Interrupts
Interrupts are a crucial part of any computational system. All external hardware must
communicate with the CPU to initiate input and output operations. A subversive program may
want to sniff or alter these input/output operations. This may be useful for providing stealth,
• Table of Contents
setting up covert channels, or simply eavesdropping on a conversation.
•Index
Exploiting Software How to Break Code
IntelByGr g HoglundInterrupt,Gary McGrawRequest (IRQ) Architecture
Publisher: Addison Wesley
On a typical Intel or look-alike motherboard, the IRQ for the keyboard controller chip is IRQ 1
(therePub Date:are aFebrutotalryof17,162004IRQs). IRQ means interrupt request. Older systems allow the user to
set theISBN:IRQ0number-201-78695for-8 peripherals manually. Systems that use Plug n Play configure this
informationP ges: 512manually as well. Here is a table of IRQs (available from http://webopedia.com):
IRQ 0 System timer
This interrupt is reserved for the internal system timer. It is never How does software break? How do attackers make software break on purpose? Why are
available to peripherals or other devices.
firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? |
|
What tools can be used to break software? This book provides the answers. |
|
IRQ 1 |
Keyboard |
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and This interrupt is reserved for the keyboard controller. Even on
techniques used by bad guys to |
software. If you want to protect your software from |
|
|
devices withoutbreakkeyboard, this interrupt is exclusively for |
|
attack, you must first le n how real attacks are really carried out. |
||
|
keyboard input. |
|
IRQ 2 |
Cascade interrupt for IRQs 8–15 |
|
This must-have book may shock you—and it will certainly educate you.Getting beyond the |
||
script kiddie treatment found in many hacking books, you will learn about |
||
|
This interrupt cascades the second interrupt controller to the first. |
|
IRQ 3 |
Second serial port (COM2) |
|
Why software exploit will continue to be a serious problem
The interrupt for the second serial port and often the default 
When network security mechanisms do not work
interrupt for the fourth serial port (COM4).
Attack patterns
First serial port (COM1)
IRQ 4
Reverse engineering
This interrupt is normally used for the first serial port. On devices
that do not use a PS/2 mouse, this interrupt is almost always used 
Classic attacks against server software
by the serial mouse. This is also the default interrupt for the third
serial port (COM3). Surprising attacks against client software
IRQ 5 Sound card
Techniques for crafting malicious input
This interrupt is the first choice that most sound cards make when
The technical details of buffer overflows looking for an IRQ setting.
Rootkits |
Floppy disk controller |
IRQ 6 |
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break This interrupt is reserved for the floppy disk controller.
software. |
First parallel port |
IRQ 7 |
This interrupt is normally reserved for the use of the printer. If a
printer is not being used, this interrupt can be used for other
devices that use parallel ports.
Why softwareanotherexploitpurposewill continue. to be a serious problem
Reverse engineering
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
Rootkits
How does software break? How do attackers make software break on purpose? Why are
The Mystery of the Programmable Interrupt Controller (PIC)
firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?
What tools can be used to break software? This book provides the answers.
If you have ever worked with interrupt hooks, you will realize that the IRQ numbers assigned
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and to hardware do not directly map to the interrupt descriptor table. For example, the IRQ for
techniques used by bad guys to break software. If you want to protect your software from the keyboard hardware is IRQ 1. But, interrupt 1 is not the keyboard! How can this be?
attack, you must first learn how real attacks are really carried out.
Clearly there is a translation occurring between the hardware IRQs and the interrupt vectors
stored in the interrupt descriptor table. The secret lies in the PIC. On most motherboards this
This must-have book may shock you—and it will certainly educate you.Getting beyond the will be an Intel 8259 or compatible chip. The 8259 can be programmed to map the IRQ
script kiddie treatment found in many hacking books, you will learn about
numbers to software interrupts. This means the hard-wired IRQ lines enter one side of the 8259, and a single interrupt line comes out the other side. The 8259 handles the conversion
to a software interrupt and informs the CPU that a given software interrupt has occurred. 
Why software exploit will continue to be a serious problem
There are typically 16 hardware interrupt lines handled by the 8259. By default, most BIOS
When network security mechanisms do not work
software will program the 8259 on boot to map IRQs 0–7 to software interrupts 8–15. Thus,
IRQ 1 for the keyboard is handled as interrupt 8. Thus the mystery of IRQ to interrupt is Attack patterns
solved.
Reverse engineering
Under Windows NT/2000/XP you will find that the old int-9 hook doesn't work for the
keyboard. The reason is that the 8259 has been reprogrammed by Windows to map IRQ Classic attacks against server software
0–15 to software interrupts 0x30–0x3F. Thus, to hook the keyboard interrupt under Windows you needSurprisingto hookattacksinterruptagainst0x31client. A secondftwaremystery solved.
You can,Techniquesof course,forreprogramcrafting maliciousthe 8259inputyourself. We now present some additional stealth tricks for a rootkit driver. The following code snippet illustrates reprogramming the 8259 so that IRQThe0technical–7 are mappeddetails toof buffersoftwareoverflowsinterrupts 20h–27h:
Rootkits
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
software.
•Table of Contents
•Index
Exploiting Software How to Break Code
ByGreg Hoglund,Gary McGraw
Publisher: Addison Wesley
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
Pages: 512
mov |
al, 11h |
Howout does20h,softwareal break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? Whatout toolsA0h,canalbe used to break software? This book provides the answers.
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and |
||
mov |
al, 20h |
; starting interrupt number 20h |
techniques used by bad guys to break software. If you want to protect your software from |
||
attack, you must first learn how real attacks are really carried out. |
||
out |
21h, al |
; 21h for IRQ 0-7 |
This must-have book may shock you—and it will certainly educate you.Getting beyond the mov al, 28h ; starting interrupt number 28h
script kiddie treatment found in many hacking books, you will learn about
out |
A1h, al |
; A1h for IRQ 8-15 |
mov |
Why software exploit will continue to be a serious problem |
|
al, 04h |
|
|
out |
When network security mechanisms do not work |
|
21h, al |
|
|
mov |
Attack patterns |
|
al, 02h |
|
|
out |
Reverse engineering |
|
A1h, al |
|
|
mov |
Classic attacks against server software |
|
al, 01h |
|
|
|
Surprising attacks against client software |
|
out |
21h, al |
|
|
Techniques for crafting malicious input |
|
out |
A1h, al |
|
|
The technical details of buffer overflows |
|
Rootkits
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
software.