[转载]Keyboard Interrupt Hook using I/O APIC

bini

Keyboard Interrupt Hook using I/O APIC(ZT)
" f! {2 m" [" W4 w; ]( M
( c1 H2 @! M& b$ UKeyboard Interrupt Hook using I/O APIC
" J' N/ `3 q" A7 x
By: chpie
Keyboard Interrupt Hooking by manipulating the I/O APIC
tested on the winXP, Pentium D Hyper-threading Enabled.

$ I* o' Q8 M3 p. z) \6 ^
Summary :: Using the 8259a compatible PIC to be deliver the interrupt
2 G, J1 c7 ?( O4 Ysignal by Delivery mode of the I/O APIC to be the ExtINT,
9 f" ^8 Z# b2 d& g- c: B) b8 rthe interrupt related by the IRQ 1 able to be not refer
the I/O APIC's Redirection Table.
) G6 k% o* w# V1 z  m+ k9 M
" V8 @- g( H; L: b- It is higher priority of the hooking than the direct
modification of the I/O APIC's vector.
- The vector can be hidden on the thread getting the keyboard
# k* S' |+ |7 J1 v& S0 Yvector from the I/O APIC.
  ]; h- i$ \  W2 R3 X8 c7 {
Flow ::
9 S1 {! w3 u; \' d! Z" k' f0 y
. }: X* e3 Q. [% F8 G9 z1. IRQ 1 Assert !!!
) w' Y  l( @6 N% ^3 X1 _2. The I/O APIC receives the signal and refers the I/O Redirection table.
. F5 D/ k! g+ t3. Sending the signal from the destination Local APIC.
5 J7 y4 r, a9 c7 E+ K6 N* f. n. g' Q4. Local APIC pass the signal to the processor for its delivery mode ExtINT
. W: Y& l0 [" }  i8 t5. A processor receives the signal.
9 |; \& `; ?2 W4 n6 r) J$ }6. The processor Assert the INTA signal.
' N, p2 w6 ~# x) z6 e2 Z# J/ D4 u7. The I/O APIC acknowledged.
8. The processor Assert the second INTA signal.
" L0 s) |) e/ `( n. b* ?; ^  Y3 g3 ?9. The I/O APIC delivers the signal to the 8259a compatible PIC
for ExtINT to its Delivery mode.
10. 8259a compatible PIC sends 2 bytes after second INTA pulse.
11. The processor execute 2 bytes sended.
12. our interrupt handler executed.
, n+ `, C: @' T! p$ F' ?3 r" _

sourcecode and binary are available on the
% F& u2 O' G- C2 B. |5 Y  _$ Yhttp://www.rootkit.com/vault/chpie/apic_keyboard.zip