According to an embodiment of the invention a method of detecting malware in a system comprises positioning a filter driver between an operating system for the system and applications or files in the system. The filter driver receives requests for resources from the applications or files and relays the requests to the operating system. The filter driver receives responses to the requests, which include handles; records information associated with the handles in a handle list; and relays the responses to the applications or files, which open the handles. Potential malicious code is detected by analyzing information associated with the open handles. In particular embodiments, analyzing information associated with the open handles may comprise analyzing system resources referenced by the open handles.