1. Technical Field of the Invention
The present invention relates generally to computer systems, and deals more particularly with detection of keyboard logging.
2. Background Art
Keyboard loggers (also referred to as keystroke sniffers, or sniffers, or spyware) are known today to log or record keystrokes entered by a user, and to transmit the keystroke information to a third party. The keystrokes may reveal valuable or confidential information such as a user ID and password, confidential financial information or confidential technical information. The user ID and password can later be used to access sensitive records.
A variety of mechanisms exist, such as email attachments (images or text), remotely executable malware, or malicious URLs that can install a keyboard logger without alerting the user that this has occurred. The user remains unaware that a keyboard logger has been installed until too late.
There are contemporary cases of keyboard logger attacks that have led to significant losses to the user or the company of the user.
Keyboard loggers take advantage of operating system “hooks” that allow additional code to be run. When “hooked” code runs, the keyboard logger code executes and then returns to the normal operating system code, so the operating system appears to be working normally. In the case of a keyboard logger hook integrated into normal keystroke processing, the keyboard logger code reads the keystroke and saves or transmits it, then passes control to the normal operating system call. Because of the speed of the hook routines, the user does not usually know that his or her keystroke has been logged by the keyboard logger.
To be successful, a keyboard logger has two critical tasks to perform beyond the obvious interception of a keystroke. First, the keyboard logger must hide itself. All modern operating systems possess one or more tools to list out the kernel's process table. If the keyboard logger process is recognizable in a process table list, then detection is trivial. As a result of these tools, keyboard loggers disguise their presence in some fashion. Keyboard loggers may exploit a bug or feature to be a hidden process, such as a process name of “” (empty string). Keyboard loggers may also masquerade as a known legitimate process.
The second critical task that a keyboard logger must perform is transmitting the keystroke data to another party. This can be done in some batch fashion (storing keystrokes to an obscure file on disk for later pickup), or transmitting each keystroke in real time over a network connection.
In modern operating system kernels, applications such as a keyboard logger must use the syscall interface to gain the access needed from the kernel, and cannot directly access the keyboard interface hardware (or any other hardware).
Three principal activities of a keyboard logger are:
1) Receipt of keystroke events.
2) Hiding the presence of a keyboard logger when the process table is examined.
3) Storing/transmitting the keystroke data (to/for another party).
Many applications have legitimate needs for keystroke event notifications. So, the first approach isn't a very reliable way to detect a keyboard logger. Consider the case of the “poor man's” editor (example for Microsoft shell).
$ type > poormans.txt
hello world^Z
The keystrokes match the text saved to a file. This is classical keyboard logger behavior, except that this really isn't a keyboard logger, but a legitimate use of the computer. So, some other checks need to be added before concluding that a keyboard logger has been found.
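As an added illustration (not part of the patent text), the following Python combines the three activities above into a single check, so that a process which receives keystroke events but is visible under an honest name, like the poor man's editor, is not flagged. The process observations, the known-path table and the scoring rule are constructed assumptions, not a real detector.

```python
from dataclasses import dataclass

# Assumed table of where known legitimate binaries live; a process using one of
# these names from a different path is treated as masquerading (constructed).
KNOWN_PATHS = {
    "explorer.exe": r"C:\Windows\explorer.exe",
    "cmd.exe": r"C:\Windows\System32\cmd.exe",
}

@dataclass
class ProcObs:
    pid: int
    name: str               # name as shown in the process table
    path: str               # executable path reported for the process
    hooks_keyboard: bool    # activity 1: receives keystroke events
    visible_in_table: bool  # activity 2: appears in a process table listing
    writes_file: bool       # activity 3: stores keystrokes to disk
    network_conn: bool      # activity 3: transmits over a network connection

def indicators(p: ProcObs) -> set:
    """Map one process observation onto the three logger activities."""
    hits = set()
    if p.hooks_keyboard:
        hits.add("keystroke-events")
    # Hidden: absent from the table, blank name, or a known name from the wrong path.
    masquerade = p.name in KNOWN_PATHS and KNOWN_PATHS[p.name].lower() != p.path.lower()
    if not p.visible_in_table or p.name.strip() == "" or masquerade:
        hits.add("hidden")
    if p.writes_file or p.network_conn:
        hits.add("exfil-path")
    return hits

def is_suspect(p: ProcObs) -> bool:
    # Keystroke receipt alone is legitimate (the poor man's editor); require all three.
    return {"keystroke-events", "hidden", "exfil-path"} <= indicators(p)

def triage(procs) -> list:
    """Return the pids that satisfy all three activities."""
    return [p.pid for p in procs if is_suspect(p)]

# Constructed sample process table.
SAMPLE_PROCS = [
    ProcObs(1201, "cmd.exe", r"C:\Windows\System32\cmd.exe", True, True, True, False),
    ProcObs(1777, "", r"C:\Users\Public\k.exe", True, False, False, True),
    ProcObs(1802, "explorer.exe", r"C:\Users\Public\explorer.exe", True, True, True, False),
    ProcObs(1904, "svchost.exe", r"C:\Windows\System32\svchost.exe", False, True, False, True),
]

if __name__ == "__main__":
    print(triage(SAMPLE_PROCS))  # → [1777, 1802]
```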