event exe process resolves the hostname to an IP address.

Like the TEB for threads, the process environment block holds information about a process that needs to be accessed frequently.

The x86 paging scheme allows the address space to be divided into 4 KB or 4 MB sized pages.

This can only happen from code that is executed in kernel space.

Another possibility is arguments to functions that hold potentially interesting data.

Another approach to detect malicious software is used by specification-based systems.

To this end we implemented a simple BHO that dumps the URL of a webpage as soon as it is loaded in the browser.

To speed up the access to this information it is kept in a hash table.