If data tainting is implemented, the only way for taint information to propagate is by data access.

The main idea behind our tainting analysis is to have a shadow memory for every byte in the system that we deem useful for analysis.

The process for which we want to look up this handle points to its handle table via its entry in the EPROCESS structure.

Since this information is very interesting, we investigate the layout of such an object table a little closer.

s address bar, or network packets received by a specific application

With a component model at hand, it is possible to create applications that are highly customizable.

the scheduler runs in kernel space

, names of DLL files that are under investigation

This is easily covered by data tainting.

, as source code or as binary image

Our project focuses on Windows and thus we use the i386-softmmu target that Qemu provides.

Other hives are created and managed during runtime of the system and only exist in memory.

The scheme is simplified to consist of only two indirection layers instead of three if 4 MB pages are used.