What Is a Keylogger: Types, Detection Methods, and Protective Measures

An encyclopedic guide to keyloggers — how software and hardware keyloggers capture keystrokes, the techniques they use to evade detection, and the technical and behavioral defenses against them.

The InfoNexus Editorial Team | May 10, 2025 | 9 min read

What Is a Keylogger?

A keylogger (short for keystroke logger) is a surveillance tool — hardware or software — that records every key pressed on a keyboard, typically without the user's knowledge or consent. The captured data is then stored locally or transmitted to an attacker, who can extract passwords, credit card numbers, personal messages, banking credentials, and any other information typed on the compromised device. Keyloggers are among the oldest and most persistent tools in a threat actor's arsenal, ranging from simple educational monitoring software (used legitimately for parental control or employee oversight with disclosure) to sophisticated malware deployed by cybercriminals and nation-state actors.

The term encompasses a broader category than just keyboard capture — modern keyloggers often also capture screenshots at intervals, clipboard contents, URLs visited, application usage, and microphone or camera feeds, earning them the classification of spyware or stalkerware depending on deployment context. Keyloggers have been discovered in major malware families including Zeus, Emotet, and various RATs (Remote Access Trojans).

Types of Keyloggers

Software Keyloggers

Software Type | Mechanism | Privilege Level Required
--- | --- | ---
API-based keylogger | Hooks Windows API functions (SetWindowsHookEx with WH_KEYBOARD_LL) to intercept keystrokes at the application layer; processes all keystrokes system-wide | User-level; easiest to implement and detect
Form-grabbing keylogger | Hooks browser functions (NSS, WinInet, HttpSendRequest) to capture form data before it is encrypted for transmission; captures passwords even over HTTPS | User-level; evades network-based monitoring
Kernel-based keylogger | Installed as a device driver or kernel module; intercepts keystrokes at the lowest OS level before they reach applications; extremely difficult to detect or remove | Administrative/root; requires kernel-level access
Hypervisor-based keylogger | Operates below the OS at the hypervisor level; captures keystrokes by monitoring hardware I/O; essentially undetectable from within the compromised OS | Hypervisor (ring -1); sophisticated attack
Browser extension keylogger | Malicious browser extension reads form inputs and captures keystrokes within the browser context | Browser-level; distributed via extension stores
Acoustic keylogger | Uses machine learning to distinguish keystrokes by the acoustic signature of different keys; reconstructs typed text from audio recordings | Physical proximity or microphone access

Hardware Keyloggers

Hardware keyloggers are physical devices that intercept the signal between the keyboard and the computer:

  • Inline USB keylogger: A small device plugged between the keyboard's USB connector and the computer's USB port, storing keystrokes in internal memory (typically 2–16 MB). Invisible to the operating system — no software is installed. Retrieved by the attacker by physically re-accessing the device.
  • Wireless keyboard sniffer: Captures RF signals from wireless keyboards; older 27 MHz keyboards transmitted unencrypted; modern keyboards use AES encryption, but implementation flaws have been exploited (MouseJack vulnerability, 2016).
  • Keyboard firmware attack: Malicious firmware flashed onto the keyboard's microcontroller; essentially undetectable and persists through OS reinstalls.
  • Acoustic/electromagnetic keyloggers: Research-grade attacks — TEMPEST attacks use electromagnetic emanations from keyboards or monitors to reconstruct typed characters; acoustic analysis identifies key presses from sound.

How Keyloggers Are Distributed

  • Malware droppers: Delivered via phishing emails with malicious attachments (weaponized Office documents, PDFs exploiting document reader vulnerabilities, or macro-based downloaders)
  • Drive-by download: Visiting compromised or malicious websites that exploit browser or plugin vulnerabilities (Java, Flash — now deprecated) to silently install keyloggers
  • Trojanized software: Legitimate-looking software packages (games, utilities, cracked applications from unofficial sources) bundling keylogger payloads
  • Physical access: Hardware keyloggers require brief physical access to the target device
  • Insider deployment: Disgruntled employees or spies with physical access deploying monitoring software

How Keyloggers Evade Detection

Modern keylogger malware employs multiple evasion techniques:

  • Rootkit integration: Kernel-level rootkits hide keylogger processes, files, and registry entries from the operating system's own tools
  • Process injection: Injecting keystroke-capturing code into a legitimate process (explorer.exe, svchost.exe) makes the keylogger invisible in task lists
  • Living-off-the-land: Using built-in OS tools (PowerShell, WMI) to capture keystrokes or exfiltrate data reduces the malware footprint
  • Encrypted communications: Exfiltrating data over HTTPS to attacker-controlled servers blends with normal web traffic
  • Dormancy and trigger conditions: Some keyloggers activate only when specific applications (online banking, email) are in focus, capturing the most valuable data while minimizing activity that could trigger behavioral detection

Detection Methods

Detection Approach | Description | Effective Against
--- | --- | ---
Antivirus/EDR signature detection | Matches known keylogger code patterns and hashes against threat databases | Known keylogger variants; ineffective against zero-days and polymorphic malware
Behavioral analysis (EDR) | Detects WH_KEYBOARD_LL hook registration, suspicious process injection, and anomalous keyboard API calls | API-based and process-injection keyloggers
Kernel integrity checks | Verifies kernel data structures for unauthorized modifications (DKOM detection) | Kernel-level keyloggers and rootkits
Physical inspection | Visual inspection of USB connections and ports for hardware devices | Hardware keyloggers (USB inline devices)
Anomalous network traffic analysis | Monitors outbound connections for data exfiltration patterns; unexpected HTTPS traffic to unknown destinations | Software keyloggers with remote exfiltration
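The behavioral and network signals in the table (WH_KEYBOARD_LL hook registration, injection into a legitimate process, and unexpected HTTPS to unknown destinations) are most useful when correlated per process rather than alerted on individually. The following triage scorer is an added illustration written for this article, not code from the original page or from any EDR product; the telemetry rows, process names, pids, hook allowlist and addresses are all constructed.

```python
# Added example (not code from the article or any EDR product): toy behavioral
# triage over constructed endpoint telemetry, correlating WH_KEYBOARD_LL hook
# registration, remote-thread injection and outbound HTTPS to unknown hosts.
from collections import defaultdict

HOOK_ALLOWLIST = {"screenreader.exe"}  # constructed: images allowed to hook
KNOWN_HOSTS = {"203.0.113.10"}         # constructed: expected HTTPS destinations
WEIGHTS = {"keyboard_hook": 3, "injection": 3, "unknown_https": 2}

# Constructed telemetry rows: (pid, image, event kind, detail).
TELEMETRY = [
    (5012, "update_helper.exe", "remote_thread", "target_pid:4120"),
    (4120, "explorer.exe", "api_call", "SetWindowsHookEx:WH_KEYBOARD_LL"),
    (4120, "explorer.exe", "net_connect", "443:203.0.113.77"),
    (2200, "screenreader.exe", "api_call", "SetWindowsHookEx:WH_KEYBOARD_LL"),
    (3300, "browser.exe", "net_connect", "443:198.51.100.5"),
    (880, "svchost.exe", "net_connect", "443:203.0.113.10"),
]

def score_processes(events, hook_allowlist=HOOK_ALLOWLIST, known_hosts=KNOWN_HOSTS):
    """Return {(pid, image): (score, reasons)} for every process in the events."""
    # Pids that received a remote thread: the classic injection target.
    injected = {int(d.split(":")[1]) for _, _, k, d in events if k == "remote_thread"}
    scores, reasons = defaultdict(int), defaultdict(list)
    for pid, image, kind, detail in events:
        key = (pid, image)
        scores[key] += 0  # benign processes still appear, with score 0
        if kind == "api_call" and detail.endswith("WH_KEYBOARD_LL") and image not in hook_allowlist:
            scores[key] += WEIGHTS["keyboard_hook"]
            reasons[key].append("registered a low-level keyboard hook")
        elif kind == "remote_thread":
            scores[key] += WEIGHTS["injection"]
            reasons[key].append(f"created a remote thread ({detail})")
        elif kind == "net_connect":
            port, host = detail.split(":", 1)
            if port == "443" and host not in known_hosts:
                scores[key] += WEIGHTS["unknown_https"]
                reasons[key].append(f"HTTPS to unknown host {host}")
    # An injected-into process inherits the injection signal, so hook plus
    # exfiltration from a normally trusted image such as explorer.exe stands out.
    for key in scores:
        if key[0] in injected:
            scores[key] += WEIGHTS["injection"]
            reasons[key].append("was the target of a remote thread")
    return {k: (scores[k], reasons[k]) for k in scores}

def flag_suspicious(events, threshold=5):
    """Processes whose combined score reaches the threshold, highest score first."""
    hits = [(img, pid, s, r) for (pid, img), (s, r) in score_processes(events).items() if s >= threshold]
    return sorted(hits, key=lambda h: -h[2])
```

On the constructed rows only explorer.exe crosses the threshold: the allowlisted screen reader's hook and the browser's unknown-host HTTPS each score too low alone, which is the point of correlating signals rather than alerting on any one of them.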

Protective Measures

  • Password managers with auto-fill: Auto-fill injects credentials directly into form fields without keystrokes, bypassing API-based keyloggers (though not form-grabbing keyloggers)
  • Multi-factor authentication (MFA): Even if passwords are captured, TOTP codes expire in 30 seconds and hardware keys (FIDO2) require physical possession — dramatically reducing the value of stolen credentials
  • On-screen keyboards and virtual keyboards: Mouse-based input avoids hardware keyboard interception; some keyloggers also capture mouse input and screenshots, so this is a limited defense
  • Endpoint Detection and Response (EDR): Modern EDR solutions with behavioral analysis (CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint) detect keylogger behavior through hook monitoring and anomaly detection
  • OS hardening: Disable unnecessary services, enforce application allowlisting (only approved software can execute), use Secure Boot and UEFI firmware protection to prevent firmware-level attacks
  • Physical security: Tamper-evident seals on USB ports for high-security environments; hardware security modules (HSMs) for cryptographic keys rather than storing on the general OS
  • User awareness: Don't install software from unofficial sources; recognize phishing attempts; lock workstations when unattended in shared spaces