Keyboard Interrupt Hook safely using KINTERRUPT
Keyboard Interrupt Hook safely using KINTERRUPT
By: chpie
http://www.rootkit.com/newsread.php?newsid=561
[ Keyboard Interrupt Hook safely using KINTERRUPT ]
Date : Sun. 2006. 9. 3
Author : chpie (chpie@naver.com, chpie.org(not-support English page))
- Tracking Keyboard Interrupt Object using i8042prt Device Object -
Tested on : WindowsXP SP2 i386
% before read this text, i apologize for my English skill. :(
Some people used IDT hook to tracking keyboard's KINTERRUPT,
but this text shows that tracking keyboard's KINTERRUPT without IDT hook.
DDK Sample shows that i8042prt.sys has an ISR for dispatching Keyboard Interrupt.
And more, It has backup of KINTERRUPT in the i8042prt's DeviceExtension.
How was i get the DeviceObject Pointer of i8042prt ?
You can use IoGetDeviceObjectPointer() function to get a pointer the device object. IoGetDeviceObjectPointer() returns Top of stack related for arguments. Using /Device/KeyboardClass0 DeviceName, i've got the successful return value.
Is return value Pointer of i8042prt's DeviceObject? no, uncertainty.
It just a pointer Top of i8042prt's DeviceStack.
Let's tracking lower-level Object.
Tracking lower-level Object is undocumented, but here is solution.
lkd> !drvobj kbdclass
Driver object (82e12130) is for:
DriverKbdclass
Driver Extension List: (id , addr)
Device Object list:
82c6fb08 82d97600 <- /Device/KeyboardClass1, /Device/KeyboardClass0
lkd> !devobj 82d97600
Device object (82d97600) is for:
KeyboardClass0 DriverKbdclass DriverObject 82e12130
Current Irp 00000000 RefCount 1 Type 0000000b Flags 00002044
Dacl e101d164 DevExt 82d976b8 DevObjExt 82d97798
ExtensionFlags (0000000000)
AttachedTo (Lower) 82d977e8 Driveri8042prt <- here.
Device queue is not busy.
lkd> !devobj 82d977e8
Device object (82d977e8) is for:
Driveri8042prt DriverObject 82e119d0
Current Irp 00000000 RefCount 0 Type 00000027 Flags 00002004
DevExt 82d978a0 DevObjExt 82d97b30
ExtensionFlags (0000000000)
AttachedDevice (Upper) 82d97600 DriverKbdclass
AttachedTo (Lower) 82fa1900 DriverACPI
Device queue is not busy.
lkd> dt _DEVICE_OBJECT
+0x000 Type : Int2B
+0x002 Size : Uint2B
+0x004 ReferenceCount : Int4B
+0x008 DriverObject : Ptr32 _DRIVER_OBJECT <- owner of this device object
+0x00c NextDevice : Ptr32 _DEVICE_OBJECT <- Upper-level Object
+0x010 AttachedDevice : Ptr32 _DEVICE_OBJECT <- Not this !!!
+0x014 CurrentIrp : Ptr32 _IRP
+0x018 Timer : Ptr32 _IO_TIMER
+0x01c Flags : Uint4B
+0x020 Characteristics : Uint4B
+0x024 Vpb : Ptr32 _VPB
+0x028 DeviceExtension : Ptr32 Void
+0x02c DeviceType : Uint4B
+0x030 StackSize : Char
+0x034 Queue : __unnamed
+0x05c AlignmentRequirement : Uint4B
+0x060 DeviceQueue : _KDEVICE_QUEUE
+0x074 Dpc : _KDPC
+0x094 ActiveThreadCount : Uint4B
+0x098 SecurityDescriptor : Ptr32 Void
+0x09c DeviceLock : _KEVENT
+0x0ac SectorSize : Uint2B
+0x0ae Spare1 : Uint2B
+0x0b0 DeviceObjectExtension : Ptr32 _DEVOBJ_EXTENSION <- lower-level Object's Pointer in here.
+0x0b4 Reserved : Ptr32 Void
lkd> dt _DEVOBJ_EXTENSION
+0x000 Type : Int2B
+0x002 Size : Uint2B
+0x004 DeviceObject : Ptr32 _DEVICE_OBJECT <- this device object
+0x008 PowerFlags : Uint4B
+0x00c Dope : Ptr32 _DEVICE_OBJECT_POWER_EXTENSION
+0x010 ExtensionFlags : Uint4B
+0x014 DeviceNode : Ptr32 Void
+0x018 AttachedTo : Ptr32 _DEVICE_OBJECT <- !! It points Lower-level Device Object in
the Stack!
+0x01c StartIoCount : Int4B
+0x020 StartIoKey : Int4B
+0x024 StartIoFlags : Uint4B
+0x028 Vpb : Ptr32 _VPB
First, Get Topstack DeviceObject using IoGetDeviceObjectPointer.
And Scan-down using AttachedTo field in the _DEVOBJ_EXTENSION.
but How am i know current Pointer is i8042prt or not?
i8042prt's DeviceObject->Type field is FILE_DEVICE_8042_PORT ServiceRoutine;
KeyboardInterruptObject->ServiceRoutine = NewKeyboardHandler;
void NewKeyboardHandler(void)
{
..
some processing what you want.. (ex. read 0x60 port)
..
_asm jmp dword ptr [BackupHandler]
}
That's all about Keyboard Interrupt Hook safely using KINTERRUPT.
Have fun!
