Processing Interrupts in Real Mode

In real mode, the lower 1K of memory contains a data structure known as the interrupt vector table (IVT). There are nominally 256 entries in this table. (Starting with the 80286, the IVT does not have to have 256 entries or start at physical address 0. The base address and length of the IVT are determined by looking at the interrupt descriptor table register (IDTR).) Each entry contains a far pointer to an interrupt service routine. Any type of interrupt is routed to the appropriate interrupt service routine through this table. The processor indexes the table by interrupt number; pushes the current CS, IP and flags onto the stack; and calls the far pointer specified in the IVT. The handler processes the interrupt and then executes the IRET instruction to return control to the place where the processor was executing when the interrupt occurred.
Handling Interrupts in Protected Mode

In protected mode, interrupts are handled much as they are in real mode. The Interrupt Descriptor Table (IDT) does what the IVT does in real mode. The IDT consists of an array of 8-byte segment descriptors called gates. The Interrupt Descriptor Table Register (IDTR) holds the base address and limit of the IDT. The IDT must exist in physical memory and should never be swapped out to virtual memory. This is because if an interrupt occurred while the IDT was swapped out, the processor would raise an exception, which would require the IDT to supply the handler for that exception, and so on, until the system crashed. The gates in the IDT can be of three types: interrupt gates, trap gates and task gates. We will not dwell on the details of trap gates and task gates. See the Intel processor documentation for more information.
http://www.reverse-engineering.info/SystemHooking/hooksoft.htm
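To make the two table formats concrete, the following C code (an added example, not taken from the answer or the linked article) decodes a real-mode IVT entry into a linear handler address and unpacks one 8-byte protected-mode gate. It assumes the 32-bit gate layout given in the Intel documentation; the function names and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Real-mode IVT entry: 16-bit offset, then 16-bit segment (a far pointer). */
static uint32_t ivt_handler_linear(const uint8_t *ivt, uint8_t vector)
{
    const uint8_t *e = ivt + (uint32_t)vector * 4;   /* 4 bytes per entry */
    uint16_t off = (uint16_t)(e[0] | (e[1] << 8));
    uint16_t seg = (uint16_t)(e[2] | (e[3] << 8));
    return ((uint32_t)seg << 4) + off;               /* segment * 16 + offset */
}

/* Fields of one 8-byte protected-mode IDT gate (32-bit layout assumed). */
struct gate {
    uint32_t offset;    /* handler entry point (unused by task gates) */
    uint16_t selector;  /* code segment selector, or TSS selector */
    uint8_t  type;      /* low 4 bits of the access byte */
    uint8_t  dpl;       /* privilege level required to invoke via INT n */
    uint8_t  present;   /* 0 means the gate is not valid */
};

static struct gate decode_gate(const uint8_t d[8])
{
    struct gate g;
    g.offset   = (uint32_t)d[0] | ((uint32_t)d[1] << 8) |
                 ((uint32_t)d[6] << 16) | ((uint32_t)d[7] << 24);
    g.selector = (uint16_t)(d[2] | (d[3] << 8));
    g.type     = d[5] & 0x0F;
    g.dpl      = (d[5] >> 5) & 0x03;
    g.present  = (d[5] >> 7) & 0x01;
    return g;
}

static const char *gate_kind(uint8_t type)
{
    switch (type) {
    case 0x5:           return "task";
    case 0x6: case 0xE: return "interrupt";  /* 16-bit / 32-bit */
    case 0x7: case 0xF: return "trap";       /* 16-bit / 32-bit */
    default:            return "invalid";
    }
}

/* Constructed sample data, not read from a real system. */
static const uint8_t sample_ivt[8]  = {0x00, 0x00, 0x00, 0xF0, 0x9E, 0x40, 0x19, 0x00};
static const uint8_t sample_gate[8] = {0x40, 0x13, 0x08, 0x00, 0x00, 0x8E, 0x53, 0x80};

int main(void)
{
    struct gate g = decode_gate(sample_gate);
    printf("IVT vector 1 -> linear 0x%05X\n", (unsigned)ivt_handler_linear(sample_ivt, 1));
    printf("gate: %s %04X:%08X DPL=%u P=%u\n", gate_kind(g.type),
           (unsigned)g.selector, (unsigned)g.offset, (unsigned)g.dpl, (unsigned)g.present);
    return 0;
}
```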