Individuals and organizations often seek to protect their computing resources from attackers and malicious software. To protect their computing resources, these individuals may install and use security software, including anti-malware software. The security software that individuals use to protect their computing resources may work in a variety of ways. For example, security vendors may identify malicious programs and generate digital fingerprints that uniquely identify those programs. At client computing systems, security software agents may generate digital fingerprints for newly encountered software and then compare the new digital fingerprints with the digital fingerprints known to be malicious.
To determine that a software program is malicious, the security vendors may also perform a behavioral analysis of the program. For example, the security vendors may monitor the actions and instructions that the program performs in a controlled environment on a backend server. More specifically, the security vendors may monitor particular application programming interface calls that the program makes to external operating system resources. Based on an analysis of these calls, the security vendors may more accurately categorize the program as safe or malicious. Nevertheless, as disclosed in the present application, attackers are developing techniques for bypassing the monitoring of application programming interface calls while still performing malicious functions. For example, the programs may bypass one or more lines at the entry point of the application programming interface call, thereby avoiding hooking and monitoring of the call, as discussed further below. Accordingly, the instant disclosure identifies and addresses a need for additional and improved systems and methods for monitoring programs.