http://www.rootkit.com/newsread.php?newsid=782

Limit trap - Keyboard Interrupt Hook
By: chpie

The x86 architecture raises a #General Protection fault (#GP) whenever an interrupt vector lies beyond the limit held in IDTR. So by swapping our handler in for the #GP handler, we can monitor every interrupt on the system: a bottleneck is created in which every interrupt passes through our own code. :) The essential point is that this includes the keyboard interrupt.

- Sequence -
1. Hook #GP (vector 0xD) to our handler
2. cli
3. sidt
4. Modify the limit to 0xFF // only vectors 0 to 31 are allowed.
   // If they are not, a Double Fault may be raised,
   // and #DF causing #DF is a dead-lock.
5. lidt
6. sti
7. Have fun.

Source and binaries are in my vault: http://www.rootkit.com/vault/chpie/x86_LimitTrap.zip

ps. A KOREAN keyboard hooking forum is available: http://cafe.naver.com/inphook.cafe
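The sequence above leaves one architectural footprint a defender can check for: on 32-bit x86 a full IDT holds 256 eight-byte gates, so a healthy IDTR limit is 0x7FF, and any smaller limit means hardware-interrupt vectors above the cut-off are being diverted into #GP. The following check is an added example, not code from chpie's post or the x86_LimitTrap archive; it parses a 6-byte IDTR image as SIDT stores it, reports the highest vector the IDT can still dispatch, and flags a truncated limit. The two IDTR images in main() are constructed sample data (the base address is made up), and the optional live SIDT read is gated behind a LIMIT_TRAP_LIVE macro because it assumes a 32-bit build on a CPU/OS that lets ring 3 execute SIDT.

```c
#include <stdint.h>
#include <stdio.h>

/* Image of the 32-bit IDTR exactly as SIDT stores it: 16-bit limit, 32-bit base. */
#pragma pack(push, 1)
typedef struct {
    uint16_t limit;   /* byte offset of the last valid byte of the IDT */
    uint32_t base;    /* linear address of the IDT */
} idtr32_t;
#pragma pack(pop)

#define IDT_ENTRY_SIZE  8u
#define IDT_FULL_LIMIT  0x7FFu   /* 256 vectors * 8 bytes - 1 (architectural) */

/* Highest vector the IDT can dispatch without raising #GP under this limit. */
int idt_highest_vector(uint16_t limit)
{
    return (int)(((unsigned)limit + 1u) / IDT_ENTRY_SIZE) - 1;
}

/* 1 if delivering `vector` would fault into #GP because its gate lies past the limit. */
int idt_vector_trapped(uint16_t limit, unsigned vector)
{
    return (vector * IDT_ENTRY_SIZE + (IDT_ENTRY_SIZE - 1u)) > limit;
}

/* Decode the raw little-endian 6 bytes written by SIDT. */
idtr32_t idtr32_from_bytes(const uint8_t raw[6])
{
    idtr32_t r;
    r.limit = (uint16_t)(raw[0] | (raw[1] << 8));
    r.base  = (uint32_t)raw[2] | ((uint32_t)raw[3] << 8) |
              ((uint32_t)raw[4] << 16) | ((uint32_t)raw[5] << 24);
    return r;
}

/* 1 if the limit no longer covers the full 256-entry IDT (limit-trap candidate). */
int idtr_is_truncated(const idtr32_t *r)
{
    return r->limit < IDT_FULL_LIMIT;
}

#ifdef LIMIT_TRAP_LIVE
/* Assumption: 32-bit x86 build, and SIDT is executable from ring 3
 * (UMIP, where enabled, faults or returns a dummy value instead). */
idtr32_t idtr32_read_live(void)
{
    idtr32_t r;
    __asm__ volatile("sidt %0" : "=m"(r));
    return r;
}
#endif

/* Print a verdict for one IDTR image; returns idtr_is_truncated() for the caller. */
int report_idtr(const char *label, const idtr32_t *r)
{
    int truncated = idtr_is_truncated(r);
    printf("%s: base=0x%08x limit=0x%04x highest vector=%d -> %s\n",
           label, r->base, r->limit, idt_highest_vector(r->limit),
           truncated ? "TRUNCATED, hardware vectors fault into #GP" : "ok");
    return truncated;
}

int main(void)
{
    /* Constructed samples: a healthy IDTR and one with the 0xFF limit from the post. */
    const uint8_t healthy[6] = { 0xFF, 0x07, 0x00, 0x10, 0x40, 0x80 };
    const uint8_t trapped[6] = { 0xFF, 0x00, 0x00, 0x10, 0x40, 0x80 };
    idtr32_t h = idtr32_from_bytes(healthy);
    idtr32_t t = idtr32_from_bytes(trapped);

    report_idtr("healthy", &h);
    report_idtr("trapped", &t);
    /* 0x21 stands in for any hardware-interrupt vector outside the 0..31 exception range. */
    printf("vector 0x21 trapped under limit 0x%04x: %s\n", t.limit,
           idt_vector_trapped(t.limit, 0x21) ? "yes" : "no");
    return 0;
}
```

Running the sample prints "ok" for the 0x7FF image and a truncation verdict for the 0xFF image, with the highest dispatchable vector dropping from 255 to 31, which matches the post's "only 0 to 31 are allowed". On a real system the same decoder is fed the IDTR from kernel mode (or from a memory image), and an unexpected limit is the signal to inspect the #GP gate.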