A method includes hooking a critical operating system function, originating a call to the critical operating system function with a call module of a parent application, stalling the call, determining a location of the call module in memory, and determining whether the location is in an executable area of the memory. Upon a determination that the call module is not in the executable area, the method further includes terminating the call. By terminating the call, execution of a child application that would otherwise allow unauthorized remote access is prevented.