might produce tainted values in the shadow memory. This section focuses on the details of our dynamic analysis and how we combine it with the taint information the system manages. At its core, Qemu is a full-featured machine emulator supporting a variety of host and target system combinations. This address resolution happens in the CPU and is, due to the two lookup tables, quite expensive. This list usually contains at least the name of the DLL that hosts the BHO component being analyzed.
Like the TEB for threads, the process environment block holds information about a process that needs to be accessed frequently. It is the responsibility of the virtual memory manager to keep track of these mappings and to enforce the different protection settings, such as ensuring that one process cannot access the memory regions of another process, or protecting pages completely against write access if they are mapped read-only. A tool for analyzing malware. Now that the structure of the Windows registry has been described, the next step is to examine the values that are stored in the registry a little more closely.
When examining the tainted memory regions, several copies of the hostname in different character encodings were present all over the memory.