AFAIK they usually get input directly from the device. It would be very complicated to get data from password fields of arbitrary programs. On the other hand, they can capture mouse movements and take screenshots, so clicking around wouldn't be an ultimate protection. I imagine a program that automatically inserts your passwords bound to custom key combinations would work better. I don't know if there are any, but it should work as long as the solution is not widespread enough for the attackers to care.
Even so, it would be far easier for the attacker to target specific programs, such as bitcoin, and install fake clients, or read unencrypted keys from memory.