[转载]Keyboard Interrupt Hook using I/O APIC

bini

Keyboard Interrupt Hook using I/O APIC(ZT)
) F) t9 F: I& @  L
+ l( x, b1 b6 VKeyboard Interrupt Hook using I/O APIC

' A! s0 E# V0 j* ~2 }* YBy: chpie
0 h& Z7 N$ m6 dKeyboard Interrupt Hooking by manipulating the I/O APIC
8 N+ L( c) `! itested on the winXP, Pentium D Hyper-threading Enabled.

) @/ B, c& p! b  X" I+ b( L! I
Summary :: Using the 8259a compatible PIC to be deliver the interrupt
2 C0 G1 x- z1 A* Zsignal by Delivery mode of the I/O APIC to be the ExtINT,
1 R$ f. ~4 p+ w$ j; Nthe interrupt related by the IRQ 1 able to be not refer
the I/O APIC's Redirection Table.
  X: K* y% a4 `' a& Q  Z+ D
- It is higher priority of the hooking than the direct
modification of the I/O APIC's vector.
- The vector can be hidden on the thread getting the keyboard
1 j6 y; T" u! z- w/ Cvector from the I/O APIC.

1 F0 O: A& m: X6 {, U4 _Flow ::

- {+ D. |2 I3 A  p+ c" U" V1 U1. IRQ 1 Assert !!!
: @0 A- _0 k/ K6 `" t7 u0 Q2. The I/O APIC receives the signal and refers the I/O Redirection table.
3. Sending the signal from the destination Local APIC.
4. Local APIC pass the signal to the processor for its delivery mode ExtINT
7 n' C% e6 B  `0 l5. A processor receives the signal.
6. The processor Assert the INTA signal.
' b3 F; e' B& c7. The I/O APIC acknowledged.
8. The processor Assert the second INTA signal.
9. The I/O APIC delivers the signal to the 8259a compatible PIC
0 k; A: s* i( Q( x5 T# Wfor ExtINT to its Delivery mode.
10. 8259a compatible PIC sends 2 bytes after second INTA pulse.
+ N! t. `3 V  {( B11. The processor execute 2 bytes sended.
9 w8 [+ D# V9 [0 n12. our interrupt handler executed.
5 d  h1 e1 ~- f& o* a

sourcecode and binary are available on the
6 a+ M8 k. Z/ K* G: C# U9 V" ?0 n; M/ ]1 _http://www.rootkit.com/vault/chpie/apic_keyboard.zip