Interrupt Descriptor Table - IDT

At a Glance
Interrupts could be thought of as notifications to the CPU that tells it that some event happened on the system. Classic examples of interrupts are hardware interrupts such as mouse button or keyboard key presses, network packet activity and hardware generated exceptions such as a division by zero or a breakpoint - interrupts 0x00 and 0x03 respectively
Once the CPU gets interrupted, it stops doing what it was doing and responds to the new interrupt 
CPU knows how to respond and what kernel routines to execute for the newly received interrupt by looking up Interrupt Service Routines (ISR) that are found in the Interrupt Descriptor Table (IDT)
IDT is a list of IDT descriptor entries which are 8 or 16 bytes in size depending on the architecture 
Pointer to IDT is stored in an IDTR register for each physical processor or in other words, each processor has its own IDTR register pointing to its own Interrupt Descriptor Table
Offsets across different screenshots and windbg output may differ due to the fact that I rebooted the debugee a couple of times during the time these notes were taken.
The notes are based on debugging a kernel of a 64 bit Windows, running in a VM with 1 CPU.
IDT Location
We can check where the Interrupt Descriptor Table is located in kernel by reading the register IDTR:
r idtr
As noted later, the command !idt allows us to dump the Interrupt Descriptor Table contents and it also confirms that the IDT is located at fffff803`536dda00 as shown below:
idtr register contains the same value seen when dumping IDT with !idt
Dumping IDT
We can dump the IDT and see addresses of Interrupt Service Routines for a given interrupt. Below is a snippet of the Interrupt Descriptor Table:
kd> !idt
​
Dumping IDT: fffff80091456000
​
00:	fffff8008f37e100 nt!KiDivideErrorFaultShadow
01:	fffff8008f37e180 nt!KiDebugTrapOrFaultShadow	Stack = 0xFFFFF8009145A9E0
02:	fffff8008f37e200 nt!KiNmiInterruptShadow	Stack = 0xFFFFF8009145A7E0
03:	fffff8008f37e280 nt!KiBreakpointTrapShadow
...
90:	fffff8008f37f680 i8042prt!I8042MouseInterruptService (KINTERRUPT ffffd4816353e8c0)
a0:	fffff8008f37f700 i8042prt!I8042KeyboardInterruptService (KINTERRUPT ffffd4816353ea00)
...
Below shows the IDT dumping and ISR code execution in action:
IDT table is dumped with !idt
IRS entry point for the interrupt a0 is located at fffff8008f37f700
This is the routine that gets executed first inside the kernel when a keyboard event such as a keypress is registered on the OS 
Eventually, the routine i8042prt!I8042KeyboardInterruptService (inside the actual keyboard driver) is hit once the code at fffff8008f37f700 is finished
Putting a breakpoint on 
i8042prt!I8042KeyboardInterruptService
Once the breakpoint is set, a key is pressed on the OS login prompt and our breakpoint is hit, confirming that 
i8042prt!I8042KeyboardInterruptService indeed handles keyboard interrupts
Below is a heavily simplified diagram illustrating all of the above events taking place:
the keyboard interrupt 0xa0 occurs
IDT table using index 0x0a is looked up (IDT address + 0xa0 * 0x10) and the ISR Entry Point is resolved and code jumps to it
after some hoops, the code is eventually redirected to the keyboard driver where the interrupt gets handled in i8042prt!I8042KeyboardInterruptService
IDT Entry
IDT is made up of IDT entries _KIDTENTRY64 which is a kernel memory structure and is defined like so:
kd> dt nt!_KIDTENTRY64
   +0x000 OffsetLow        : Uint2B
   +0x002 Selector         : Uint2B
   +0x004 IstIndex         : Pos 0, 3 Bits
   +0x004 Reserved0        : Pos 3, 5 Bits
   +0x004 Type             : Pos 8, 5 Bits
   +0x004 Dpl              : Pos 13, 2 Bits
   +0x004 Present          : Pos 15, 1 Bit
   +0x006 OffsetMiddle     : Uint2B
   +0x008 OffsetHigh       : Uint4B
   +0x00c Reserved1        : Uint4B
   +0x000 Alignment        : Uint8B
Members OffsetLow, OffsetMiddle and OffsetHigh at offsets 0x000, 0x006 and 0x008 make up the virtual address in the kernel and it's where the code execution will be transferred to by the CPU once that particular interrupt takes place - in other words - this is the Interrupt Service Routine's (ISR) entry point.
