flat assembler
Message board for the users of flat assembler.

Index > Windows > Hook keyboard interrupt

bcdsys



Joined: 04 Aug 2008
Posts: 41
bcdsys
I want to hook the kbd interrupt. What is the vector for it on Windows NT? Is it the same for all versions 2000/XP/2003/Vista, or does it change? Also, is the IDT descriptor type task gate/interrupt gate/trap gate?
Post 05 Oct 2008, 20:28
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17667
Location: In your JS exploiting you and your system
revolution
The interrupt vector is related to the hardware priority from the PIC. You can search all the related structures to find where it goes. The IDT is easily decoded.

And, yes, it might be the same for all versions, but just the same, it might also be different on all versions. It might also change at any time during the next patch Tuesday. Basically you can't guarantee anything since the kernel is not publicly documented.

If you get stuck with anything check out my website for the IDT structure and the hardware interrupt layout.
Post 05 Oct 2008, 23:40
bcdsys



Joined: 04 Aug 2008
Posts: 41
bcdsys
I know the IDT format and have the Intel manuals, I just can't find info about the kbd IRQ vector. Is there a way to get the vector from the PIC or from the kernel, if so how? I searched Google/AltaVista for info but could not find an answer.
Post 06 Oct 2008, 03:13
DOS386



Joined: 08 Dec 2006
Posts: 1901
DOS386
bcdsys wrote:
want to hook the kbd interrupt. What is the vector for it on Windows NT? Is it the same for all versions 2000/XP/2003/Vista, or does it change? Also, is the IDT descriptor type task gate/interrupt gate/trap gate?


How do you intrude into Ring0 ? Laughing When you have it you can read the IDT ...

Quote:
get the vector from the PIC or from the kernel, if so how?


PIC base ... Confused
Post 06 Oct 2008, 06:08
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid
You need to read it from the PIC; it is usually remapped to some "higher" interrupt (due to the higher 4 bits of the interrupt also working as the priority level for it).
Post 06 Oct 2008, 09:46
bcdsys



Joined: 04 Aug 2008
Posts: 41
bcdsys
How do I read the value from the PIC? I checked Google, I know port 0x20 is PIC1 with IRQ1 (keyboard), but what do I read/write to the port to get the value?
Post 08 Oct 2008, 03:18
bcdsys



Joined: 04 Aug 2008
Posts: 41
bcdsys
bump
Can someone please tell me how to read the int vector from the PIC?
Post 09 Oct 2008, 21:51
bcdsys



Joined: 04 Aug 2008
Posts: 41
bcdsys
Found a solution to the problem. HalGetInterruptVector gets the int vector for an IRQ.
Code:
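push 0 ;scratch dword on the stack for the two output values
mov eax, esp ;eax = pointer to the scratch dword
push eax ;Affinity (output pointer)
push eax ;Irql (output pointer, shares the scratch dword)
push 1 ;BusInterruptVector = IRQ
push 1 ;BusInterruptLevel = IRQ
push 0 ;BusNumber
push 1 ;InterfaceType = Isa
call [HalGetInterruptVector] ;get vector of IRQ 1
add esp, 4 ;discard the scratch dword
and eax, 0xFF ;fix vector returned by HalGetInterruptVector
push eax ;vector to print
push msg_disp_ptr ;format string
call [DbgPrint]
add esp, 8 ;DbgPrint is cdecl, caller removes its two arguments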
    

Returns 0x31 on a Win2k system.
The and eax, 0xFF is needed for the correct vector, found on the internet.
I know 0x31 is the vector and not an error code, because the IRQ 3 test returns 0x33.
Post 11 Oct 2008, 00:04
bcdsys



Joined: 04 Aug 2008
Posts: 41
bcdsys
I have successfully hooked the kbd interrupt, made a counter count the number of key ints and display it at driver unload, and found it correctly counts ints. I know fasm kbd->ascii code exists on the fasm board, will incorporate it in a future version. One question: does AV scan for changes to the IDT?
Post 11 Oct 2008, 00:55
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17667
Location: In your JS exploiting you and your system
revolution
bcdsys wrote:
One question: does AV scan for changes to the IDT?
I expect so. You will need to manually tell your AV that your program is safe and to ignore it. But why are you asking unless you intend to do this on unknown systems other than those under your own control? Hmm... danger Will Robinson, danger, my malware detectors are tingling.
Post 11 Oct 2008, 01:04
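One way a scanner can detect the IDT changes asked about above, as an added example that is not code from this thread: decode the 8-byte 32-bit gate descriptors and diff a current snapshot against a known-good baseline. The snapshot bytes and handler addresses are constructed sample data, the function names are hypothetical, and vector 0x31 is the value reported earlier in the thread for IRQ 1 on Windows 2000.

```c
#include <stdint.h>
#include <stdio.h>
/* Decoded 32-bit protected-mode IDT gate descriptor (8 bytes in memory). */
typedef struct {
    uint32_t offset;   /* handler entry point (unused for task gates) */
    uint16_t selector; /* code segment selector, or TSS selector for a task gate */
    uint8_t type, dpl, present; /* type: 0x5 task, 0xE interrupt, 0xF trap gate */
} idt_gate;

idt_gate decode_gate(const uint8_t d[8]) {
    idt_gate g;
    g.offset = (uint32_t)d[0] | ((uint32_t)d[1] << 8) |
               ((uint32_t)d[6] << 16) | ((uint32_t)d[7] << 24);
    g.selector = (uint16_t)(d[2] | (d[3] << 8));
    g.type = d[5] & 0x0F;        /* low nibble of the access byte */
    g.dpl = (d[5] >> 5) & 0x03;
    g.present = d[5] >> 7;
    return g;
}

/* Records vectors whose decoded fields differ (reserved byte 4 ignored); returns count. */
size_t diff_idt(const uint8_t (*base)[8], const uint8_t (*cur)[8], size_t n,
                uint8_t first_vec, uint8_t *changed, size_t cap) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        idt_gate a = decode_gate(base[i]), b = decode_gate(cur[i]);
        if (a.offset != b.offset || a.selector != b.selector ||
            a.type != b.type || a.dpl != b.dpl || a.present != b.present) {
            if (hits < cap) changed[hits] = (uint8_t)(first_vec + i);
            hits++;
        }
    }
    return hits;
}

/* Constructed snapshots of vectors 0x30..0x33; all addresses are made up. */
static const uint8_t BASELINE[4][8] = {
    {0x34,0x12,0x08,0,0,0x8E,0x46,0x80}, {0x10,0x5A,0x08,0,0,0x8E,0x46,0x80},
    {0},                                 {0x88,0x77,0x08,0,0,0x8E,0x46,0x80}};
static const uint8_t CURRENT[4][8] = {
    {0x34,0x12,0x08,0,0,0x8E,0x46,0x80}, {0x10,0xC0,0x08,0,0,0x8E,0xA3,0xF8},
    {0},                                 {0x88,0x77,0x08,0,0,0x8E,0x46,0x80}};

int main(void) {
    uint8_t changed[4];
    size_t n = diff_idt(BASELINE, CURRENT, 4, 0x30, changed, 4);
    for (size_t i = 0; i < n; i++) printf("IDT vector 0x%02X changed\n", changed[i]);
    return n != 0;
}
```

The type nibble decoded here is also what distinguishes a task gate, interrupt gate and trap gate, the descriptor-type question from the first post.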
bitRAKE



Joined: 21 Jul 2003
Posts: 3045
Location: vpcmipstrm
bitRAKE
I use a USB keyboard - will your useful application also work for me?

_________________
¯\(°_o)/¯ unlicense.org
Post 11 Oct 2008, 01:16

Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.
