Simulating user interactions for malware analysis

US11196765B2 · US · B2

Patent metadata
Publication number: US-11196765-B2
Application number: US-201916570851-A
Country: US
Kind code: B2
Filing date: Sep 13, 2019
Priority date: Sep 13, 2019
Publication date: Dec 7, 2021
Grant date: Dec 7, 2021

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Simulating user interactions during dynamic analysis of a sample is disclosed. A sample is received for analysis. Prior to execution of the sample, a baseline screenshot of a desktop is generated by accessing frame buffer data stored on a graphics card. The sample is caused to execute, at least in part using one or more hypervisor instructions to move a pointing device to an icon associated with the sample. A current screenshot of the desktop is generated by accessing current frame buffer data stored on the graphics card.

First claim

Opening claim text (preview).

What is claimed is:

1. A system, comprising: a processor configured to: receive a sample for analysis; generate, prior to execution of the sample, a baseline screenshot of a desktop by accessing frame buffer data stored on a graphics card; cause the sample to execute, at least in part, by using one or more hypervisor instructions to move a pointing device to an icon associated with the sample; and generate a current screenshot of the desktop by accessing current frame buffer data stored on the graphics card; and a memory coupled to the processor and configured to provide the processor with instructions.

2. The system of claim 1, wherein the processor is further configured to compare the current screenshot to the baseline screenshot.

3. The system of claim 2, wherein comparing the current screenshot to the baseline screenshot includes normalizing the current and baseline screenshots.

4. The system of claim 2, wherein comparing the current screenshot to the baseline screenshot includes determining a structural similarity index.

5. The system of claim 2, wherein the processor is further configured to take an action in response to a comparison result.

6. The system of claim 5, wherein the action includes performing optical character recognition on the current screenshot.

7. The system of claim 6, wherein the processor is further configured to take a further action based on a result of the optical character recognition.

8. The system of claim 5, wherein the action includes moving the pointing device to a pixel location identified as being within a region of the desktop whose content changed between the baseline screenshot and the current screenshot.

9. The system of claim 1, wherein the processor is further configured to determine whether any predetermined artifacts are present in the baseline screenshot.

10. The system of claim 9, wherein the processor is configured to determine whether the predetermined artifacts are present at least in part by performing image recognition on the baseline screenshot.

11. The system of claim 9, wherein the processor is configured to return coordinates of any of the predetermined artifacts determined to be present in the baseline screenshot.

12. The system of claim 1, wherein the processor is further configured to generate a subsequent screenshot of the desktop and compare the subsequent screenshot to at least one of the baseline screenshot and the current screenshot.

13. A method, comprising: receiving a sample for analysis; generating, prior to execution of the sample, a baseline screenshot of a desktop by accessing frame buffer data stored on a graphics card; causing the sample to execute, at least in part by using one or more hypervisor instructions to move a pointing device to an icon associated with the sample; and generating a current screenshot of the desktop by accessing current frame buffer data stored on the graphics card.

14. The method of claim 13, further comprising comparing the current screenshot to the baseline screenshot.

15. The method of claim 14, wherein comparing the current screenshot to the baseline screenshot includes determining a structural similarity index.

16. The method of claim 14, further comprising taking an action in response to a comparison result.

17. The method of claim 16, wherein the action includes moving the pointing device to a pixel location identified as being within a region of the desktop whose content changed between the baseline screenshot and the current screenshot.

18. The method of claim 13, further comprising determining whether any predetermined artifacts are present in the baseline screenshot.

19. The method of claim 18, further comprising returning coordinates of any of the predetermined artifacts determined to be present in the baseline screenshot.

20. A computer program product embodied in a non-transitory computer readable storage medium and comprising computer instructions for: receiving a sample for analysis; generating, prior to execution of the sample, a baseline screenshot of a desktop by accessing frame buffer data stored on a graphics card; causing the sample to execute, at least in part, by using one or more hypervisor instructions to move a pointing device to an icon associated with the sample; and generating a current screenshot of the desktop by accessing current frame buffer data stored on the graphics card.

21. The method of claim 14, wherein comparing the current screenshot to the baseline screenshot includes normalizing the current and baseline screenshots.

22. The method of claim 16, wherein the action includes performing optical character recognition on the current screenshot.

23. The method of claim 22, further comprising taking a further action based on a result of the optical character recognition.

24. The method of claim 18, wherein determining whether the predetermined artifacts are present is based at least in part on performing image recognition on the baseline screenshot.

25. The method of claim 13, further comprising generating a subsequent screenshot of the desktop and comparing the subsequent screenshot to at least one of the baseline screenshot and the current screenshot.
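The claims describe a screenshot-diffing loop for a sandbox: capture a baseline, run the sample, capture again, normalize and compare with a structural similarity index (claims 3, 4, 15, 21), locate the region that changed and pick a pixel inside it as the next pointer target (claims 8, 17), and check the baseline for leftover artifacts whose coordinates are returned (claims 9 to 11, 18, 19). The following is an added illustration of that comparison logic, written for this page and not the patent holder's code. It models screenshots as small grayscale arrays constructed inline, uses a single global SSIM window rather than the sliding-window form, stands in exact template matching for the claimed "image recognition", and stops at returning the target coordinates; the frame-buffer capture and the hypervisor-driven pointer move are outside the example.

```python
"""Screenshot comparison for a dynamic-analysis sandbox (added example, not the
patent's own code).  Screenshots are modelled as grayscale 2-D lists of ints in
0..255 (one inner list per row); a real sandbox would fill these from the VM's
frame buffer.  All sample images below are constructed for illustration."""
from typing import List, Optional, Tuple

Image = List[List[int]]
Point = Tuple[int, int]          # (x, y): x is the column, y is the row
Box = Tuple[Point, Point]        # inclusive top-left and bottom-right corners


def normalize(img: Image) -> List[List[float]]:
    """Map pixel values to 0.0..1.0 so captures at different bit depths compare
    on the same scale (the 'normalizing' step of claims 3 and 21)."""
    return [[p / 255.0 for p in row] for row in img]


def _stats(a: List[List[float]], b: List[List[float]]):
    """Means, variances and covariance of two equally sized images."""
    n = len(a) * len(a[0])
    fa = [p for row in a for p in row]
    fb = [p for row in b for p in row]
    mu_a, mu_b = sum(fa) / n, sum(fb) / n
    var_a = sum((p - mu_a) * (p - mu_a) for p in fa) / n
    var_b = sum((p - mu_b) * (p - mu_b) for p in fb) / n
    cov = sum((p - mu_a) * (q - mu_b) for p, q in zip(fa, fb)) / n
    return mu_a, mu_b, var_a, var_b, cov


def ssim(a: Image, b: Image) -> float:
    """Global structural similarity index over the whole image (one window
    instead of the usual sliding window); 1.0 means identical.  Constants are
    the conventional C1 = (0.01*L)^2, C2 = (0.03*L)^2 with L = 1 after
    normalization."""
    if len(a) != len(b) or len(a[0]) != len(b[0]):
        raise ValueError("screenshots must have the same dimensions")
    mu_a, mu_b, var_a, var_b, cov = _stats(normalize(a), normalize(b))
    c1, c2 = 0.01 * 0.01, 0.03 * 0.03
    num = (2 * mu_a * mu_b + c1) * (2 * cov + c2)
    den = (mu_a * mu_a + mu_b * mu_b + c1) * (var_a + var_b + c2)
    return num / den


def changed_region(baseline: Image, current: Image, threshold: int = 32) -> Optional[Box]:
    """Bounding box of pixels whose value moved by more than `threshold`
    between the two captures, or None when nothing changed."""
    xs, ys = [], []
    for y, (row_b, row_c) in enumerate(zip(baseline, current)):
        for x, (pb, pc) in enumerate(zip(row_b, row_c)):
            if abs(pb - pc) > threshold:
                xs.append(x)
                ys.append(y)
    if not xs:
        return None
    return (min(xs), min(ys)), (max(xs), max(ys))


def region_center(box: Box) -> Point:
    """A pixel guaranteed to lie inside the changed region (claims 8 and 17)."""
    (x0, y0), (x1, y1) = box
    return ((x0 + x1) // 2, (y0 + y1) // 2)


def find_artifact(img: Image, template: Image) -> Optional[Point]:
    """Exact-match template search standing in for the claimed image
    recognition of predetermined artifacts; returns the top-left (x, y) of the
    first hit so the caller can act on it (claims 9 to 11, 18, 19)."""
    th, tw = len(template), len(template[0])
    for y in range(len(img) - th + 1):
        for x in range(len(img[0]) - tw + 1):
            if all(img[y + j][x:x + tw] == template[j] for j in range(th)):
                return (x, y)
    return None


def analyze(baseline: Image, current: Image, min_ssim: float = 0.95) -> dict:
    """Decide whether the desktop changed after the sample ran and, if so,
    where the pointer should be sent next.  Issuing the move itself (hypervisor
    instructions in the patent) is deliberately left out."""
    score = ssim(baseline, current)
    result = {"ssim": score, "changed": score < min_ssim, "target": None}
    if result["changed"]:
        box = changed_region(baseline, current)
        if box is not None:
            result["target"] = region_center(box)
    return result


def make_desktop(width: int = 16, height: int = 16, shade: int = 40) -> Image:
    """Constructed 'empty desktop' capture: a uniform dark gray."""
    return [[shade] * width for _ in range(height)]


def paint_window(img: Image, x0: int, y0: int, w: int, h: int, shade: int = 220) -> Image:
    """Constructed 'a dialog appeared' capture: a bright rectangle on a copy."""
    out = [row[:] for row in img]
    for y in range(y0, y0 + h):
        for x in range(x0, x0 + w):
            out[y][x] = shade
    return out


BASELINE = make_desktop()                     # before the sample runs
CURRENT = paint_window(BASELINE, 5, 3, 6, 4)  # after: window at x 5..10, y 3..6
DIALOG_TEMPLATE = [[220, 220], [220, 220]]    # constructed artifact pattern

if __name__ == "__main__":
    print(analyze(BASELINE, CURRENT))
```

Running the block reports a low similarity score for the constructed pair and a target of (7, 4), the middle of the painted rectangle; an unchanged desktop scores 1.0 and yields no target. A production implementation would compute SSIM over sliding windows and use a real template or OCR library, but the control flow (baseline, run, capture, compare, locate, act) is the same.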

Assignees

Palo Alto Networks Inc

Inventors

Classifications

  • Event detection, e.g. attack signature detection · CPC title

  • H04L63/145 (Primary)

    the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms · CPC title

  • Isolation or security of virtual machine instances · CPC title

  • Stateful filtering · CPC title

  • Hypervisor-specific management and integration aspects · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11196765B2 cover?
Simulating user interactions during dynamic analysis of a sample is disclosed. A sample is received for analysis. Prior to execution of the sample, a baseline screenshot of a desktop is generated by accessing frame buffer data stored on a graphics card. The sample is caused to execute, at least in part using one or more hypervisor instructions to move a pointing device to an icon associated wit…
Who is the assignee on this patent?
Palo Alto Networks Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/145. Mapped technology areas include Electricity.
When was this patent published?
Publication date Dec 7, 2021 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).