
Is There A Way To Detect A Key Logging Software?

I might write a program to detect malicious (or non-malicious) software that is key logging (logging key strokes to gain information).

  1. What tactics would be used?
    • Is there certain code to look for?
    • Are there certain locations I should search?
  2. I prefer Java or Perl as I am fluent in those languages
    • Would these languages work?
    • Is there a better language to use for this case?
  3. What would be used?
    • Code?
    • Algorithms?
    • Function?
Dorothy asked May 17 '11 15:05




2 Answers

I think it depends on what you are attempting to do. If you are looking for known keylogging programs, you could use any software that can search the file system to view file signatures. However, it sounds like you want to detect unknown programs. I do not believe this is strictly possible. Keylogging applications can passively listen to the keystrokes so there is not an active signature you could look for. It would probably be easier to understand the software that is supposed to run on your computer and then detect any new software that starts to run. It wouldn't necessarily be keystroke logging software, but it would be unauthorized software (or at least yet to be authorized software).

Keystrokes are broadcast to the system as events that you can subscribe to in your application. This is how games and other programs use the keyboard input. The entire system knows when a key is hit and which key it was. You can't know who is listening.

To put it another way, if this were possible, it would kill software keystroke loggers since every anti-virus and anti-spyware application would have an option to detect and remove all of these types of software. They have an option similar to this, but it is based upon known signatures of known keystroke loggers.

IAmTimCorey answered Oct 06 '22 00:10
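An added example (not code from either answer) of the approach suggested above: record what is supposed to run, then flag anything new or changed. The file names, PIDs and helper names are constructed for illustration; on a real host the (pid, path) list would come from the operating system's process table.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths):
    """Record the approved executables as {path: sha256}."""
    return {p: sha256_file(p) for p in paths}

def audit(baseline, running):
    """Return (pid, path, reason) for each running executable not matching the baseline."""
    findings = []
    for pid, path in running:
        if path not in baseline:
            findings.append((pid, path, "not in baseline"))
            continue
        try:
            current = sha256_file(path)
        except OSError:  # e.g. the file was deleted after the process started
            findings.append((pid, path, "unreadable"))
            continue
        if current != baseline[path]:
            findings.append((pid, path, "hash changed since baseline"))
    return findings

def demo():
    """Constructed sample: stand-in 'executables' written to a temp directory."""
    def write(path, data):
        with open(path, "wb") as f:
            f.write(data)
    with tempfile.TemporaryDirectory() as d:
        editor, shell, extra = (os.path.join(d, n) for n in ("editor", "shell", "extra"))
        write(editor, b"approved editor build")
        write(shell, b"approved shell build")
        baseline = build_baseline([editor, shell])
        write(shell, b"modified shell build")     # approved binary replaced after baseline
        write(extra, b"newly installed program")  # new program appears after baseline
        running = [(101, editor), (102, shell), (103, extra)]  # (pid, path), constructed
        return [(pid, os.path.basename(p), why) for pid, p, why in audit(baseline, running)]

if __name__ == "__main__":
    print(demo())
```

As the answer notes, a finding here means software that has not been authorized yet, not necessarily a keystroke logger.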


As a program trying just to figure out if its input is being key-logged, for badly written key-loggers, you can look for some time patterns, like periodic delays when the logger recycles buffers, but normally key-loggers are very well written and will inject themselves in the driver chain and so will be indiscernible from the normal chain.

In that case the only hope to detect key-loggers is to inspect the driver chain looking for non-standard drivers (but some key-loggers can infect standard drivers) which isn't particularly easy in Windows-land (such low level inspection).

One would need to plug into the anti-virus/anti-malware hooks to be able to really access not only the driver chain definitions, but the real code being executed, to detect if some key-logging is taking place, and that is hard, full of bureaucracy, and almost undoable in anything but C/C++.

Monoman answered Oct 05 '22 23:10