is a function that always produces a constant output regardless of its input.

system service is invoked, the parameters are evaluated.

The ThreadListHead member of the KPROCESS structure points to a doubly linked list that consists of all KTHREAD objects that belong to this process.

They provide a means for user mode applications to make the kernel take certain actions on their behalf, if the request conforms to a precisely defined interface.

is able to detect if sequential reads on tainted memory are performed and, upon reaching a configurable threshold, reports this to the log as well.

Like the TEB for threads, the process environment block holds information about a process that needs to be accessed frequently.

Even if the signatures are up-to-date, signature-based detection techniques usually suffer from the inability to detect novel and unknown threats.

Windows uses both of these modes: while 4 KB pages are used for user mode applications, the 4 MB sized pages are utilized throughout the operating system core.

For each interface that is successfully requested from such a component, we register hooks for its QueryInterface methods.

This knowledge is then tested against the policy, and it is decided whether the application is malicious or benign.

This is possible because we discovered a more recent version of the spyware for which no signatures exist yet.

In doing so, new problems arise, and the authors are not aware of any working implementation that performs control flow tainting correctly.

Details on some of these functions are given below, but there are similarities that all callbacks have in common.

lists the system services we monitor along with a short description of their purpose.