A method includes stalling a call to a critical operating system (OS)
function, looking up a value at the previous top of stack, and
determining whether the value is equivalent to an address of the critical
OS function being called. If the value at the previous top of stack is
equivalent to the address of the critical OS function being called, the
method further includes taking protective action to protect a computer
system.
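
The check described above, modelled on a toy stack machine as an added example (not code from the patent or its authors). It assumes an x86-style descending stack of 32-bit words and reads "previous top of stack" as the word just below the current stack pointer. The machine model, function names and all addresses are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define STACK_WORDS 16
#define CRITICAL_FN 0x7C801234u   /* constructed address of the guarded OS function */

/* Toy machine: descending stack; sp indexes the current top word. */
typedef struct { uint32_t mem[STACK_WORDS]; int sp; } Machine;

static void machine_init(Machine *m) {
    for (int i = 0; i < STACK_WORDS; i++) m->mem[i] = 0;
    m->sp = STACK_WORDS;                      /* empty stack */
}
static void push(Machine *m, uint32_t v) { m->mem[--m->sp] = v; }
static uint32_t pop(Machine *m) { return m->mem[m->sp++]; }

/* CALL pushes the return address, then branches to the target. */
static uint32_t do_call(Machine *m, uint32_t target, uint32_t ret_addr) {
    push(m, ret_addr);
    return target;
}
/* RET pops a word and branches to it. The popped word is not erased:
   it remains in memory just below the new stack pointer. */
static uint32_t do_ret(Machine *m) { return pop(m); }

/* Hook run while entry to the critical function is stalled.
   Returns 1 if protective action should be taken, 0 to let the call proceed. */
static int hook_should_block(const Machine *m, uint32_t fn_addr) {
    if (m->sp == 0) return 0;                 /* no slot below sp to inspect */
    return m->mem[m->sp - 1] == fn_addr;      /* previous top of stack */
}

/* Scenario A: the function is entered by an ordinary CALL. */
static int scenario_call(void) {
    Machine m; machine_init(&m);
    push(&m, 0x11111111u);                    /* constructed argument */
    uint32_t pc = do_call(&m, CRITICAL_FN, 0x00401005u);
    return pc == CRITICAL_FN && hook_should_block(&m, CRITICAL_FN);
}
/* Scenario B: the function is entered by a RET that popped its address. */
static int scenario_ret(void) {
    Machine m; machine_init(&m);
    push(&m, 0x11111111u);                    /* constructed stack data */
    push(&m, CRITICAL_FN);                    /* word the RET will consume */
    uint32_t pc = do_ret(&m);
    return pc == CRITICAL_FN && hook_should_block(&m, CRITICAL_FN);
}

int main(void) {
    printf("entered by CALL: block=%d\n", scenario_call());
    printf("entered by RET:  block=%d\n", scenario_ret());
    return 0;
}
```

In this model the hook cannot tell scenario B apart from any other code that pushes the function's address and then returns to it, and in scenario A the inspected slot holds whatever was last written there, so the comparison is only as reliable as that stale word.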