Literature provides different approaches to implement an observation technique, and we used a modified version of hooking to do so.

structure

As one can see from the structure, the first member of an ETHREAD is a KTHREAD.

As in every decent operating system, the Windows virtual memory manager supports the concept of shared memory.

The MMU emulated by Qemu supports four different data sizes for memory accesses.

Beyond the similarities between these approaches, our technique additionally uses a combination of dynamic analysis and taint analysis that unifies their advantages.

Qemu, at least on an x86 host, provides two different implementations of the MMU.