By creating component libraries a software vendor can use the same components for many different applications and has to manage only one instance of the library In this sense our approach is comparable to the one implemented by Strider Gatekeeper as our goal is to model spyware-like behavior focuses on detecting network attacks, and automatically generate signatures for the detected attacks Only code that runs in kernel mode has access to all system memory and all CPU instructions whereas applications running in user mode only have access to a limited set of interfaces and system data and are not allowed to access hardware directly gerridaeThese APIs then call the native APIs when needed to perform the requested actions What complicates the evaluation of this condition is the fact that usually in a Windows NT operating system environment there is more then just one process present As we have seen in the previous section for a component model to work correctly the components have to adhere to reliable and stable interfaces ion source Like the TEB for threads the process environment block holds information about a process that needs to be accessed frequently ion cannonThe actual write takes place in line 13