[转载]Keyboard Interrupt Hook using I/O APIC

bini

Keyboard Interrupt Hook using I/O APIC(ZT)

Keyboard Interrupt Hook using I/O APIC

By: chpie
2 ?* B3 C; N6 g8 U+ Q& WKeyboard Interrupt Hooking by manipulating the I/O APIC
% I5 c* I: L: ^) m! g+ R2 {& c& Dtested on the winXP, Pentium D Hyper-threading Enabled.
! \/ I# W( u" Q5 n8 N2 F+ T7 C

Summary :: Using the 8259a compatible PIC to be deliver the interrupt
signal by Delivery mode of the I/O APIC to be the ExtINT,
the interrupt related by the IRQ 1 able to be not refer
the I/O APIC's Redirection Table.

- It is higher priority of the hooking than the direct
, e$ x+ R+ @, g" _% C( @modification of the I/O APIC's vector.
8 B/ g* L2 M& P8 z( I- The vector can be hidden on the thread getting the keyboard
. J' M3 T: P& m( Wvector from the I/O APIC.

Flow ::
7 T+ F+ A( O4 x  v# G1 W7 A
1. IRQ 1 Assert !!!
  y7 w# M$ T& [+ x! w% Y, F2. The I/O APIC receives the signal and refers the I/O Redirection table.
3. Sending the signal from the destination Local APIC.
( }) W* a5 b1 p$ I( {. H8 i4. Local APIC pass the signal to the processor for its delivery mode ExtINT
6 q1 }) s/ c, n" h7 ~5. A processor receives the signal.
6. The processor Assert the INTA signal.
* t0 m* S) P1 A  P" X2 T7. The I/O APIC acknowledged.
8. The processor Assert the second INTA signal.
2 d1 O/ N5 J; q3 Q0 ~# e5 g9. The I/O APIC delivers the signal to the 8259a compatible PIC
( r: W; n2 [( f) {5 A) bfor ExtINT to its Delivery mode.
6 y8 B# R& V! C4 A# w% ?" J4 m$ \10. 8259a compatible PIC sends 2 bytes after second INTA pulse.
11. The processor execute 2 bytes sended.
$ Z; R% _3 x  j# v8 y12. our interrupt handler executed.

, \& R* m0 I# k+ d
6 G1 v/ f" q7 H& O# rsourcecode and binary are available on the
http://www.rootkit.com/vault/chpie/apic_keyboard.zip