[转载]Keyboard Interrupt Hook using I/O APIC

bini

Keyboard Interrupt Hook using I/O APIC(ZT)

Keyboard Interrupt Hook using I/O APIC
2 C5 }( P7 ]- Z+ {/ K6 f2 e! O
By: chpie
Keyboard Interrupt Hooking by manipulating the I/O APIC
tested on the winXP, Pentium D Hyper-threading Enabled.
" s6 t8 }0 c: Q! b

Summary :: Using the 8259a compatible PIC to be deliver the interrupt
signal by Delivery mode of the I/O APIC to be the ExtINT,
7 t1 [0 T! l# \3 K, {; qthe interrupt related by the IRQ 1 able to be not refer
( F: a$ f" q5 @' J5 J; ?# H* ]the I/O APIC's Redirection Table.
9 H; {4 V3 E% q$ E# ~. _
; L$ O! i7 y8 H0 S, O( i% D- It is higher priority of the hooking than the direct
1 C  O. P! }. mmodification of the I/O APIC's vector.
- The vector can be hidden on the thread getting the keyboard
! h+ @; J5 G( @' a, [  ~vector from the I/O APIC.
. n: C  b5 ^4 k6 s% D
Flow ::

1. IRQ 1 Assert !!!
. I& S# _  r. v2 u! \: k2. The I/O APIC receives the signal and refers the I/O Redirection table.
3. Sending the signal from the destination Local APIC.
" {5 L6 P. o! A  t1 {+ x' ^4. Local APIC pass the signal to the processor for its delivery mode ExtINT
5. A processor receives the signal.
6. The processor Assert the INTA signal.
) r6 T( H5 C/ j* S" W7. The I/O APIC acknowledged.
8. The processor Assert the second INTA signal.
9. The I/O APIC delivers the signal to the 8259a compatible PIC
; w5 m  `+ e1 J$ Efor ExtINT to its Delivery mode.
9 B; `8 v* j2 e% Y10. 8259a compatible PIC sends 2 bytes after second INTA pulse.
# H$ i3 S( g/ c. t# R0 x( D( v) Y11. The processor execute 2 bytes sended.
$ d, ~2 M7 Q- l9 {/ H2 d12. our interrupt handler executed.


7 f' ?# N' R$ N. t$ b' qsourcecode and binary are available on the
; E; }# q) H0 B4 xhttp://www.rootkit.com/vault/chpie/apic_keyboard.zip