[转载]Keyboard Interrupt Hook using I/O APIC

bini

Keyboard Interrupt Hook using I/O APIC(ZT)

Keyboard Interrupt Hook using I/O APIC
2 {- g- c1 @; E8 n: V4 b) K% U
6 g0 V1 u) K8 h+ ]By: chpie
  q" g. v: [+ e5 I4 M" UKeyboard Interrupt Hooking by manipulating the I/O APIC
" n5 g6 {/ ?' w0 `7 u. i$ Etested on the winXP, Pentium D Hyper-threading Enabled.
* m: W: s* a) ?  s: `& _$ q3 C

Summary :: Using the 8259a compatible PIC to be deliver the interrupt
7 J* }3 @7 c2 @4 r: R* Lsignal by Delivery mode of the I/O APIC to be the ExtINT,
3 r* S% O, Z1 `. \+ j- x0 athe interrupt related by the IRQ 1 able to be not refer
the I/O APIC's Redirection Table.

- It is higher priority of the hooking than the direct
modification of the I/O APIC's vector.
- The vector can be hidden on the thread getting the keyboard
vector from the I/O APIC.
# w% C( m! K* ?* t$ O. R+ a1 ]
$ H8 Z* b  e: |1 e# @* c9 p% c4 fFlow ::

& R1 l  B* H9 A  a: P8 f. T1. IRQ 1 Assert !!!
) g6 m/ |) W0 s3 S8 e2. The I/O APIC receives the signal and refers the I/O Redirection table.
3. Sending the signal from the destination Local APIC.
3 A' |% G( r, B6 K& t2 g9 G4 q* a9 S4. Local APIC pass the signal to the processor for its delivery mode ExtINT
5. A processor receives the signal.
4 P# n# a& p" N( P, D, l6. The processor Assert the INTA signal.
4 c/ }! x# P* s9 P) v' x2 _( o, g2 b7. The I/O APIC acknowledged.
8. The processor Assert the second INTA signal.
9. The I/O APIC delivers the signal to the 8259a compatible PIC
; ^" l( I$ {" _" N' afor ExtINT to its Delivery mode.
5 ~! Q$ ?5 e& P! v  O/ u& O1 h+ C  Y10. 8259a compatible PIC sends 2 bytes after second INTA pulse.
11. The processor execute 2 bytes sended.
12. our interrupt handler executed.
, L3 b" B9 N5 X2 m
  i: Y4 s" e5 \% S
sourcecode and binary are available on the
http://www.rootkit.com/vault/chpie/apic_keyboard.zip