[转载]Keyboard Interrupt Hook using I/O APIC

bini

Keyboard Interrupt Hook using I/O APIC(ZT)

6 d1 k" u" X1 m/ D6 w1 R# ?Keyboard Interrupt Hook using I/O APIC
6 L* u; U7 I" i8 B; e6 I5 P# Q
By: chpie
Keyboard Interrupt Hooking by manipulating the I/O APIC
% R9 y$ \2 u" {' u' j* Etested on the winXP, Pentium D Hyper-threading Enabled.


Summary :: Using the 8259a compatible PIC to be deliver the interrupt
, q, ~' Y. D) y& {3 V4 E; w" isignal by Delivery mode of the I/O APIC to be the ExtINT,
the interrupt related by the IRQ 1 able to be not refer
$ z+ @+ @* g( q. `3 Ythe I/O APIC's Redirection Table.

- It is higher priority of the hooking than the direct
modification of the I/O APIC's vector.
( n$ S+ R9 O0 z  Y- The vector can be hidden on the thread getting the keyboard
vector from the I/O APIC.

Flow ::
" ?; ]0 g  @/ I, I) C& o$ Y% G2 X
1. IRQ 1 Assert !!!
2. The I/O APIC receives the signal and refers the I/O Redirection table.
3. Sending the signal from the destination Local APIC.
- R' U8 I1 B$ L' H; z, M* o4. Local APIC pass the signal to the processor for its delivery mode ExtINT
5. A processor receives the signal.
6. The processor Assert the INTA signal.
) \( J" \& p; B% o, |% I9 U' o* u7. The I/O APIC acknowledged.
8. The processor Assert the second INTA signal.
. F) ?8 Y5 Q2 ?9. The I/O APIC delivers the signal to the 8259a compatible PIC
for ExtINT to its Delivery mode.
10. 8259a compatible PIC sends 2 bytes after second INTA pulse.
6 s& k8 A: `9 M2 u11. The processor execute 2 bytes sended.
12. our interrupt handler executed.

* W2 \! ?7 U9 u: j7 K# i8 |
3 P$ s' G/ s0 H8 x9 H) zsourcecode and binary are available on the
, O5 n0 t& s2 y: A( T- Z1 E) xhttp://www.rootkit.com/vault/chpie/apic_keyboard.zip