[转载]Keyboard Interrupt Hook using I/O APIC

bini

Keyboard Interrupt Hook using I/O APIC(ZT)
9 r+ X7 h" p- @$ K) O0 E# D2 ^7 J
Keyboard Interrupt Hook using I/O APIC
6 y- f' ~7 W' k1 c$ l
! F6 M5 ~2 |& F% j0 b& k2 R6 xBy: chpie
" V( v$ a, A0 D' o0 t8 BKeyboard Interrupt Hooking by manipulating the I/O APIC
$ |! f! M8 z& ytested on the winXP, Pentium D Hyper-threading Enabled.

( Y% N+ t2 L0 N& b: A- ]; D( `
Summary :: Using the 8259a compatible PIC to be deliver the interrupt
% h1 i! n% R- F( o3 l# usignal by Delivery mode of the I/O APIC to be the ExtINT,
the interrupt related by the IRQ 1 able to be not refer
the I/O APIC's Redirection Table.
8 e2 r7 c' M% m% x) P$ T
/ n& d2 h; |: @: T6 C% }7 d: r- It is higher priority of the hooking than the direct
! C6 j& |6 }/ ~: Qmodification of the I/O APIC's vector.
' V8 X3 w  B" b4 e8 D8 n- {- The vector can be hidden on the thread getting the keyboard
vector from the I/O APIC.

1 A! \2 y8 u- @3 [Flow ::
1 e1 ^5 d3 P9 n2 W+ O
* x: Z) g- j( p7 K0 T9 ~! _' J. D/ Y1. IRQ 1 Assert !!!
2. The I/O APIC receives the signal and refers the I/O Redirection table.
( w5 m2 p3 q( S3. Sending the signal from the destination Local APIC.
4. Local APIC pass the signal to the processor for its delivery mode ExtINT
, d+ }: Q9 W+ z: \2 G7 {5. A processor receives the signal.
7 X& L8 B: M; z" g, S/ d6. The processor Assert the INTA signal.
7. The I/O APIC acknowledged.
; ^, V% u3 ?  H/ z" Q$ R6 J8. The processor Assert the second INTA signal.
# [0 L' S. i4 |. m7 ~9. The I/O APIC delivers the signal to the 8259a compatible PIC
9 Q3 N6 f' }# V1 P$ Zfor ExtINT to its Delivery mode.
10. 8259a compatible PIC sends 2 bytes after second INTA pulse.
11. The processor execute 2 bytes sended.
12. our interrupt handler executed.

4 F* Y: E& J3 C  ^$ {
3 @$ l% U5 W5 Gsourcecode and binary are available on the
http://www.rootkit.com/vault/chpie/apic_keyboard.zip