Detecting Hotkey-Based Keyloggers Using an Undocumented Kernel Data Structure
ID: 53cbde84-c059-5873-9d26-2e092adcc869
STIX ID: report--53cbde84-c059-5873-9d26-2e092adcc869
Feed Name: Elastic Security Labs
This report analyzes hotkey-based keyloggers that abuse the RegisterHotKey API to capture keystrokes stealthily, demonstrates a proof of concept (Hotkeyz), and presents a kernel-mode detection method that inspects an undocumented win32k hash table (gphkHashTable) to enumerate registered hotkeys and identify keylogger activity. The authors provide a driver-based detector and publish the code along with a demo video.
