Detecting Hotkey-Based Keyloggers Using an Undocumented Kernel Data Structure
ID: 71d1b5f9-86be-55be-970f-e9b112809add
STIX ID: report--71d1b5f9-86be-55be-970f-e9b112809add
Feed Name: Elastic Security Labs
This research article describes "hotkey"-style keyloggers, demonstrated by the Hotkeyz PoC, which register many global hotkeys via RegisterHotKey to covertly capture keystrokes. It shows that RegisterHotKey is not traced by ETW and proposes a kernel-mode detection method that locates and scans the undocumented gphkHashTable in win32kfull.sys to enumerate the registered HOT_KEY objects; a heuristic based on the count of registered alphanumeric keys is used to flag keylogger activity. The author provides an implementation, a GitHub repository, and a demo video.
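As an added example that is not code from the Elastic Security Labs article, the Hotkeyz PoC or win32kfull.sys, the following C program models the detection heuristic described above over a hypothetical, simplified version of the structure it scans: an array of bucket heads chaining HOT_KEY-like entries. The bucket count (128), the field names, hashing by virtual-key code and the threshold of 20 alphanumeric keys are assumptions chosen so the logic runs offline on two constructed sets of registrations (a benign application with three shortcuts, and a keylogger registering every digit and letter). Resolving the real gphkHashTable symbol and reading the live kernel structure is what the article's kernel-mode implementation does and is not shown here.

```c
/* Added example: models the alphanumeric-hotkey-count heuristic over a simplified,
 * hypothetical hash table of HOT_KEY entries. Not code from the Elastic Security Labs
 * article, the Hotkeyz PoC, or win32kfull.sys; layout, bucket count, field names and
 * threshold are assumptions made so the logic runs offline on constructed data. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define HK_BUCKETS 128u          /* assumed bucket count for this model */
#define HK_ALNUM_THRESHOLD 20u   /* assumed detection threshold for this model */

/* Modifier bits with the values RegisterHotKey uses for fsModifiers. */
#define MOD_ALT     0x0001u
#define MOD_CONTROL 0x0002u
#define MOD_SHIFT   0x0004u
#define MOD_WIN     0x0008u

/* Simplified model of one registered hotkey (field names are assumptions). */
typedef struct hot_key {
    uint32_t fs_modifiers;
    uint32_t vk;                 /* virtual-key code, e.g. 0x41 for 'A' */
    int id;                      /* id the caller passed to RegisterHotKey */
    struct hot_key *next;        /* next entry chained in the same bucket */
} hot_key;

typedef struct { hot_key *buckets[HK_BUCKETS]; } hk_table;

typedef struct {
    unsigned total;              /* all registered hotkeys */
    unsigned alnum;              /* hotkeys whose vk is a digit or letter */
    unsigned alnum_no_modifier;  /* alnum hotkeys registered with fs_modifiers == 0 */
} hk_stats;

static size_t hk_bucket(uint32_t vk) { return vk % HK_BUCKETS; }   /* assumed hashing */

static bool vk_is_alnum(uint32_t vk) {
    return (vk >= 0x30 && vk <= 0x39) || (vk >= 0x41 && vk <= 0x5A);
}

/* Model of what RegisterHotKey records. Rejects a duplicate (modifiers, vk) pair,
 * mirroring the API failing when that combination is already registered globally. */
static bool hk_register(hk_table *t, uint32_t mods, uint32_t vk, int id) {
    size_t b = hk_bucket(vk);
    for (hot_key *k = t->buckets[b]; k; k = k->next)
        if (k->vk == vk && k->fs_modifiers == mods) return false;
    hot_key *k = calloc(1, sizeof *k);
    if (!k) return false;
    k->fs_modifiers = mods; k->vk = vk; k->id = id;
    k->next = t->buckets[b];
    t->buckets[b] = k;
    return true;
}

/* Detection pass: walk every bucket chain and tally the heuristic counters. */
static hk_stats hk_scan(const hk_table *t) {
    hk_stats s = {0, 0, 0};
    for (size_t b = 0; b < HK_BUCKETS; b++)
        for (const hot_key *k = t->buckets[b]; k; k = k->next) {
            s.total++;
            if (vk_is_alnum(k->vk)) {
                s.alnum++;
                if (k->fs_modifiers == 0) s.alnum_no_modifier++;
            }
        }
    return s;
}

static bool hk_looks_like_keylogger(const hk_stats *s) { return s->alnum >= HK_ALNUM_THRESHOLD; }

static void hk_free(hk_table *t) {
    for (size_t b = 0; b < HK_BUCKETS; b++) {
        hot_key *k = t->buckets[b];
        while (k) { hot_key *n = k->next; free(k); k = n; }
        t->buckets[b] = NULL;
    }
}

/* Constructed scenario 1: a benign app with three ordinary shortcut hotkeys. */
static void fill_benign(hk_table *t) {
    hk_register(t, MOD_CONTROL | MOD_ALT, 0x70, 1);    /* Ctrl+Alt+F1 */
    hk_register(t, MOD_WIN, 0x53, 2);                  /* Win+S */
    hk_register(t, MOD_CONTROL | MOD_SHIFT, 0x43, 3);  /* Ctrl+Shift+C */
}

/* Constructed scenario 2: a hotkey keylogger registering every digit and letter, both
 * unmodified and with Shift, so plain typing is delivered to it as WM_HOTKEY messages. */
static void fill_keylogger(hk_table *t) {
    int id = 1;
    for (uint32_t vk = 0x30; vk <= 0x39; vk++) hk_register(t, 0, vk, id++);
    for (uint32_t vk = 0x41; vk <= 0x5A; vk++) {
        hk_register(t, 0, vk, id++);
        hk_register(t, MOD_SHIFT, vk, id++);
    }
}

/* Build a scenario, scan it and release it; the scan result is what callers check. */
static hk_stats scan_scenario(void (*fill)(hk_table *)) {
    hk_table t = {{0}};
    fill(&t);
    hk_stats s = hk_scan(&t);
    hk_free(&t);
    return s;
}

static bool scenario_flagged(void (*fill)(hk_table *)) {
    hk_stats s = scan_scenario(fill);
    return hk_looks_like_keylogger(&s);
}

int main(void) {
    hk_stats b = scan_scenario(fill_benign), k = scan_scenario(fill_keylogger);
    printf("benign:    total=%u alnum=%u unmodified=%u flagged=%d\n",
           b.total, b.alnum, b.alnum_no_modifier, hk_looks_like_keylogger(&b));
    printf("keylogger: total=%u alnum=%u unmodified=%u flagged=%d\n",
           k.total, k.alnum, k.alnum_no_modifier, hk_looks_like_keylogger(&k));
    return 0;
}
```

The heuristic is a plain count, so a legitimate tool that binds many letter keys would score the same as the keylogger; the separate `alnum_no_modifier` counter narrows that, because a hotkey bound to a bare letter or digit intercepts ordinary typing, which a normal shortcut never needs. Against the real structure the same walk applies, but the pointers come from kernel memory located through the win32kfull.sys symbol rather than from a table the scanner built itself.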
