[转载]Keyboard Interrupt Hook using I/O APIC

bini

Keyboard Interrupt Hook using I/O APIC(ZT)
( I+ k' _9 K. q" {5 l
Keyboard Interrupt Hook using I/O APIC
0 \8 F5 ]( [! k4 B* V
, F. d# k; D7 v- A$ D' G& vBy: chpie
, ^) K& O7 P+ IKeyboard Interrupt Hooking by manipulating the I/O APIC
tested on the winXP, Pentium D Hyper-threading Enabled.
3 o8 P  {. ]& y& ^0 r

Summary :: Using the 8259a compatible PIC to be deliver the interrupt
signal by Delivery mode of the I/O APIC to be the ExtINT,
the interrupt related by the IRQ 1 able to be not refer
the I/O APIC's Redirection Table.
1 e5 k1 I' y$ @8 v
8 m' P1 Q' p8 Y  t" r- It is higher priority of the hooking than the direct
' U1 g; l8 X+ I1 R% ^modification of the I/O APIC's vector.
- The vector can be hidden on the thread getting the keyboard
vector from the I/O APIC.

Flow ::
# ?% d. [: M" J9 `- Q
1. IRQ 1 Assert !!!
. x5 o/ U5 Q9 ^& q0 M2 a2. The I/O APIC receives the signal and refers the I/O Redirection table.
3 L/ H$ Y$ t) U0 @0 p% ~3. Sending the signal from the destination Local APIC.
4. Local APIC pass the signal to the processor for its delivery mode ExtINT
5. A processor receives the signal.
7 h% |$ o; `. h! m, i6. The processor Assert the INTA signal.
3 ^  O5 g' |; f2 x- F7. The I/O APIC acknowledged.
8. The processor Assert the second INTA signal.
1 b) X& \1 D/ E, ~( S3 B( R  W9 [9. The I/O APIC delivers the signal to the 8259a compatible PIC
for ExtINT to its Delivery mode.
10. 8259a compatible PIC sends 2 bytes after second INTA pulse.
11. The processor execute 2 bytes sended.
12. our interrupt handler executed.

2 }7 [/ t7 Y7 V0 n- D
$ K" P3 E" r& t0 Z7 Xsourcecode and binary are available on the
$ d2 m: i; V& @2 y) j+ Z* w1 i2 S' Ghttp://www.rootkit.com/vault/chpie/apic_keyboard.zip