Windows Keylogger Detection: Targeting Past & Present Keylogging Techniques - Asuka Nakajima

Nullcon Goa 2025 · Main Stage

In this insightful Nullcon talk, Asuka Nakajima, a Senior Security Research Engineer at Elastic, delves into the persistent threat of keyloggers on Windows systems. The presentation meticulously dissects both traditional and emerging keylogging techniques, offering a dual-pronged approach to detection. Nakajima shares her team's experience in developing a behavior-based detection feature for an Endpoint Detection and Response (EDR) solution, focusing on API monitoring for common keylogger types, and then introduces a novel method for detecting a more stealthy "hotkey-based" keylogger.

AI review

Nakajima delivers two well-scoped contributions: a practical ETW-based detection framework for the common keylogger families, and a genuinely novel kernel-level detection method for hotkey-based keyloggers that required real reverse engineering work on undocumented Win32k internals. The gpHkHashTable discovery and the signature-chaining approach to locate it — xxxIsHotkey → IsHotkey → LEA instruction → table address — is exactly the kind of methodical, low-level work that earns conference time. Not a world-shaker, but solidly above the bar.
