You may want to ask what does it mean for a game to have a keylogger?
A game is usually supposed to capture what buttons you press and, if it's an online game, send that over the internet, and so that would be perfectly fine as long as that's done while the game is running - so perhaps you're asking whether the game installs some malware that captures keystrokes outside of the game as well.
That would be generally detected by looking for various malware persistence mechanisms, seeing if there's something that's started on startup, possibly in a hidden way; or if there's some process that hides its activity. And if so, then you could check whether it was placed there by that game.
On the other hand, some of the anti-cheat mechanisms are so invasive that they effectively are far more capable than just a keylogger, and the game is quite open about placing them on your machine, e.g. requiring permissions to install it as a privileged driver.
Game over right there. No matter what it does or doesn't do today, you never know what they'll push in the next update, or when ownership changes hands. I'd never run a game with admin rights.
I'm sure there are game devs that try to install rootkits for no good reason, but preventing cheating in multiplayer competitions can unfortunately be a legitimate reason to ask "Hey $customer, I need to take full control of your machine, and it can't be a VM".
You basically have three options:
- Cross your fingers and pray that the game company isn't going to do anything malicious to your machine
- Keep your gaming PC completely isolated from your private data
- Accept that you won't be able to play some competitive games, or the competitive modes of some games (e.g. the default CounterStrike multiplayer runs with usermode anticheat, but competitive matchmakers like FaceIt require you to install a kernel-level anticheat)
Yes, it is an unfortunate reality. I was very pleased to discover that Valve's newly released Counter Strike 2 did not require the invasive type of anti-cheat software. On the other hand, it also seemed like some players I encountered were making shots that were too accurate for a human player. Maybe CS2 players are just that good...
My wish is that multiplayer games would have the option to play on servers with anti-cheat and servers without anti-cheat. If my memory serves correctly, that is kind of how Microsoft's Halo: Master Chief Collection is, at least when played on the Steam Deck. While I don't like the entire experience (e.g., having to use a MS account), at least optional anti-cheat is a plus.
FWIW I typically choose option 2 - keeping the gaming PC separate from anything important.
Video games with anti cheats don't normally run as admin. A service on Windows is created by requesting admin once when installing the anti cheat, so that the service with a kernel driver can be loaded without admin.
Furthermore, it's funny when people cry about how kernel anticheats are invading their privacy. These anticheats are better secured and protected than 99% of the drivers for Windows, which are FULL of kernel elevation exploits. Absolutely filled to the brink. I could go into it more, but this thread isn't the place.
I've been playing PC games my whole life, but never with an internet connection. Yes sure I might miss out on some MMOs, but I see these mostly as toxic cesspools of enraged teen activity. Offline PC gaming is quiet, safe, and you know that no one is watching because they can't.
I think that if you really care about privacy and security then the simplest way to ensure that a game can't harm you is to avoid handling anything important on your gaming PC. If you think they might do something malicious, not having admin rights won't prevent that game from reading all your authentication credentials from your browser, for example.
- It might detect the sandbox and refuse to run the game
- If more seriously malicious, it might quietly escape the sandbox at first opportunity - say, a sandbox-escape exploit which the game provider obtains before the user can/does install the security patch
It didn't fly back then either, but it still happened. And if it was done for audio discs, which don't typically run executable code, I wouldn't be surprised to find it in games which ship executables.
Also, didn't Zoom do something somewhat shady with admin permissions and self-updating? I'm not sure how you arrived at the conclusion that this couldn't happen today.
You're drawing in things from numerous other contexts that don't really apply.
My claim was simple. If it's a game from a big studio, it won't have a keylogger. This is simply true and has been true for a long time. If that changes, we will hear about it.
> My claim was simple. If it's a game from a big studio, it won't have a keylogger.
Your "claim" is actually a prediction, and I would bet against it with a less-vague definition of "big" and a long enough time period. It's certainly not a fact, which is how you present it.
To enable a keylogger is exceptionally easy with native applications: Windows has SetWindowsHookEx(WH_KEYBOARD_LL...
The problem is to follow the focus of the windows and parse out relevant information to send because logging all presses will be too obvious if you read memory or disk.
Then you need to encrypt the data before you send it over the network, this is probably why all modern anti-viruses block all native HTTP traffic.
The scary part is that the Windows API allows for a process to gather all keypresses even when the app window has lost focus?!
To answer the question: open the exe in any text editor and search for SetWindowsHookEx... if it's there you know that exe can listen to everything.
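Added example, not part of the original comment: the string search described above as a small Python script that looks for the API names in both ASCII and UTF-16LE. The extra API names beyond those mentioned in the thread, the verdict labels and the sample bytes are assumptions of this example; a hit shows capability only, and a miss proves nothing for packed files or names resolved at run time.

```python
import sys

# Win32 calls that can observe keys typed into other windows. SetWindowsHookEx
# and GetAsyncKeyState are named in the thread; the other three are further
# documented user32 input APIs, included as an assumption of this example.
CAPTURE_APIS = ("SetWindowsHookEx", "GetAsyncKeyState", "GetKeyboardState",
                "RegisterRawInputDevices", "GetRawInputData")
# With these a program can look functions up at run time, so the names above
# need not be stored in the file in readable form.
RESOLVER_APIS = ("GetProcAddress", "LdrGetProcedureAddress")


def find_names(data: bytes, names) -> dict:
    """Map each name present in data to the encodings it was found in."""
    found = {}
    for name in names:
        encodings = [enc for enc in ("ascii", "utf-16-le")
                     if name.encode(enc) in data]
        if encodings:
            found[name] = encodings
    return found


def scan_bytes(data: bytes) -> dict:
    """Classify a binary by which keyboard-capture API names it contains."""
    capture = find_names(data, CAPTURE_APIS)
    resolvers = find_names(data, RESOLVER_APIS)
    if capture:
        verdict = "capture-api-referenced"   # capable, not proof of logging
    elif resolvers:
        verdict = "inconclusive"             # names may be resolved at run time
    else:
        verdict = "no-names-found"           # packed files also land here
    return {"capture": capture, "resolvers": resolvers, "verdict": verdict}


# Constructed sample: bytes shaped like a PE import-name entry (2-byte hint,
# NUL-terminated name), not taken from any real game.
SAMPLE_IMPORT = b"MZ\x90\x00" + b"\x41\x02SetWindowsHookExW\x00USER32.dll\x00"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = SAMPLE_IMPORT
    result = scan_bytes(blob)
    print(result["verdict"])
    for api, encs in {**result["capture"], **result["resolvers"]}.items():
        print(f"  {api}: {', '.join(encs)}")
```

Run it with the path of the executable or DLL as the only argument; without an argument it scans the constructed sample.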
I think if I were concerned, I'd try creating a honeypot account on some service that notifies me when someone new logs in (like google). Then I'd log into that account sometimes while playing the game and monitor it for any new logins. It still could have a keylogger even after all that, though.
That's upsetting! I got 3 alerts so far within the last 5 months about suspicious logins (from Twitter, Facebook & Google). I was dismissing it telling myself I am being paranoid. Now I think my employer itself is spying on me?
The first alert was from Twitter. I am an H1B from India employed by a WITCH type Indian company working for a US client (probably top 3 in the world in what they do). One day, I saw some Twitter posts about how greencards for Indians would take decades or even 100 years. I was talking about this to a colleague on client's Microsoft Teams. Just as I mentioned this, Teams got disconnected. Later that day, was talking to another colleague through same Teams about same topic, again got disconnected. I thought it was odd, but dismissed. Then around 9 pm same day, I get an alert from Twitter that they prevented a suspicious login from an IP address in US.
4 weeks ago, I was talking about how my WITCH company manager is not letting anyone take vacation (from Sep-Dec, they are not letting anyone take vacation unless absolutely necessary) to another colleague, through client's Teams. 3 days later, I get an alert from Facebook that someone accessed my account, this time from Turkey.
Then 1 week later, got an email from Google with a security code that someone had requested for accessing the same Google account.
Don't know if I should just pack up and leave US at this point, lol!
First, why are you accessing personal accounts on a company computer? That's reckless all by itself. Your personal information is up for discovery if the company gets into any legal problems. Keep your professional and personal computer uses separate. There's absolutely zero reason you need to be logged in to your personal Facebook and Twitter accounts at work.
Second, Twitter, Facebook and Google all provide enhanced account security options like Passkeys and MFA and it's clear you're not using them. Turn them on (and using your personal devices, not your work provided items) and your employer or any other random hacker is going to have a substantially harder time accessing your accounts.
If the accusation is against the employer, how would anyone at the employer know anything about their account details for personal websites otherwise? The Teams chat snooping is possible and even above-board but it's very unlikely they're chasing down and using your Facebook and Twitter credentials as part of any official company policy or action that's not being disclosed.
I'm not a lawyer but I don't think they have legal grounds to access an employee's personal accounts even if they have captured the credentials over their property. Accessing a third-party computer without authorization (i.e. accessing Facebook using someone else's credentials without permission and just discovered on company networks and/or hardware through normal logging and monitoring) is likely a violation of the Computer Fraud and Abuse Act in the US. A company has rights to read any and all data stored on their property but conditions have to be met before they could use that information for any purpose (i.e. a judge orders it because a lawsuit is in progress because you're sending company secrets through personal accounts or something).
I would enable cryptographic 2FA on all of my accounts where it is possible and run the 2FA on a discrete device (token dongle or an old phone with wifi and Bluetooth off, no sim)
I made a FB account to change a client's Page settings, and now I pretty regularly get emails from FB along the lines of "Having trouble signing into your account?" because there's been tons of failed repeated logins. I think it might just be a normal part of having a FB account? Can't speak for the other services.
What would your employer's motive for spying on you be?
Might an external attacker be interested in the work you're doing for the client? For example, are you working with cryptocurrency? Countries like North Korea like to steal that stuff for sanctions busting.
If I were you I would bring this up with your boss. If that conversation leads you to believe that your employer is trying to hack you, I would probably quit. Otherwise your employer should know; this could be a good time to invest in countermeasures against an external attacker.
Sorry, the assumption I left out is that whoever is running the keylogger would see you logging into a "valuable" account during their logging and then try to access it. Since it'd be a new account with nothing on it, there's nothing for the attacker to really compromise, but you could get a notification letting you know someone new logged in, which would let you know that someone successfully captured you logging in.
If you're talking about Windows here, then you could write some code that intercepts the system calls used by common keyloggers (GetAsyncKeyState, SetWindowsHookEx with WH_KEYBOARD / WH_KEYBOARD_LL, etc) using hooking, an instrumentation callback, or ideally a kernel-mode driver, then warns you if the game is trying to use them. Normal software should only really need to use the keyboard messages passed to its WndProc, which only receives them if it's in the foreground. So while there can be legitimate reasons for a game to call them, it's a good sign that something is fishy. This is not fool-proof though, as there are other methods to get system-wide keyboard input, but this would catch the simple ones.
intercept network traffic and inspect it.
then conduct experiments to validate your hypothesis.
if the program is only doing it when requested by a remote source or some other more complex logic it's gonna be harder, you'll maybe need to reverse their communication protocol and inject network messages sent to the client to make it look like the server asked for that info. but if you reverse engineered the network protocol you don't need to listen to begin with.
so keep listening to the traffic for an extended period of time and look for suspicious activity.
This is practically impossible, given that the game likely sends a binary delta-compression of game-state, and so unless you entirely and accurately reverse-engineer all associated data structures and the protocol, you have no way of telling if the game is also siphoning sensitive data out (for instance, let's say there's some variable which is server-side determinable, but the variable is sent, but XORed with the data we want to extract, before being compressed and sent, then unless you understand this variable well enough to argue at any time in the traffic stream what its correct value should be, there's no way to know) there are so many ways of hiding this data that unless you do some full trace and reverse engineering of the entire machine state, yea, no. Especially since a game is anyhow meant to receive keyboard events, at least while active.
A plausible way would be to determine which processes are becoming active when input events occur, if the unfocused game is one of them (good luck actually determining this!) then you can at least say it's possible, but not even then, if anything actually happens to the intercepted data or if it's just bad implementation.
yes I agree,
reverse engineering is part of the endeavor (to understand the protocol, and the content of the messages).
almost all games have bots and bot developers go through this step, so you can save some time if you find the right forums/communities for your game where they share this kind of info among each other.
this simple inspection can at least help you weed out simpler attempts. but can't guarantee that the game is clean.
as sibling comments pointed out, these days with anti-cheat mechanism being so intrusive that they have kernel level access to your computer with some even having the kernel driver running even when the game is not running. I think that was the case for Genshin Impact and Valorant. Genshin's anti-cheat apparently was even hacked to be used by ransomware at some point in the past.
games with kernel access can do so much more than just being a keylogger, they can own your computer, listen to the traffic on your network.
it's best to treat all of them as compromised super-viruses you willingly decided to install on your computer.
buy a separate computer that acts as a console, isolated from the rest of your network and do nothing but gaming in it. or just don't play them.
Others have already said that in Windows the most straightforward way to make a keylogger is to use hooks.
But how do you know if there is one installed?
Hooks are chained, so you can traverse the chain and enumerate them. This thread in Stack Overflow is about that. I haven't tried the solution, but seems legit :)
Yes. But not a universal or easy way. You can't "tell" in the sense that you would just run MagicKeyloggerFinder on your computer and it will show you all the keyloggers, that's not how it works. In essence, it's the absence of evidence problem.
In a way, unless you can prove the machine code running on your CPU is not doing key logging (which is separate from recording those logs or transmitting those logs), and you can also prove that the code is not changing, you have no evidence that there is no keylogger.
As for games and keyboards in general: games need to read your keyboard to function, so they will always be able to read what you're typing. In some operating systems, that includes times where you might be running the game in the background.
There should be some Godwin’s law equivalent here that states that all forms of this discussion will lead to Ken Thompson’s “Reflections on Trusting Trust” within some number of replies.
First ask yourself what you're defending and from whom; is the data you are producing even worth anything to anyone? If the answer is no, risk does not exist and no defense is needed.
If you're producing something of perceived value, then you need to consider who might be interested in and what means or length they'll go through to get it. This practice is known as threat modeling and is the only meaningful way to get "security" without wasting resources.
When you threat model often, you come to realize almost all attackers are financially motivated and bound by market constraints, which means they're looking for the highest reward for the least amount of work; very few are looking to do anything else with your data other than to use it for quick monetary gain.
So? Let them eat cake. Leave a small amount of canary crypto-currency unprotected in your home directory. Set up a public ledger alert and if that currency is transferred, you know you've been compromised, by a keylogger or something else. It's very unlikely your keystrokes are worth any more than this.
As others have said, it's basically impossible to determine outside of some specific cases. Like, imagine if the keystroke data was being sent on its own to a unique endpoint; or a single player game that was sending only keystroke data to a remote server and little else.
This is tangential, but for all the flak Wayland gets compared to X11, it does at least provide some reassurance that a program can only easily keylog the stuff you enter into that program.
Look for processes running on your machine. If you don't see any suspicious process except the game itself (and the game's process or processes are running only while you're playing) then only the game itself could be logging your keystrokes. Which means that, if while the game is running you don't type sensitive information, you're safe.
Use known strings in the app and start dumping and scanning the memory. Check for any files on disk that grow as you type. Use a debugger and tools like CheatEngine to start investigating specific components of the app. Use a packet sniffer to determine how much data is being siphoned off the app and into a remote server.
That depends if it is a hardware or software keylogger. I have several hardware keyloggers that go inline with the USB keyboard and a couple that are the keyboard. The keylogger keyboards can not be detected by anything beyond recognizing the model but they use very cheap generic keyboards.
I will defer to the rest of the comments for software as it is already being covered.
the only way is with deliberately feeding the system honeypot accounts where account activity is recorded, but even then it's only a tentative negative response; it could just represent the time it takes for the data to be sold or otherwise perused.
there are a few games out there that have this reputation-- third-party-ran nostalgic MMO private servers are a big example. the only defense that makes much sense is to virtualize that software and keep it away from sensitive data.
A virus checker is incredibly unlikely to flag a commercial game, even if the game does in fact contain malware. Virus companies whitelist binaries from commercial entities every day.