IDT Entry for the Keyboard Interrupt 0xa0
As an example, let's inspect the IDT entry for the keyboard interrupt which is located at index a0 in the IDT table as discovered earlier:
!idt a0
From earlier, we also know that the IDT resides at fffff803536dd000:
kd> r idtr
idtr=fffff803536dd000
We can get the location of the a0 IDT entry by adding 0xa0*0x10 (interrupt index a0 times 0x10 since a descriptor entry is 16 bytes in size) to the IDT table address fffff803536dd000, which gives us fffff803`536dda00:
kd> dq idtr + (0xa0*0x10) L2
fffff803`536dda00  51568e00`0010e700 00000000`fffff803
With the above information, we can overlay the a0 interrupt descriptor entry with _KIDTENTRY64 and inspect a0 IDT entry's content:
kd> dt _kidtentry64 (idtr + (0xa0*0x10))
ntdll!_KIDTENTRY64
   +0x000 OffsetLow        : 0xe700
   +0x002 Selector         : 0x10
   +0x004 IstIndex         : 0y000
   +0x004 Reserved0        : 0y00000 (0)
   +0x004 Type             : 0y01110 (0xe)
   +0x004 Dpl              : 0y00
   +0x004 Present          : 0y1
   +0x006 OffsetMiddle     : 0x5156
   +0x008 OffsetHigh       : 0xfffff803
   +0x00c Reserved1        : 0
   +0x000 Alignment        : 0x51568e00`0010e700
ISR for the Keyboard Interrupt a0
Based on the above IDT entry for the keyboard interrupt, the below re-enforces that the combination of Offset(High|Middle|Low) form the virtual address of the Interrupt Service Routine (ISR) entry point - the code that will be executed when a0 interrupt is triggered by the keyboard:
Below shows the instructions at fffff803`5156e700 (ISR entry point) to be executed by the CPU once interrupt a0 is triggered:
FFFFFFFFFFFFFFA0 will be pushed on the stack 
jump to fffff803`5156ea40 will happen
...and eventually, the i8042prt!I8042KeyboardInterruptService will be hit and below confirms it - firstly, the breakpoint is hit for fffff803`5156e700 and i8042prt!I8042KeyboardInterruptService is hit immediately after:
_KINTERRUPT
_KINTERRUPT is a kernel memory structure that holds information about an interrupt. The key member of this structure for this lab is the member located at offset 0x18 - it's a pointer to the ServiceRoutine - the routine (inside the associated driver) that is responsible for actually handling the interrupt:
dt nt!_KINTERRUPT
   +0x000 Type             : Int2B
   +0x002 Size             : Int2B
   +0x008 InterruptListEntry : _LIST_ENTRY
   +0x018 ServiceRoutine   : Ptr64     unsigned char 
   ...
   +0x0f8 Padding          : [8] UChar
As an example - from earlier, we know that the ISR for keyboard interrupts is located at ffffd4816353ea00, therefore we can inspect the _KINTERRUPT structure of that our interrupt by overlaying it with memory contents at ffffd4816353ea00:
dt nt!_KINTERRUPT ffffd4816353ea00
This allows us to confirm that the ServiceRoutine is again pointing correctly to i8042prt!I8042KeyboardInterruptService inside the keyboard driver: 
Finding _KINTERRUPT
In order to manually find the location of _KINTERRUPT for a given interrupt, we need to leverage the following memory locations and structures.
