I've been thinking of 3 possible implementations, but I still can't see it all the way to the end. Maybe you can help me out with this:
1st idea is keeping a copy of the original system calls, and then, whenever the user runs the anti-keylogger, compare the original copy of the functions and the copy currently used. In case of a difference between the copies, it might be that there is a keylogger in the system. My problems with this option are: 1. assuming I'm keeping my original copy as a module, how do I let the anti-keylogger use it? 2. how to compare between the 2 copies?
2nd idea: measuring the time it takes to perform a write operation, assuming when a keylogger is in the system it will take more clock cycles to write. Problems: how can I keep the "usual" number of clock cycles?
3rd idea: maybe I can use interrupts to trace keyloggers planted in my system. I don't like this idea...
Can you help me with those ideas?
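For the 1st idea, the comparison question has a concrete answer: snapshot both the table entries (addresses) and a hash of each handler's leading code bytes, then re-hash and diff. The following user-space model is an added example written for this thread, not code from the poster; the four stub handlers, the `table` array standing in for the syscall table, and `hooked_write` (a simulated hook) are all constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for the kernel dispatch table; in a real module the snapshot would be
 * taken at load time from a known-good state and kept in module-private memory. */
typedef long (*handler_t)(long);
#define TABLE_SIZE 4
#define PROLOGUE_BYTES 16   /* leading code bytes of each handler to fingerprint */

static long sys_read_stub(long a)  { return a + 1; }   /* constructed stubs */
static long sys_write_stub(long a) { return a * 2; }
static long sys_open_stub(long a)  { return a - 3; }
static long sys_close_stub(long a) { return -a; }
static long hooked_write(long a)   { return sys_write_stub(a); } /* simulated hook */

static handler_t table[TABLE_SIZE] = { sys_read_stub, sys_write_stub, sys_open_stub, sys_close_stub };

/* Snapshot holds each entry's address plus a FNV-1a hash of its first code bytes,
 * so both pointer swaps and in-place patches of the handler are noticed. */
struct snapshot { handler_t addr[TABLE_SIZE]; uint64_t code_hash[TABLE_SIZE]; };

static uint64_t fnv1a(const unsigned char *p, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

static void take_snapshot(struct snapshot *s) {
    for (int i = 0; i < TABLE_SIZE; i++) {
        s->addr[i] = table[i];
        s->code_hash[i] = fnv1a((const unsigned char *)table[i], PROLOGUE_BYTES);
    }
}

/* Returns how many entries differ from the snapshot; *first gets the first such index (-1 if none). */
static int check_integrity(const struct snapshot *s, int *first) {
    int diffs = 0; *first = -1;
    for (int i = 0; i < TABLE_SIZE; i++) {
        uint64_t now = fnv1a((const unsigned char *)table[i], PROLOGUE_BYTES);
        if (table[i] != s->addr[i] || now != s->code_hash[i]) { if (*first < 0) *first = i; diffs++; }
    }
    return diffs;
}

static void simulate_hook(int idx, handler_t h) { table[idx] = h; }

int main(void) {
    struct snapshot s; int first;
    take_snapshot(&s);
    simulate_hook(1, hooked_write);   /* pretend a keylogger replaced the write entry */
    printf("entries changed: %d (first index %d)\n", check_integrity(&s, &first), first);
    return 0;
}
```

The check is only as trustworthy as the snapshot: if it is taken after a hook is already in place, the hook becomes the baseline, so the reference copy has to come from a known-good state and be kept where the hooked code cannot rewrite it.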