[转载]Keyboard Interrupt Hook using I/O APIC

bini

Keyboard Interrupt Hook using I/O APIC(ZT)

7 R9 B3 d, _  I5 ^/ n+ h# _. TKeyboard Interrupt Hook using I/O APIC

By: chpie
8 Q9 Q& T+ U) zKeyboard Interrupt Hooking by manipulating the I/O APIC
" q" [" z# v+ O$ ]* H9 P' m7 Htested on the winXP, Pentium D Hyper-threading Enabled.


! h& T0 ?# K( m( @6 W  @4 g# GSummary :: Using the 8259a compatible PIC to be deliver the interrupt
$ K. {  D" j8 h" m8 R" i9 wsignal by Delivery mode of the I/O APIC to be the ExtINT,
8 |& [. {" x$ O8 G6 k% a* Mthe interrupt related by the IRQ 1 able to be not refer
the I/O APIC's Redirection Table.

- It is higher priority of the hooking than the direct
modification of the I/O APIC's vector.
- The vector can be hidden on the thread getting the keyboard
7 r4 ^5 T' @+ y3 b6 fvector from the I/O APIC.
7 t& D; b% z0 y
7 d2 E7 B' f$ XFlow ::

1. IRQ 1 Assert !!!
6 E- s, d1 O( s: v4 d, ^2. The I/O APIC receives the signal and refers the I/O Redirection table.
3. Sending the signal from the destination Local APIC.
4. Local APIC pass the signal to the processor for its delivery mode ExtINT
+ [! N- W, E1 ^4 v/ g$ g* Z5. A processor receives the signal.
6. The processor Assert the INTA signal.
: @- h; M" G) ~# J3 e4 L7. The I/O APIC acknowledged.
/ O% ~5 P, Q$ J& W. x8 q7 e" G8. The processor Assert the second INTA signal.
- J" z% f1 I: b" k2 M9 \9. The I/O APIC delivers the signal to the 8259a compatible PIC
/ b. u3 M; c0 Q( o1 P8 L. l, v# Jfor ExtINT to its Delivery mode.
2 U* V8 }2 I# x4 {8 M* n6 E" o7 I10. 8259a compatible PIC sends 2 bytes after second INTA pulse.
11. The processor execute 2 bytes sended.
, \% `3 n0 e+ {# F! A12. our interrupt handler executed.

7 R- K; p* `$ Y! d
sourcecode and binary are available on the
http://www.rootkit.com/vault/chpie/apic_keyboard.zip