 y9 @/ W9 Htested on the winXP, Pentium D Hyper-threading Enabled.

2 S+ L1 m2 J7 @- k! c8 E
  i) K) g6 e! H2 x; ~Summary :: Using the 8259a compatible PIC to be deliver the interrupt
! J) M5 p. a9 x3 vsignal by Delivery mode of the I/O APIC to be the ExtINT,
. n6 Q. m: L8 r4 N+ h/ l! Vthe interrupt related by the IRQ 1 able to be not refer
$ l, D- `: V/ |5 hthe I/O APIC's Redirection Table.
: ?& K0 S2 c2 _% F
. W8 z2 b% {, x5 ]- f* ~6 B6 Q2 o- It is higher priority of the hooking than the direct
7 D# \( r9 Z% k8 Imodification of the I/O APIC's vector.
- The vector can be hidden on the thread getting the keyboard
6 U: N1 ?5 N  F  z: f# Hvector from the I/O APIC.

Flow ::

1. IRQ 1 Assert !!!
7 x* L4 _* t' y0 S+ o2. The I/O APIC receives the signal and refers the I/O Redirection table.
) x" e8 I, s. ?% u5 `3. Sending the signal from the destination Local APIC.
# f9 C5 z+ T" w# q4. Local APIC pass the signal to the processor for its delivery mode ExtINT
5. A processor receives the signal.
7 s' s/ K# q/ }) M6. The processor Assert the INTA signal.
  ^0 G7 n5 Z4 T7. The I/O APIC acknowledged.
8. The processor Assert the second INTA signal.
: b( k/ g9 T: H( u9. The I/O APIC delivers the signal to the 8259a compatible PIC
for ExtINT to its Delivery mode.
' g! `$ D3 c$ v- ]1 D0 v7 A( i10. 8259a compatible PIC sends 2 bytes after second INTA pulse.
' _& Z9 y6 \5 w) G: |11. The processor execute 2 bytes sended.
12. our interrupt handler executed.
7 N6 q- w8 C; L6 I

7 G* c; y  A# ?7 |$ asourcecode and binary are available on the
/ N, D% n* D% z6 b. Whttp://www.rootkit.com/vault/chpie/apic_keyboard.zip