Process Control Region or PCR (_KPCR memory structure in kernel) stores information about a given processor:
kd> dt _KPCR
ntdll!_KPCR
   +0x000 NtTib            : _NT_TIB
   +0x000 GdtBase          : Ptr64 _KGDTENTRY64
   +0x008 TssBase          : Ptr64 _KTSS64
   +0x010 UserRsp          : Uint8B
   +0x018 Self             : Ptr64 _KPCR
   +0x020 CurrentPrcb      : Ptr64 _KPRCB
   +0x028 LockArray        : Ptr64 _KSPIN_LOCK_QUEUE
   +0x030 Used_Self        : Ptr64 Void
   +0x038 IdtBase          : Ptr64 _KIDTENTRY64
   +0x040 Unused           : [2] Uint8B
   +0x050 Irql             : UChar
   +0x051 SecondLevelCacheAssociativity : UChar
   +0x052 ObsoleteNumber   : UChar
   +0x053 Fill0            : UChar
   +0x054 Unused0          : [3] Uint4B
   +0x060 MajorVersion     : Uint2B
   +0x062 MinorVersion     : Uint2B
   +0x064 StallScaleFactor : Uint4B
   +0x068 Unused1          : [3] Ptr64 Void
   +0x080 KernelReserved   : [15] Uint4B
   +0x0bc SecondLevelCacheSize : Uint4B
   +0x0c0 HalReserved      : [16] Uint4B
   +0x100 Unused2          : Uint4B
   +0x108 KdVersionBlock   : Ptr64 Void
   +0x110 Unused3          : Ptr64 Void
   +0x118 PcrAlign1        : [24] Uint4B
   +0x180 Prcb             : _KPRCB
_KPCR location can be found like this:
kd> ? @$pcr
Evaluate expression: -8781847822336 = fffff803`51148000
​
kd> !pcr
KPCR for Processor 0 at fffff80351148000:
    Major 1 Minor 1
	NtTib.ExceptionList: fffff803536dffb0
	    NtTib.StackBase: fffff803536de000
	   NtTib.StackLimit: 0000000000000000
...snip...
Inside the _KPCR, at offset 0x180 there is a member that points to a Process Control Block memory structure _KPRCB which contains information about the state of a processor.
The key member we're interested when trying to find the _KINTERRUPT memory location for a given interrupt is InterruptObject as it contains a list of pointers to a list of _KINTERRUPT objects.  InterrupObject is located at offset 0x2e80 as shown below:
kd> dt _KPRCB
ntdll!_KPRCB
   +0x000 MxCsr            : Uint4B
   +0x004 LegacyNumber     : UChar
   +0x005 ReservedMustBeZero : UChar
   ....
   +0x2e80 InterruptObject  : [256] Ptr64 Void //256 pointers max as noted earlier
   ....
With the above knowledge, we can now find the _KINTERRUPT location for the keyboard interrupt a0:
dt @$pcr nt!_KPCR Prcb.InterruptObject[a0]
Below confirms that the _KINTERRUPT for the interrupt a0 we found manually matches that given by the !idt command:
References
Code Injection and API Hooking Techniques
nagareshwar.securityxploded.com
Kernel Interrupt Overview - Linux.com
What is an interrupt? An interrupt is an event external to the currently executing program on the CPU e.g. a keyboard input or arrival of a network packet. When these events happen CPU is executing some random program which may be completely unrelated to the event. The hardware device associated with the event like keyboard […]
www.linux.com
Interrupt handler
In computer systems programming, an interrupt handler, also known as an interrupt service routine or ISR, is a special block of code associated with a specific interrupt condition. Interrupt handlers are initiated by hardware interrupts, software interrupt instructions, or software exceptions, and are used for implementing device drivers or transitions between protected modes of operation, such as system calls.
en.wikipedia.org
Hooking Series PART II: Interrupt Descriptor Table Hooking
H3ll0 ReLearEx-Nation, in the second part of my hooking series, I want to show how to hook the Interrupt Descriptor Table (IDT). The IDT is an array that is able to contain at most 256 descriptors.…
relearex.wordpress.com
Interrupt Descriptor Table - OSDev Wiki
wiki.osdev.org
CodeMachine - Interrupt Dispatching Internals
Interrupt Dispatching Internals
www.codemachine.com
Kernel Interrupt Overview - Linux.com
What is an interrupt? An interrupt is an event external to the currently executing program on the CPU e.g. a keyboard input or arrival of a network packet. When these events happen CPU is executing some random program which may be completely unrelated to the event. The hardware device associated with the event like keyboard […]
www.linux.com
Fooling Windows about its internal CPU - Sina & Shahriar's Blog
In this post, I’m gonna show you how you can fool windows about its internal structure and sometimes give it wrong information about its internal capabilities or internal information which can bring you a lot of fun. (At least for me !) But don’t do that it can hurt your system actually but this post is about how to change CPU Capacity measurement of Windows and see its result in user-mode programs. There is a good article here which gives you lots…
rayanfam.com
Hooking IDT
Download the code associated with this article by filling out the the form below.  Once we've already gained access to the system, we can use various
resources.infosecinstitute.com
System Service Descriptor Table - SSDT
Token Abuse for Privilege Escalation in Kernel
Last updated 1 year ago