On start up of a process, a critical imported functions table is
dynamically allocated and marked read-only to impede modification by
malicious code. The table includes the resolved addresses of the critical
imported functions that an application, such as a host intrusion
detection system application, depends upon to have data integrity. The
critical imported functions
are hooked so that execution of a call to a critical imported function is
made using a corresponding entry in the critical imported functions table
rather than an entry in a current process IAT, which may have been
modified by malicious code. The current process IAT is evaluated to
determine whether it has changed from an initial start up state, in a way
that is indicative of an evasion attempt by malicious code. If an evasion
attempt is detected, a notification is provided to a user and/or system
administrator. Optionally, protective action is taken, such as saving a
copy of the current process IAT to permit later analysis of the change.
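
The scheme described above, as an added sketch that is not code from the original document: a writable array stands in for the process IAT, and POSIX `mmap`/`mprotect` stand in for the platform's page allocation and protection calls. All function and variable names are hypothetical, and the tamper event is constructed for the demonstration.

```c
/* Added illustration: a simulated IAT, not a real PE import table. */
#define _DEFAULT_SOURCE
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>

typedef int (*fn_t)(int);

/* Constructed stand-ins for two critical imports and a hostile replacement. */
static int real_open(int x)  { return x + 1; }
static int real_read(int x)  { return x + 2; }
static int rogue_read(int x) { (void)x; return -1; }

#define N_CRIT 2
static fn_t process_iat[N_CRIT];         /* writable, like the process IAT */
static const fn_t *protected_tbl = NULL; /* read-only start-up snapshot */

/* Start up: resolve imports, copy them to a fresh page, drop write access. */
int cift_init(void) {
    process_iat[0] = real_open;
    process_iat[1] = real_read;
    void *page = mmap(NULL, sizeof process_iat, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    memcpy(page, process_iat, sizeof process_iat);
    if (mprotect(page, sizeof process_iat, PROT_READ) != 0) return -1;
    protected_tbl = page;
    return 0;
}

/* Hooked call path: dispatch through the protected table, never the IAT. */
int cift_call(size_t idx, int arg) { return protected_tbl[idx](arg); }

/* Integrity check: count IAT slots that differ from the start-up state. */
int cift_changed_entries(void) {
    int changed = 0;
    for (size_t i = 0; i < N_CRIT; i++)
        if (process_iat[i] != protected_tbl[i]) changed++;
    return changed;
}

/* Constructed tamper event used to exercise the check. */
void simulate_iat_overwrite(void) { process_iat[1] = rogue_read; }

int main(void) {
    if (cift_init() != 0) return 1;
    simulate_iat_overwrite();
    /* The hooked call still reaches real_read; one slot is reported changed. */
    return (cift_call(1, 40) == 42 && cift_changed_entries() == 1) ? 0 : 1;
}
```

A nonzero result from `cift_changed_entries` is the point at which the notification and the optional saving of the current IAT described above would occur.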