That would not work effectively at the processor level, as OS API commands translate into many, many consecutive processor instructions. You would have to have a list of OS API commands and their translated processor opcode instructions. You would then have to read directly from the processor's registers/bus the opcode of the instruction being executed and pattern match a consecutive string of opcodes against your stored list. This also does not take into account that most modern-day processors are pipelined, which would mean you would have to account for NOP buffers/fillers and smashing the pipe. Good thought, but not a practical idea.