[转载]Keyboard Interrupt Hook using I/O APIC

bini

Keyboard Interrupt Hook using I/O APIC(ZT)
+ w6 ?" K6 ^+ W6 C/ t
Keyboard Interrupt Hook using I/O APIC
( v7 M8 t/ f% r, J# `3 F8 H
% b& c5 s- O4 p+ z+ QBy: chpie
  q- D! M4 N  l- k: D* {# _5 Q; UKeyboard Interrupt Hooking by manipulating the I/O APIC
0 R2 R+ n* E$ p1 l& N  itested on the winXP, Pentium D Hyper-threading Enabled.
& f' Q4 S  H& ~$ q2 L

. s2 e/ R1 x/ ?) Y: J' I# S4 ZSummary :: Using the 8259a compatible PIC to be deliver the interrupt
signal by Delivery mode of the I/O APIC to be the ExtINT,
the interrupt related by the IRQ 1 able to be not refer
- {+ l: ?8 {6 fthe I/O APIC's Redirection Table.
& v( m; C. g! Y& l0 H' `
, t: R7 I2 f- e2 ^, r3 Y- It is higher priority of the hooking than the direct
" S" C# y: Q8 U" p' @+ j9 mmodification of the I/O APIC's vector.
% h# Z* H' y( A/ ~9 ^- The vector can be hidden on the thread getting the keyboard
" ~1 ~  q4 G# c& Gvector from the I/O APIC.

: L& l  d# v8 O$ g( JFlow ::

1 |0 A$ F. \, v3 C, b! _1. IRQ 1 Assert !!!
2. The I/O APIC receives the signal and refers the I/O Redirection table.
  m; x/ {3 [0 c3 q, m. o3. Sending the signal from the destination Local APIC.
4. Local APIC pass the signal to the processor for its delivery mode ExtINT
4 U7 V  W! p' N( w- V5 T: [5. A processor receives the signal.
6. The processor Assert the INTA signal.
7. The I/O APIC acknowledged.
8. The processor Assert the second INTA signal.
3 Z# e% Q; Z/ R' F! X7 |9. The I/O APIC delivers the signal to the 8259a compatible PIC
for ExtINT to its Delivery mode.
$ o8 g1 X- Y; b( n) u10. 8259a compatible PIC sends 2 bytes after second INTA pulse.
11. The processor execute 2 bytes sended.
4 I- Z- q6 G. p/ w4 o* K. r( w! G) A12. our interrupt handler executed.

3 ]& x% v6 `: W% Z
sourcecode and binary are available on the
http://www.rootkit.com/vault/chpie/apic_keyboard.zip