Could a kernel driver be used?
This idea is still very theoretical; I'm in the process of doing the actual research to see if there's anything worth pursuing.
That said, couldn't the guts of the keysniffer be written as an NT kernel driver? You would have to be sure that the identifier associated with the driver (its 'name') was something obscure/misleading, just like all the other keysniffers. Once installed, the driver would wait for eqgame to become an active process. Once eqgame was active, a kernel equivalent of MapViewOfFile could be used to get the entire footprint of eqgame into kernel space. An IOCTL to the driver from user space would return the same information that all these user mode keysniffers are returning but without ever touching the eqgame executable (other than the first copy).
I don't think a keysniffer using a method like this is going to be identified as quickly as others. Then again, this method may not even be possible. Like I said, this is very theoretical. NT driver land is not somewhere I have spent a lot of time. And asking people to install the Windows DDK to be able to compile the source might be asking too much.
Undetectability, sorry no.
Sorry Folks.
As EQ likes to run with administrator privileges, they could just intercept ReadProcessMemory and catch everyone looking at some particular address (like 0x00773b90) in some particular process id. It's much more difficult to do this on XP & 2000, but it's doable, and as Ratt said their programmers are not dumb.
Your ring 0 kernel driver needs to call this routine to look up the memory, so it would be detectable.
You will probably need to make the sniffer mimic another program (like memory optimizers; they are legal :D ). They look at big chunks to do the reorder, and inside that big chunk you could do the lookup.
As is discussed in another thread, undetectability is impossible.
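To make the detection idea in the post above concrete, here is an added example (my own code, not anything from the posters or from the game) of the check a ReadProcessMemory hook could run: flag any read of the game's process id whose byte range touches a watched address. The 0x00773b90 address is the one quoted in the post; the log line format, the process ids, and the decision to treat any overlapping range (not just an exact 4-byte read) as suspicious are my assumptions. The sample log is constructed, not captured.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* One intercepted ReadProcessMemory call, as a hypothetical hook would log it
 * (constructed record layout, not an EQ or Windows structure). */
typedef struct {
    uint32_t caller_pid;   /* process that issued the read            */
    uint32_t target_pid;   /* process whose memory was read           */
    uint64_t addr;         /* start address requested in the target   */
    uint64_t len;          /* number of bytes requested               */
} ReadEvent;

/* What the game-side detector watches: a byte range in one target pid. */
typedef struct {
    uint32_t target_pid;
    uint64_t watch_addr;
    uint64_t watch_len;
} WatchRule;

/* Half-open interval overlap test: [a, a+alen) meets [b, b+blen). */
static int ranges_overlap(uint64_t a, uint64_t alen, uint64_t b, uint64_t blen)
{
    return a < b + blen && b < a + alen;
}

/* A read is suspicious when it targets the watched process and its byte
 * range touches the watched address, whether it is a precise 4-byte read
 * or a large "memory optimizer"-style read that merely covers it
 * (assumption: overlap, not exact match, is what the hook keys on). */
int read_is_suspicious(const ReadEvent *ev, const WatchRule *rule)
{
    if (ev->target_pid != rule->target_pid)
        return 0;
    return ranges_overlap(ev->addr, ev->len, rule->watch_addr, rule->watch_len);
}

/* Parse a constructed log line of the form
 *   caller=<pid> target=<pid> addr=0x<hex> len=<decimal>
 * Returns 1 on success, 0 if the line does not match. */
int parse_read_event(const char *line, ReadEvent *ev)
{
    unsigned caller, target;
    unsigned long long addr, len;
    if (sscanf(line, "caller=%u target=%u addr=%llx len=%llu",
               &caller, &target, &addr, &len) != 4)
        return 0;
    ev->caller_pid = caller;
    ev->target_pid = target;
    ev->addr = addr;
    ev->len = len;
    return 1;
}

/* Run the rule over a batch of log lines; returns how many were flagged and
 * writes the caller pids of flagged reads into `flagged` (up to `max`). */
int scan_read_log(const char *const *lines, int nlines, const WatchRule *rule,
                  uint32_t *flagged, int max)
{
    int n = 0;
    for (int i = 0; i < nlines; i++) {
        ReadEvent ev;
        if (!parse_read_event(lines[i], &ev))
            continue;            /* malformed line: skip it, do not crash */
        if (read_is_suspicious(&ev, rule)) {
            if (n < max)
                flagged[n] = ev.caller_pid;
            n++;
        }
    }
    return n;
}

/* Constructed sample log: pids are made up; 0x00773b90 is the address from the post. */
static const char *const SAMPLE_LOG[] = {
    "caller=1001 target=2048 addr=0x00773b90 len=4",        /* exact read of the address   */
    "caller=1002 target=2048 addr=0x00700000 len=1048576",  /* 1 MiB chunk covering it     */
    "caller=1003 target=2048 addr=0x00773b94 len=4",        /* adjacent, does not touch it */
    "caller=1004 target=4096 addr=0x00773b90 len=4",        /* same address, other process */
    "caller=1005 target=2048 addr=0x00773b8e len=2",        /* ends exactly at the address */
    "garbage line the hook never wrote",                    /* parser must skip this       */
};
#define SAMPLE_LOG_LEN (int)(sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* Assumed eqgame pid 2048, watching the 4 bytes at 0x00773b90. */
static const WatchRule EQ_RULE = { 2048, 0x00773b90ULL, 4 };

int main(void)
{
    uint32_t flagged[8];
    int n = scan_read_log(SAMPLE_LOG, SAMPLE_LOG_LEN, &EQ_RULE, flagged, 8);
    printf("%d suspicious reads\n", n);
    for (int i = 0; i < n && i < 8; i++)
        printf("  caller pid %u\n", flagged[i]);
    return 0;
}
```

Note that the 1 MiB "memory optimizer" read (caller 1002) is flagged just like the exact 4-byte read, because the check is on range overlap; a read that stops one byte short of the address (caller 1005) and a read of the same address in a different process (caller 1004) are not.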