[转载]Keyboard Interrupt Hook using I/O APIC

bini

Keyboard Interrupt Hook using I/O APIC(ZT)

Keyboard Interrupt Hook using I/O APIC
* K3 k  h; B' Y" p7 p2 h' t
4 J/ ?! o; i" j$ U- eBy: chpie
Keyboard Interrupt Hooking by manipulating the I/O APIC
tested on the winXP, Pentium D Hyper-threading Enabled.
; w/ f; ^2 _7 [+ @# }

$ J5 m3 P9 M8 ]7 R0 S  N& GSummary :: Using the 8259a compatible PIC to be deliver the interrupt
7 ^$ s; }1 w4 G+ |0 K4 lsignal by Delivery mode of the I/O APIC to be the ExtINT,
the interrupt related by the IRQ 1 able to be not refer
the I/O APIC's Redirection Table.

- It is higher priority of the hooking than the direct
modification of the I/O APIC's vector.
2 M( ~! \! s! ~& q- The vector can be hidden on the thread getting the keyboard
vector from the I/O APIC.
* c7 u* g3 }; n( \$ l4 T8 d) u
Flow ::

1. IRQ 1 Assert !!!
2. The I/O APIC receives the signal and refers the I/O Redirection table.
) Y: f$ i3 z, C4 h1 x/ @# D9 z/ `3. Sending the signal from the destination Local APIC.
4. Local APIC pass the signal to the processor for its delivery mode ExtINT
5. A processor receives the signal.
6. The processor Assert the INTA signal.
7. The I/O APIC acknowledged.
9 x5 Q1 p  M+ \' ^  I  S* }8. The processor Assert the second INTA signal.
6 Y) l& t8 U; G8 {$ Y4 s9. The I/O APIC delivers the signal to the 8259a compatible PIC
for ExtINT to its Delivery mode.
8 Y, @5 S# S, h: G10. 8259a compatible PIC sends 2 bytes after second INTA pulse.
  y, S% P% X7 u11. The processor execute 2 bytes sended.
  l# M  S& W% g' a# `2 G12. our interrupt handler executed.

6 U' m0 d1 ?+ }
sourcecode and binary are available on the
  r" u7 K& Q2 X2 A) ?/ khttp://www.rootkit.com/vault/chpie/apic_keyboard.zip