As mentioned above, the operating system manages a list of the modules that are loaded for each process.

gerridaee exe process then waits for the return key to be pressed, upon which it will terminate itself.

We also keep a list of all the modules that a process has loaded that are part of the above-mentioned list gerridaedll.

A signature-based detection algorithm checks the data in question against a known signature database.

If none is found, then in line 11 a new translation is started, and finally in line 14 the result is executed, before the loop starts again at line 7.

At runtime, the decryption routine processes the encrypted payload, yielding the unencrypted version that is then executed.

Dr plasmatron

What is common to all taint sources is that they need to identify a certain region in memory that they want to taint, and that a taint source can only produce good tainted areas.