[转载]Keyboard Interrupt Hook using I/O APIC

bini

Keyboard Interrupt Hook using I/O APIC(ZT)
* R* Q: ?% c! M! Y4 ^
Keyboard Interrupt Hook using I/O APIC
5 S: L5 s6 v, B% z5 ?4 D
By: chpie
; E0 u( q% r' X5 K9 |* L# cKeyboard Interrupt Hooking by manipulating the I/O APIC
tested on the winXP, Pentium D Hyper-threading Enabled.
# F3 C7 a  j% m) O
. J! `4 G& c" I4 j* a
Summary :: Using the 8259a compatible PIC to be deliver the interrupt
signal by Delivery mode of the I/O APIC to be the ExtINT,
the interrupt related by the IRQ 1 able to be not refer
the I/O APIC's Redirection Table.
+ F& c, L6 A; `$ @  c) T2 k$ T
- It is higher priority of the hooking than the direct
  u8 u+ |9 p  y1 H2 o1 Bmodification of the I/O APIC's vector.
3 E  X+ G  t0 r# g; P+ H- The vector can be hidden on the thread getting the keyboard
vector from the I/O APIC.
# }( y, W: Q# h
" A& O" [( r3 k$ R4 a$ HFlow ::

1. IRQ 1 Assert !!!
9 I* w$ w" |! k$ k5 S! t, O2. The I/O APIC receives the signal and refers the I/O Redirection table.
3. Sending the signal from the destination Local APIC.
4 b5 ?( i* @) h' C  s; |3 i4. Local APIC pass the signal to the processor for its delivery mode ExtINT
! P4 m5 r6 i2 v4 {6 _9 T5. A processor receives the signal.
( L/ L2 j  h, ^9 G- H" N" g6. The processor Assert the INTA signal.
7. The I/O APIC acknowledged.
8. The processor Assert the second INTA signal.
9. The I/O APIC delivers the signal to the 8259a compatible PIC
for ExtINT to its Delivery mode.
10. 8259a compatible PIC sends 2 bytes after second INTA pulse.
11. The processor execute 2 bytes sended.
12. our interrupt handler executed.
6 |9 v3 K  [5 O! I) p
+ r9 k1 N( d9 i$ P; j0 I; q2 v' v/ R
sourcecode and binary are available on the
http://www.rootkit.com/vault/chpie/apic_keyboard.zip