In K&R (ANSI) C you find an explanation about this in the following (adapted by me a bit) form:
Quote:
Originally Posted by K&R
Before offering CR (Carriage Return) to the Operating System, all your keystrokes will be stored in a buffer. Since each key is mapped in ASCII to a hexadecimal code, these values will be stored in the specified buffer before. That is the reason why it is easy to compare plain values to keystrokes (here it was about buffer['character'-0]). After hitting Enter (Carriage Return), the syscall will be triggered and the OS's kernel will perform its task on the buffer, fetching the data and executing on it.
Something like that :-) So I guess for a keylogger, it will sit in between the kernel and the keyboard, grabbing data detected, or at least hooking up to some specific functions/API that provide keypress data to it. The rest is left to your imagination to do with this knowledge.
More (Linux topic):
[1] Keyboard generalities - http://www.tldp.org/HOWTO/Keyboard-and-Console-HOWTO-2.html
[2] Interrupt Handlers (Kernel specific) - http://www.tldp.org/LDP/lkmpg/2.4/html/x1210.html