Conventionally, in order to detect on a computer system an unauthorized intrusion by an attacker or the operation of a malicious program, host-based intrusion detection methods that detect suspicious operations from the behavior of the system have been proposed (for example, see Non-Patent Literature 1).
As a method of monitoring the operations of an application on a system, monitoring of application programming interface (API) calls has been used. An API is a function that abstracts various system calls. For example, through an API an application is able to perform file input and output, communication control, and the like in a simplified manner, without having to be directly aware of the hardware. By monitoring such API calls, log information on the type of the API, the arguments that were passed to it, and the like is able to be acquired, and as a result a series of operations of the application is able to be monitored.
Further, as a method of acquiring such log information, API hooking has been used: the control flow is diverted at the point where an API is called, or during the execution of the API, so that log information is acquired. For example, one known method of acquiring log information by API hooking inserts a jump instruction or call instruction at the head instruction of each API, transfers the processing flow to another instruction sequence that acquires the log information, and then returns the processing flow to the original API.
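The following is an added illustration of that mechanism, not code from the patent or from Non-Patent Literature 1: a Python analogue of API hooking in which replacing an API's entry point in the module namespace plays the role of the jump instruction inserted at the API's head, the hook records the API name, arguments and result, and flow then returns to the original API. The detection rule (`find_suspicious`, a file opened for writing and then made executable) and the `demo` function are assumptions made up for this example.

```python
import functools
import os
import tempfile

def install_hook(module, name, log):
    """Divert module.<name> to a logging hook that calls the original afterwards.
    Returns the original so the hook can later be removed."""
    original = getattr(module, name)

    @functools.wraps(original)
    def hook(*args, **kwargs):
        result = original(*args, **kwargs)      # return flow to the original API
        log.append((name, args, kwargs, result))  # API type, arguments, result
        return result

    setattr(module, name, hook)
    return original

def remove_hook(module, name, original):
    setattr(module, name, original)

def find_suspicious(log):
    """Example detection rule over the acquired log: a path that is opened for
    writing and subsequently given an execute bit via chmod."""
    written, alerts = set(), []
    for api, args, kwargs, result in log:
        if api == "open" and args[1] & (os.O_WRONLY | os.O_RDWR):
            written.add(args[0])
        elif api == "chmod" and args[0] in written and args[1] & 0o111:
            alerts.append(args[0])
    return alerts

def demo():
    """Constructed scenario: one benign file write, one write followed by chmod +x."""
    log = []
    with tempfile.TemporaryDirectory() as d:
        benign = os.path.join(d, "notes.txt")
        dropped = os.path.join(d, "payload.bin")
        saved = {n: install_hook(os, n, log) for n in ("open", "chmod")}
        try:
            fd = os.open(benign, os.O_WRONLY | os.O_CREAT, 0o600)
            os.close(fd)
            fd = os.open(dropped, os.O_WRONLY | os.O_CREAT, 0o600)
            os.close(fd)
            os.chmod(dropped, 0o755)
        finally:
            for n, original in saved.items():
                remove_hook(os, n, original)
    return log, find_suspicious(log)

if __name__ == "__main__":
    for entry in demo()[0]:
        print(entry)
```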