[转载]Keyboard Interrupt Hook using I/O APIC

bini

Keyboard Interrupt Hook using I/O APIC(ZT)
* R+ l0 T5 \( X0 g  r2 i
* ^+ Y* M3 S2 iKeyboard Interrupt Hook using I/O APIC

By: chpie
# [3 O) t9 P/ _* gKeyboard Interrupt Hooking by manipulating the I/O APIC
& i3 V4 C* Z7 K+ T! U6 mtested on the winXP, Pentium D Hyper-threading Enabled.


3 Z* V! E7 D: F8 d, S/ hSummary :: Using the 8259a compatible PIC to be deliver the interrupt
, n& {, X2 ~! }5 [0 B  S* xsignal by Delivery mode of the I/O APIC to be the ExtINT,
4 Y2 _" O  u5 a" O. J6 |; o( C9 v( Vthe interrupt related by the IRQ 1 able to be not refer
3 R' P' n: v' t6 Q  {0 Gthe I/O APIC's Redirection Table.
! t. U1 @3 D9 p+ ?+ i+ ]0 G- z
  n6 ]$ V' E% o- I# H: {- It is higher priority of the hooking than the direct
modification of the I/O APIC's vector.
- The vector can be hidden on the thread getting the keyboard
5 e6 n" j0 h# T: a# H8 m, z% Lvector from the I/O APIC.

- ^% @4 b- i7 y2 t0 zFlow ::
: D5 S3 r( K( M9 ]8 N$ P+ E: h! a
2 w- E: H3 H0 m- k& ^1 Z1. IRQ 1 Assert !!!
2. The I/O APIC receives the signal and refers the I/O Redirection table.
: s7 E5 Z9 P$ M/ z! U3. Sending the signal from the destination Local APIC.
4. Local APIC pass the signal to the processor for its delivery mode ExtINT
5. A processor receives the signal.
6. The processor Assert the INTA signal.
7. The I/O APIC acknowledged.
8 `( p& k; w3 l" {7 c' ~' I8. The processor Assert the second INTA signal.
9. The I/O APIC delivers the signal to the 8259a compatible PIC
for ExtINT to its Delivery mode.
. \4 P6 l& q* A10. 8259a compatible PIC sends 2 bytes after second INTA pulse.
. q# L6 g& G) `0 g3 K6 b11. The processor execute 2 bytes sended.
12. our interrupt handler executed.


sourcecode and binary are available on the
1 i( ]/ Y/ c/ o; D( rhttp://www.rootkit.com/vault/chpie/apic_keyboard.zip