Detecting keylogger virus by monitoring keyboard driver stack
Abstract
This work is devoted to designing and implementing software that monitors the keyboard driver stack for any illegal
embedding of a malicious filter driver. Filter drivers are an effective tool used by keylogger software to record user
keystrokes. Recording keystrokes is a very hostile action, and it is mostly done by viruses.
The detection approach is to enumerate the size of the driver stack dedicated to the keyboard device and the location of the uppermost
filter driver. A filter driver is designed in this paper using the Microsoft Driver Development Kit (DDK) 2003; this
filter driver is attached to the keyboard driver stack so that it becomes the uppermost keyboard filter driver. A separate
user-level program is designed to interact with the filter driver. When the Windows I/O manager sends an Input/Output
Request Packet (IRP), the filter driver intercepts that packet and sends it back to the user-level program specially
designed for this paper. The stack depth and stack location are retrieved from the IRP sent by the filter driver