[转载]Keyboard Interrupt Hook using I/O APIC

bini

Keyboard Interrupt Hook using I/O APIC(ZT)

; X, e2 x: a% |Keyboard Interrupt Hook using I/O APIC
" [0 \6 m3 ?6 a  t* D( e+ n: b+ [
By: chpie
9 L: o9 v  K( w5 C- p( n) Q" ZKeyboard Interrupt Hooking by manipulating the I/O APIC
tested on the winXP, Pentium D Hyper-threading Enabled.


Summary :: Using the 8259a compatible PIC to be deliver the interrupt
signal by Delivery mode of the I/O APIC to be the ExtINT,
* R) ]# P3 n1 \6 ?9 s7 x  t% ]the interrupt related by the IRQ 1 able to be not refer
the I/O APIC's Redirection Table.
5 g9 i% {1 o- @& a
3 ]0 F+ G$ O% d% S3 q) I- It is higher priority of the hooking than the direct
modification of the I/O APIC's vector.
- The vector can be hidden on the thread getting the keyboard
vector from the I/O APIC.
  e- ^# N7 d  E1 c5 S1 V' z
Flow ::

7 s6 m8 ~) f9 j1. IRQ 1 Assert !!!
7 W* [5 {. Y/ R) X) Z2. The I/O APIC receives the signal and refers the I/O Redirection table.
# `  Q0 e2 [: D3 Z# R( d+ [3. Sending the signal from the destination Local APIC.
- ~# D8 ?  g* B! y9 P5 L4. Local APIC pass the signal to the processor for its delivery mode ExtINT
$ f; ]" ^) I, t: U# R+ ]5. A processor receives the signal.
  y) }% F. Z* q+ ?$ o% t* H6. The processor Assert the INTA signal.
5 X- J5 k  x  P  D" S7. The I/O APIC acknowledged.
5 r: h/ V- t0 V- l' g8. The processor Assert the second INTA signal.
' S$ V3 X% z# s$ Y% t8 o, D2 n9. The I/O APIC delivers the signal to the 8259a compatible PIC
/ U; Y3 P7 N! @( c8 xfor ExtINT to its Delivery mode.
10. 8259a compatible PIC sends 2 bytes after second INTA pulse.
11. The processor execute 2 bytes sended.
12. our interrupt handler executed.
9 L% j% ?% I6 z5 R

' o4 ~2 Y6 k4 b' N! q2 V; Tsourcecode and binary are available on the
http://www.rootkit.com/vault/chpie/apic_keyboard.zip