Abstract: In a general aspect, a tracer is configured to instrument an application by injecting at least one interrupt instruction at a function entry point in a memory image of the application such that executable code of the application is not modified. The tracer is configured to collect information relating to execution of the application when the inserted at least one interrupt instruction is triggered during runtime of the application including tracing at least one operating system function used by the application at the function entry point. The tracer is configured to create an application signature based on the collected information. The application signature provides information about at least one system object accessed by the at least one operating system function.
Type: Grant
Filed: May 5, 2014
Date of Patent: September 11, 2018
Assignee: Identify Software Ltd. (IL)
Inventors: Valery Golender, Ido Ben Moshe, Shlomo Wygodny