[转载]Keyboard Interrupt Hook using I/O APIC

bini

Keyboard Interrupt Hook using I/O APIC(ZT)

+ _8 q5 Y' d- O% v4 \Keyboard Interrupt Hook using I/O APIC
2 b) [. ~: q: I  M" s9 X' [' I
6 g3 H- }& J$ _2 _3 [6 TBy: chpie
( F' F$ y8 X2 G+ j; P; I; hKeyboard Interrupt Hooking by manipulating the I/O APIC
tested on the winXP, Pentium D Hyper-threading Enabled.


Summary :: Using the 8259a compatible PIC to be deliver the interrupt
signal by Delivery mode of the I/O APIC to be the ExtINT,
the interrupt related by the IRQ 1 able to be not refer
# g! @0 V3 Y. _0 d$ a  Y" H% hthe I/O APIC's Redirection Table.
1 [9 O# Z$ V+ p. f6 t+ A9 C$ U
- It is higher priority of the hooking than the direct
7 K2 y4 ^5 \0 ]modification of the I/O APIC's vector.
- The vector can be hidden on the thread getting the keyboard
vector from the I/O APIC.

Flow ::
0 _; n# ?. o. i7 g
4 s, O3 j; j+ J1 Y' C1. IRQ 1 Assert !!!
6 H3 H( g( u8 U3 n0 D2. The I/O APIC receives the signal and refers the I/O Redirection table.
, i4 {. m% ~0 w6 r  u- j2 e3. Sending the signal from the destination Local APIC.
4. Local APIC pass the signal to the processor for its delivery mode ExtINT
5. A processor receives the signal.
6. The processor Assert the INTA signal.
. H" @+ Q  S+ @; |5 V% D8 ^7. The I/O APIC acknowledged.
5 t4 k, z$ S; ]. D8. The processor Assert the second INTA signal.
+ \4 t/ v1 ~% V$ x1 n9. The I/O APIC delivers the signal to the 8259a compatible PIC
for ExtINT to its Delivery mode.
' d; a9 ~2 j* @! M+ U' C10. 8259a compatible PIC sends 2 bytes after second INTA pulse.
$ j; O! P& j3 t7 A5 g1 O11. The processor execute 2 bytes sended.
12. our interrupt handler executed.

, A7 J. h3 Q$ {9 f' p7 d8 k
, \( B. t% F( a3 }% Esourcecode and binary are available on the
# X( ?/ H* R% Z% [3 L: ehttp://www.rootkit.com/vault/chpie/apic_keyboard.zip