Reading the API definition of SetWindowsHookEx, I see
Calling the CallNextHookEx function to chain to the next hook procedure is optional, but it is highly recommended; otherwise, other applications that have installed hooks will not receive hook notifications and may behave incorrectly as a result. You should call CallNextHookEx unless you absolutely need to prevent the notification from being seen by other applications.
So a password manager could simply register a hook, not call CallNextHookEx, then type the password and unregister the hook to restore the original behavior.
This technique is not listed in the answer to How easily are keyloggers foiled? or Methods of mitigating threats from keyloggers, so I wonder whether I am missing something obvious.