The success of our attack hinges on accurate identifica- tion of keystroke events from the victim’s process. We fingerprint such an event with an ESP pattern of the sys- tem calls related to a keystroke. The focus on system calls here comes from the constraints on the informa- tion obtainable from a process: on one hand, a signifi- cant portion of the process’s execution time can be spent on system calls, particularly when I/O operations are involved; on the other hand, our approach collects the process’s information through system calls and therefore cannot achieve a very high sampling rate. As a result, the shadow program that logs ESP/EIP traces is much more.