A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #15930  by _Lynn
 Tue Oct 09, 2012 2:01 pm
this is on a windows 7 system. obvious we using apic here and not 8259 PIC. can confirm this by checking port 0xa1.

questions here are:

-how are these retrieved.
-are they valid?

IRQ0 would obviously conflict with trap exception for intel's int 0, unless possible to remap the vector offset with an apic as it is possible with PIC?

thanks. sorry - my english is rough still.

Image
Attachments
Untitled.png
Untitled.png (54.3 KiB) Viewed 629 times
 #15939  by SomeUnusedName
 Wed Oct 10, 2012 2:49 pm
I'm not sure I understand your problem, but hardware interrupts != software interrupts, read: IRQ0 != int 0 so they don't really conflict.

Edit:

I was curious myself, this might help: http://www.osdever.net/tutorials/irqs.php Look at the table there.
IRQs don't equal interrupts. The (A)PIC is responsible for reading the IRQs and telling the CPU what interrupt that
equals to. You can for example see that IRQ0 would trigger an int 8 in this table.

In general, you will notice the table there doesn't use any interrupt < 8, so no conflict with int 3 (0xCC) for example either.

Edit2:

I actually would like to know more as well. It seems like I don't know enough to properly Google for it. How can I lookup the IRQ->Interrupt table? Is it fixed? I'd say no because it's an "Advanced _Programmable_ Interrupt Controller" so I guess it's not fixed. Could anyone shed some light on the whole thing?
 #15951  by _Lynn
 Thu Oct 11, 2012 12:20 pm
you see that where i got lost too hehe. :D im just so shitty english i have a hard time explain lol.

This is why the 80259 PIC provided a method of setting the vector offset, because it conflict with Intel interrupts 0-0xf which are reserved which they admit is IBM design mistake. so common method using port i/o is to set a new vector offset somewhere higher for instance 0x70

only problem i don't see is how to do this with local APIC, unless must be done with PIC? i understand this isn't osdev however would like to know how msinfo32 retrieves this info.
 #15956  by Vrtule
 Thu Oct 11, 2012 9:23 pm
Hello,

If I remember correctly, interrupts can be remapped. Some communication with APIC is required (I think it is I/O port 0x20 or 0x21). I seen a code doing this thing inside either Exploting Software book (Hoglund, ...), or Rootkits: Subverting the Windows Kernel book (Hoglund, Butler).

I suppose the IRQ-Interrupt table is sotred inside (local?) APIC and is cached somewhere by the operating system.
 #16234  by everdox
 Tue Oct 23, 2012 6:08 pm
Vrtule wrote:Hello,

If I remember correctly, interrupts can be remapped. Some communication with APIC is required (I think it is I/O port 0x20 or 0x21). I seen a code doing this thing inside either Exploting Software book (Hoglund, ...), or Rootkits: Subverting the Windows Kernel book (Hoglund, Butler).

I suppose the IRQ-Interrupt table is sotred inside (local?) APIC and is cached somewhere by the operating system.

ports 0x20-21 are only for the legacy PIC. i doubt his machine is that old so who knows.

but anyways OP, your answer is to parse the MP tables. Get yourself a copy of the Multi-processor specification 1.4 from intel.