[转载]Keyboard Interrupt Hook using I/O APIC

bini

Keyboard Interrupt Hook using I/O APIC(ZT)

. a. y# B( V) c  t) QKeyboard Interrupt Hook using I/O APIC
8 @! r6 E& i4 i8 X
( C; F& G1 C! d) }By: chpie
Keyboard Interrupt Hooking by manipulating the I/O APIC
tested on the winXP, Pentium D Hyper-threading Enabled.

& @/ l9 F0 b0 o$ ]1 j9 E: d
Summary :: Using the 8259a compatible PIC to be deliver the interrupt
2 E6 H! A* @: a$ L' bsignal by Delivery mode of the I/O APIC to be the ExtINT,
- u! M- Z/ p* C6 b( u, Cthe interrupt related by the IRQ 1 able to be not refer
, Y$ O- ^7 L6 g5 ]' Y6 hthe I/O APIC's Redirection Table.

- f. \) T$ o; O- It is higher priority of the hooking than the direct
7 Z; I) B8 t$ A3 a0 a4 nmodification of the I/O APIC's vector.
4 N2 j4 l% R+ I+ B/ m2 I4 _- The vector can be hidden on the thread getting the keyboard
4 h& ?8 {( X0 M6 q+ U- I( ?% Gvector from the I/O APIC.

) @( G2 q0 I: {: i0 E5 NFlow ::
, ^% e9 A6 Y4 W! p; h% n* F8 W" t
+ a) w; B6 N# s! T1. IRQ 1 Assert !!!
2. The I/O APIC receives the signal and refers the I/O Redirection table.
3. Sending the signal from the destination Local APIC.
$ Y& j0 s4 \; u" F- @4. Local APIC pass the signal to the processor for its delivery mode ExtINT
5. A processor receives the signal.
6. The processor Assert the INTA signal.
7. The I/O APIC acknowledged.
8. The processor Assert the second INTA signal.
* ]7 I1 s5 s9 O- w' G9. The I/O APIC delivers the signal to the 8259a compatible PIC
for ExtINT to its Delivery mode.
10. 8259a compatible PIC sends 2 bytes after second INTA pulse.
* F8 V/ l! u3 Q9 T) R& L. k11. The processor execute 2 bytes sended.
12. our interrupt handler executed.
. K! R# X+ m  l; [$ D4 x

sourcecode and binary are available on the
4 f3 y1 r0 Q2 G+ z- v  ?- R1 j% @1 nhttp://www.rootkit.com/vault/chpie/apic_keyboard.zip