Interesting Keylogger Detection Algorithm

Keyloggers are malicious desktop applications which fall under the Spyware cateogry that continously monitor a user’s keystrokes and mouse clicks and then send this information back to the malicious user. This can happen via email or to a malicious user’s server somewhere on the Internet. 

As per Security Focus, Keyloggers can be described under the following categories

a.) Hardware Keyloggers. These are small inline devices placed between the keyboard and the computer. Because of their size they can often go undetected for long periods of time — however, they of course require physical access to the machine. These hardware devices have the power to capture hundreds of keystrokes including banking and email username and passwords. 


Hardware Keylogger : Keyshark

b.) Software using a hooking mechanism. This type logging is accomplished by using the Windows function SetWindowsHookEx() that monitors all keystrokes. The spyware will typically come packaged as an executable file that initiates the hook function, plus a DLL file to handle the logging functions. An application that calls SetWindowsHookEx() is capable of capturing even autocomplete passwords.

c.) Kernel/driver keyloggers. This type of keylogger is at the kernel level and receives data directly from the input device (typically, a keyboard). It replaces the core software for interpreting keystrokes. It can be programmed to be virtually undetectable by taking advantage of the fact that it is executed on boot, before any user-level applications start. Since the program runs at the kernel level, one disadvantage to this approach it that it fails to capture autocomplete passwords, as this information is passed in the application layer.

A few days back i was asked to talk about Keyloggers to a group of enthusiasts, most of whom were Students of a local university. As always, i wanted to talk about a lot of things and started with what a keylogger is and ended by giving them some interesting pointers for further reading. However, one question which someone from the audience asked and made me think about was 

” What in your opinion is the best algorithm to handle a keylogging detection application?”

Well, the answer till date has always been around the two kinds of approaches used for handling key-loggers:

a.) Signature based anti-keylogger. These are applications that typically identify a keylogger based on the files or DLLs that it installs, and the registry entries that it makes. Although it successfully identifies known keyloggers, it fails to identify a keylogger whose signature is not stored in its database. Some anti-spyware applications use this approach, with varying degrees of success. Most of the anti-virus softwares detect Keylogger application based on this approach.

b.) Hook based anti-keyloggers. A hook process in Windows uses the function SetWindowsHookEx(), the same function that hook based keyloggers use. This is used to monitor the system for certain types of events, for instance a keypress/mouse-click — however, hook based anti-keyloggers block this passing of control from one hook procedure to another. This results in the keylogging software generating no logs at all of the keystroke capture. Although hook based anti-keyloggers are better than signature based anti-keyloggers, note that they still are incapable of stopping kernel-based keyloggers.

Interstingly, KL-Detector the latest in the breed of Keylogger Detection software uses a different technique and seems like an interesting approach too…

It works by scanning your local hard disk for any log file created during the monitoring process. Most keyloggers will eventually save the recorded data into a location in the hard disk. KL-Detector will inform you of such log file. This way, the program can detect all keyloggers, both known and unknown.

So how can someone prevent himself/herself from landing into getting his/her keys logged by a spyware application i.e. a keylogging application

1.) In this age of Information technology, nothing beats Education. Keep yourself Educated about the kind of softwares you install on your computer.  Know what software runs when you startup your PC.

2.) Install a good Antivirus software.  If you cannot afford a paid Antivirus software, install one of the 3 Best Free Antivirus Software.

3.) Whenever possible, use the virtual keyboard provided by Windows. If you are not aware of the virtual keyboard provided by Windows, learn about it on my previous post on Using Virtual Keyboard

4.) Get a good Anti-spyware application. You can choose from one of these.

5.) Always have the latest patches installed for your Operating System. If you use Windows, you can control the way updates are installed on your PC.

Also read: Understanding NULL Session Attacks

[How-To] Find out the location of person using your Wireless network

Is your DNS patched against the recent Vulnerability?

When did you last boot your PC?


You can follow me on Twitter at

Do stay tuned to Technofriends for more, one of the best ways of doing so is by subscribing to our feeds. You can subscribe to Technofriends feed by clicking here.




3 Responses

  1. […] Read the entire post on an Interesting Keylogger Detection algorithm on Technofriends. […]

  2. […] Go to the author’s original blog: Interesting Keylogger Detection Algorithm […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: