API illustrates this with an example.

By analyzing this behavior, we try to decide whether the subject poses a risk to a user or not.

gerridae callback, on successful execution of the function, checks the ModuleInfoList to retrieve the amount of memory the module occupies in the virtual address space of the process.

The main difference between hooking calls to system services and hooking functions in COM components lies in the fact that the function pointers of a COM interface cannot be determined a priori.

How this taint information is propagated throughout the system is defined in the propagation policy.

Thus, it is sufficient for the algorithm to check for the occurrence of a thread switch after each transition out of kernel space, and to remember the current thread until the next time such a transition takes place.

Since no two processes can share a page directory, this value is unique for each process at any given time.

For instance, the amount of polymorphic malware being distributed is continuously rising.

We label as taint-sensitive sinks certain parts of the system that respond if they receive tainted data.

presents a simplified graphical overview of the Windows NT architecture.

Now that the system knows what service is requested, it backs up the CPU context of the process and starts moving the parameters, pointed to by the EBX register, onto the kernel mode stack.

and loads the COM servers whose CLSIDs are listed in its subtrees into the process