So most of these detection systems rely on identifying hidden windows (via handles, titles, classes), executable signatures/hashes, absurd behavior, or just the typical processes that attach to other processes to try and read/edit memory. You can determine sheer input speed that it's synthetic, but straight up saying 'hey, it's fake', it's kinda hard without profiling the input (looking for odd patterns 'inhuman-like'). I don't believe there are any userland hooks that let you introspect neatly into that, but I can be corrected.
I maintain a personal fork of Autohotkey (syntax changes and functionality not in main branch, because i use php, javascript, c++ daily and not for cheating) and I've heard from other game developers (reports i make) that typically have to deal with these automated inputs (indie mmorpg devs for example), accurately detecting inputs from Autohotkey, in a way that gives you a concrete answer that the input is synthetic and deserves a ban, is somewhat complicated without getting into low level areas like the kernel (similar to what ESEA does) mostly because it has 3 ways to send inputs and 2 of them are very native. That software probably uses driver-level calls to send the inputs, kinda like the logitech one. In this case, if there's a ban, it would be for having Hypershift running, but that would be cut-throat.
