[转载]Keyboard Interrupt Hook using I/O APIC

bini

Keyboard Interrupt Hook using I/O APIC(ZT)

5 b' _- e9 D$ e( V& V" E) P; j1 @" W0 @Keyboard Interrupt Hook using I/O APIC

: F: X8 A7 o8 R9 }/ N& n* uBy: chpie
Keyboard Interrupt Hooking by manipulating the I/O APIC
tested on the winXP, Pentium D Hyper-threading Enabled.
. K; M8 \& I: @. }
. F- p' s) S" u. i3 `* w) L
Summary :: Using the 8259a compatible PIC to be deliver the interrupt
: Y& |* \# Z' X* u5 j3 zsignal by Delivery mode of the I/O APIC to be the ExtINT,
the interrupt related by the IRQ 1 able to be not refer
the I/O APIC's Redirection Table.

- It is higher priority of the hooking than the direct
modification of the I/O APIC's vector.
- The vector can be hidden on the thread getting the keyboard
vector from the I/O APIC.
% |' I. y) b0 C9 o1 s+ y
- w3 ], G- J/ F8 P  b  R+ bFlow ::

1. IRQ 1 Assert !!!
2. The I/O APIC receives the signal and refers the I/O Redirection table.
' Y6 K* A% o+ N- O3. Sending the signal from the destination Local APIC.
6 n# L# L- i, ]* F7 m4. Local APIC pass the signal to the processor for its delivery mode ExtINT
5 ?! ^- ~) o0 A( J' s5. A processor receives the signal.
, l6 Z! ~/ r* |. v6. The processor Assert the INTA signal.
7. The I/O APIC acknowledged.
8. The processor Assert the second INTA signal.
9. The I/O APIC delivers the signal to the 8259a compatible PIC
for ExtINT to its Delivery mode.
10. 8259a compatible PIC sends 2 bytes after second INTA pulse.
11. The processor execute 2 bytes sended.
12. our interrupt handler executed.


sourcecode and binary are available on the
% q* ?  X; ^( R! ghttp://www.rootkit.com/vault/chpie/apic_keyboard.zip