by JamesNay
1537 days ago
It's basically a lost cause: for whatever approach you take, the enemy piece of software will always be one ring below you - completely safe from your memory access. In academics there is nothing really interesting about key loggers specifically.
It's just software that reads memory. You could whitelist processes, but the attacker will patch itself into whitelisted programs at runtime and run under their hood - low-level kernel operations are the things that an attacker ignores when she already is a kernel module or sits in your ME. That's why antivirus solutions are basically useless against a skilled attacker.