[转载]Keyboard Interrupt Hook using I/O APIC

bini

Keyboard Interrupt Hook using I/O APIC(ZT)

Keyboard Interrupt Hook using I/O APIC
' r  w3 r! N2 ?3 X! `
. U+ w6 M' E4 h- QBy: chpie
Keyboard Interrupt Hooking by manipulating the I/O APIC
) ^$ `6 ]. O7 W# utested on the winXP, Pentium D Hyper-threading Enabled.

& k- t2 {" b& {8 m
Summary :: Using the 8259a compatible PIC to be deliver the interrupt
signal by Delivery mode of the I/O APIC to be the ExtINT,
the interrupt related by the IRQ 1 able to be not refer
the I/O APIC's Redirection Table.
+ A' C- L! F  t3 Y) {. E
# @0 ~+ m1 b( w- It is higher priority of the hooking than the direct
' F0 f6 W3 x4 h# Vmodification of the I/O APIC's vector.
. [) r" x7 u( ?# {5 m( G/ W- The vector can be hidden on the thread getting the keyboard
vector from the I/O APIC.

+ l" P* L/ y  v6 _& x* ]6 Z! g, FFlow ::
5 b! \* l8 g' o1 G' Q
. u2 I, m+ T; s1. IRQ 1 Assert !!!
- I6 h4 w( B% A. f# Y6 ?2. The I/O APIC receives the signal and refers the I/O Redirection table.
6 G2 C5 o' o) A, |6 U% D# T, @" b* L* M3. Sending the signal from the destination Local APIC.
" w. W0 s, F9 Q/ u. I4. Local APIC pass the signal to the processor for its delivery mode ExtINT
5. A processor receives the signal.
6. The processor Assert the INTA signal.
  f; ~1 ^1 n% a7. The I/O APIC acknowledged.
8. The processor Assert the second INTA signal.
9. The I/O APIC delivers the signal to the 8259a compatible PIC
$ L; Q" R+ B- _for ExtINT to its Delivery mode.
6 l3 ~( Z; F6 E/ d9 r10. 8259a compatible PIC sends 2 bytes after second INTA pulse.
  f) @% Y- ]& u; x6 _8 K' Q1 a11. The processor execute 2 bytes sended.
  O& V& R$ V3 _/ N$ W$ W12. our interrupt handler executed.


" S* q5 Z0 x1 F3 I4 Vsourcecode and binary are available on the
http://www.rootkit.com/vault/chpie/apic_keyboard.zip