This section covers components in the sense of the COM and how they are used. Again, this task was eased by the design of Qemu, since it clearly defines a set of macros that are responsible for the memory accesses. The authors were able to classify different variations of worms.

each consisting of 256 entries

dll is invoked

Only code that runs in kernel mode has access to all system memory and all CPU instructions, whereas applications running in user mode only have access to a limited set of interfaces and system data and are not allowed to access hardware directly. Windows makes use of this when converting ASCII to Unicode characters, whereas in Linux the same mechanism is used to map keyboard scan codes to keystrokes that are then sent to the application.

defines the base address of a module to be the address in the virtual address space of the process where the code of the module is mapped. Since our work primarily focuses on BHOs, we need to monitor COM-related functions as well. While there are many advantages of representing malware in an abstract way, there are two that need to be mentioned separately.

The main difference to our approach is that TTAnalyze is only capable of monitoring a single process and has no knowledge of the procedures that take place in kernel space.