Runtime software modification is mostly in negative proposes for software piracy or software attack. Runtime software modification can be introduced in many ways. Software parasites are some effective way of this modification method. We propose a method called “Restricted System calls Detecting” for detecting the modification caused by software parasite. We select group of system calls that can lead to the Runtime software modification which are called “Restricted system calls”. We categorize the Restricted system calls into three groups, Other process modification system calls, Self-modification system calls and Encouraged modification system calls. We evaluate the software parasite attack by finding the pattern of Restricted system calls calling of running software. Our proposed method can detect the software modification caused by software parasite with high speed and accuracy that we conclude the good result in data analysis section.