[转载]Keyboard Interrupt Hook using I/O APIC

bini

Keyboard Interrupt Hook using I/O APIC(ZT)

Keyboard Interrupt Hook using I/O APIC

. g& M7 a6 I# Y. B+ }By: chpie
. v9 ]2 q& j" b7 OKeyboard Interrupt Hooking by manipulating the I/O APIC
$ \/ ~% i" J. ptested on the winXP, Pentium D Hyper-threading Enabled.
7 Z) S. a' f$ h5 A. ?% a' I

, E4 l! Q/ Q) D+ X& NSummary :: Using the 8259a compatible PIC to be deliver the interrupt
signal by Delivery mode of the I/O APIC to be the ExtINT,
( j+ L  i1 m& ~/ g) cthe interrupt related by the IRQ 1 able to be not refer
) q" Z7 Q+ A' [# Z$ I! k  d# n% s/ ]the I/O APIC's Redirection Table.
1 w' b) |3 b. _; _3 l# u
: W% T6 b( a* ^, V; D! s! K0 Q: _/ V- It is higher priority of the hooking than the direct
# r- i# `9 n& }' zmodification of the I/O APIC's vector.
- The vector can be hidden on the thread getting the keyboard
vector from the I/O APIC.
& {" V4 I8 T/ O% x
9 F2 k$ Q1 l  @- k3 [* }Flow ::
7 P* l/ H$ g3 B1 H
& G! _6 X+ Y( B9 u, e1. IRQ 1 Assert !!!
2. The I/O APIC receives the signal and refers the I/O Redirection table.
3. Sending the signal from the destination Local APIC.
4. Local APIC pass the signal to the processor for its delivery mode ExtINT
7 t) x/ ?3 C0 [/ K; b! |5. A processor receives the signal.
& g# w  x4 k/ s( w0 g* s+ n- j, f6. The processor Assert the INTA signal.
7. The I/O APIC acknowledged.
, L8 O' v- A3 P8. The processor Assert the second INTA signal.
9. The I/O APIC delivers the signal to the 8259a compatible PIC
/ E# ]6 Z5 E9 r* z" ]$ Q' R! e4 Efor ExtINT to its Delivery mode.
% Q: s0 N3 v5 ~, f, O7 Q1 l; |10. 8259a compatible PIC sends 2 bytes after second INTA pulse.
$ t& U4 g4 ]8 i% l! }  k11. The processor execute 2 bytes sended.
12. our interrupt handler executed.


& e3 v) O) n+ @4 Ssourcecode and binary are available on the
5 C# l$ @+ N  o# Y7 N% B6 chttp://www.rootkit.com/vault/chpie/apic_keyboard.zip