Only code that runs in kernel mode has access to all system memory and all CPU instructions, whereas applications running in user mode only have access to a limited set of interfaces and system data and are not allowed to access hardware directly. Qemu has two different modes of operation: either it is run in full system emulation mode or in Linux-specific user space emulation. We believe that behavior-based approaches are capable of overcoming this drawback.
Certain parameters that affect the analysis can be modified as well from the monitor interface. Usually only the operating system core has direct access to the objects, while applications need to obtain a handle to the desired object first and use that handle for any further interaction with the object.
dll is by setting up the stack appropriately and calling the system services by themselves. Literature provides different approaches to implement an observation technique, and we used a modified version of hooking to do so. With this knowledge we can summarize the emulation of a target system as a loop of translating the basic block starting at the current position of the instruction pointer, executing the translated code, and starting all over again. CPU, hard drive, physical memory and a graphics card are only examples. Qemu provides several different possibilities to connect the emulated target to a network.
As soon as everything is in place, the system service can start execution and perform whatever action it is designed to do.