[转载]Keyboard Interrupt Hook using I/O APIC

bini

Keyboard Interrupt Hook using I/O APIC(ZT)
0 X# L5 A/ p. Y, w" Q3 X5 c' O# e
Keyboard Interrupt Hook using I/O APIC

By: chpie
Keyboard Interrupt Hooking by manipulating the I/O APIC
3 p  n5 n$ @4 V4 G' dtested on the winXP, Pentium D Hyper-threading Enabled.
1 ]0 N5 j* E6 A# z

. k: h2 M, J- Y9 |3 [Summary :: Using the 8259a compatible PIC to be deliver the interrupt
9 z, M1 W7 |3 T% z# n4 osignal by Delivery mode of the I/O APIC to be the ExtINT,
the interrupt related by the IRQ 1 able to be not refer
the I/O APIC's Redirection Table.

: d" R- Z/ v( ]+ y, d$ |* Y- It is higher priority of the hooking than the direct
: j. t) q. j' k( cmodification of the I/O APIC's vector.
' s; N/ @; A! O9 f9 ?$ {, T- The vector can be hidden on the thread getting the keyboard
vector from the I/O APIC.

$ p: m1 H! J6 |5 i$ HFlow ::
6 A+ x! r5 i$ ~3 Y3 @8 h' P
: k/ D3 y8 _! U( d3 Y1. IRQ 1 Assert !!!
0 T  N8 S  ^* i+ u4 u7 Z" _4 f2. The I/O APIC receives the signal and refers the I/O Redirection table.
3. Sending the signal from the destination Local APIC.
* a& a9 [2 K  d% p4. Local APIC pass the signal to the processor for its delivery mode ExtINT
& T3 K7 j% {0 Y+ y5 j. K- K5. A processor receives the signal.
6. The processor Assert the INTA signal.
7. The I/O APIC acknowledged.
8. The processor Assert the second INTA signal.
# Y  k0 ?# O. Q9. The I/O APIC delivers the signal to the 8259a compatible PIC
for ExtINT to its Delivery mode.
) |  {* C8 v6 _3 i5 r$ ?5 k/ t10. 8259a compatible PIC sends 2 bytes after second INTA pulse.
# T! ^# b: t# g( V11. The processor execute 2 bytes sended.
12. our interrupt handler executed.
$ k3 {7 G7 [- R9 [% H2 f& {

sourcecode and binary are available on the
1 e2 u, q5 ]2 r' `! ^( a0 R: b! Ahttp://www.rootkit.com/vault/chpie/apic_keyboard.zip