[转载]Keyboard Interrupt Hook using I/O APIC

bini

Keyboard Interrupt Hook using I/O APIC(ZT)

Keyboard Interrupt Hook using I/O APIC

6 r4 X+ y7 Z6 q8 e! w$ ~2 a+ WBy: chpie
Keyboard Interrupt Hooking by manipulating the I/O APIC
; C  O$ `3 U/ m4 M: f$ ~8 o: }tested on the winXP, Pentium D Hyper-threading Enabled.


Summary :: Using the 8259a compatible PIC to be deliver the interrupt
8 g. v; J6 Q0 J1 bsignal by Delivery mode of the I/O APIC to be the ExtINT,
the interrupt related by the IRQ 1 able to be not refer
1 J1 H/ l, I) J7 x$ ~; ithe I/O APIC's Redirection Table.
$ e% W1 B" L4 H) }% V7 ?
2 d: s! f" E5 v- It is higher priority of the hooking than the direct
8 G1 d- V# R& W! ]: qmodification of the I/O APIC's vector.
' z5 e  v1 @6 n' V3 S9 e5 d- The vector can be hidden on the thread getting the keyboard
vector from the I/O APIC.

Flow ::

& d" V  E/ Y  N0 I0 E1. IRQ 1 Assert !!!
/ D4 x) e% f" y2. The I/O APIC receives the signal and refers the I/O Redirection table.
3. Sending the signal from the destination Local APIC.
, f! d3 d6 v; y1 @6 @3 h8 _4. Local APIC pass the signal to the processor for its delivery mode ExtINT
5. A processor receives the signal.
1 l. `4 S  Z/ s( O, n# o* k6. The processor Assert the INTA signal.
7. The I/O APIC acknowledged.
8. The processor Assert the second INTA signal.
0 M! ]. d/ w6 {: ]9. The I/O APIC delivers the signal to the 8259a compatible PIC
for ExtINT to its Delivery mode.
0 T5 L) u4 D) N! f  h8 T10. 8259a compatible PIC sends 2 bytes after second INTA pulse.
11. The processor execute 2 bytes sended.
( m' r) r) s* K- o9 q8 H- \12. our interrupt handler executed.
7 ~9 v0 q$ n" @7 }  I  T/ w- L; A
4 i/ T4 P1 k' j2 P6 {4 W! W+ T
- x  k) R6 _& m1 r( rsourcecode and binary are available on the
! L( v$ C& t2 Phttp://www.rootkit.com/vault/chpie/apic_keyboard.zip