[转载]Keyboard Interrupt Hook using I/O APIC

bini

Keyboard Interrupt Hook using I/O APIC(ZT)

Keyboard Interrupt Hook using I/O APIC

. l+ D6 @0 D( I- b7 U/ R% JBy: chpie
Keyboard Interrupt Hooking by manipulating the I/O APIC
tested on the winXP, Pentium D Hyper-threading Enabled.
+ O7 Z4 g9 ?! L, D; q) e/ {

) t4 T: J* e' X4 Z4 r% YSummary :: Using the 8259a compatible PIC to be deliver the interrupt
signal by Delivery mode of the I/O APIC to be the ExtINT,
& T" \9 B6 D1 o0 [% P0 Zthe interrupt related by the IRQ 1 able to be not refer
the I/O APIC's Redirection Table.

. f' R- K# r+ u; B4 H" I4 t- It is higher priority of the hooking than the direct
4 B( B% w' u* s1 |) t  i: R! lmodification of the I/O APIC's vector.
% l  Q, N, @1 n- `' G3 ?  C- The vector can be hidden on the thread getting the keyboard
vector from the I/O APIC.

6 w4 v9 s9 W/ U; M4 d9 p4 x) B" DFlow ::

1. IRQ 1 Assert !!!
2. The I/O APIC receives the signal and refers the I/O Redirection table.
3. Sending the signal from the destination Local APIC.
4. Local APIC pass the signal to the processor for its delivery mode ExtINT
5. A processor receives the signal.
1 {. U0 Y9 H4 g# ]* H$ \6. The processor Assert the INTA signal.
7. The I/O APIC acknowledged.
8. The processor Assert the second INTA signal.
9. The I/O APIC delivers the signal to the 8259a compatible PIC
for ExtINT to its Delivery mode.
" g1 `9 U2 ^- W; W, M. x10. 8259a compatible PIC sends 2 bytes after second INTA pulse.
( W6 D2 O9 p- ~2 L$ \. E11. The processor execute 2 bytes sended.
12. our interrupt handler executed.
  Q4 m6 [  Q$ a5 W2 z
% u. D; `* f/ k* {8 J+ K1 W
sourcecode and binary are available on the
/ U/ q. \' m: v; K4 ?http://www.rootkit.com/vault/chpie/apic_keyboard.zip