[转载]Keyboard Interrupt Hook using I/O APIC

bini

Keyboard Interrupt Hook using I/O APIC(ZT)
% e  W: n5 W+ {
Keyboard Interrupt Hook using I/O APIC
% C% ^: X, o9 e9 h  T  ^1 ^
By: chpie
Keyboard Interrupt Hooking by manipulating the I/O APIC
tested on the winXP, Pentium D Hyper-threading Enabled.

- Z- d/ M. j. v8 G
9 N' A9 Z+ e9 a# ISummary :: Using the 8259a compatible PIC to be deliver the interrupt
signal by Delivery mode of the I/O APIC to be the ExtINT,
the interrupt related by the IRQ 1 able to be not refer
' O! k7 q  [6 k5 y2 ?the I/O APIC's Redirection Table.
2 E- q- v+ r  \  I9 X9 r
) V7 D+ H' X- k. V* J- It is higher priority of the hooking than the direct
modification of the I/O APIC's vector.
- The vector can be hidden on the thread getting the keyboard
. Z. q1 `" }. X7 l/ d" i% m1 E! Zvector from the I/O APIC.
% _" ^3 V! j; V2 Y' U1 q
+ S+ [3 J7 k. K) w0 FFlow ::

1. IRQ 1 Assert !!!
2. The I/O APIC receives the signal and refers the I/O Redirection table.
  {3 y. m3 H! |  U5 D3. Sending the signal from the destination Local APIC.
+ J, U) W1 h: `' X4. Local APIC pass the signal to the processor for its delivery mode ExtINT
5. A processor receives the signal.
' R. D0 ~# x& q8 G4 v% d% h6. The processor Assert the INTA signal.
; B7 T0 h) _, I) S3 P" M$ c7. The I/O APIC acknowledged.
8. The processor Assert the second INTA signal.
. }3 L/ ?4 u+ O: R9 Q9 F) o: Z9. The I/O APIC delivers the signal to the 8259a compatible PIC
for ExtINT to its Delivery mode.
10. 8259a compatible PIC sends 2 bytes after second INTA pulse.
( O& L- o7 L, g* x5 [. ]11. The processor execute 2 bytes sended.
1 p9 Z4 d: c0 g' T0 d5 Y" Z" y- o12. our interrupt handler executed.
: n. {& [- y7 Q

2 I* k/ A5 r- k7 d2 J- X2 hsourcecode and binary are available on the
) {& p5 ?/ n6 \$ c) |5 D: lhttp://www.rootkit.com/vault/chpie/apic_keyboard.zip