
I've read that in some XP systems the keyboard interrupt is located at 0x31 in the IDT, but the only way to know for sure is parsing hal.dll to see what vector is tied to IRQ 1. I've been searching the internet for more information about this and I've found this function:

ULONG HalGetInterruptVector(IN INTERFACE_TYPE  InterfaceType,
    IN ULONG  BusNumber,
    IN ULONG  BusInterruptLevel,
    IN ULONG  BusInterruptVector,
    OUT PKIRQL  Irql,
    OUT PKAFFINITY  Affinity
);

But it says that function is obsolete. Does anyone know another way to get the interrupt vector tied to IRQ 1?

Thanks guys!

Alexey Frunze
Luis Rossell
  • Because I'm reading the book "Rootkits: Subverting the Windows Kernel" by Greg Hoglund, and there's an example, but it doesn't explain how to get the vector. – Luis Rossell Mar 13 '12 at 20:34
  • Ok, I'm answering myself. I found this article, which explains how to locate the interrupt. I put the code here; maybe someone is interested. The article is located at: http://www.eeye.com/eEyeDigitalSecurity/media/ResearchPapers/StepIntoTheRing.pdf?ext=.pdf – Luis Rossell Mar 13 '12 at 21:08
  • @LuisRossell the page is not found; can you update it or write your solution, please? – 3zcs Dec 19 '19 at 08:41

0 Answers