AddRef is usually called whenever a client requests the interface, whereas Release is called when the client is done with it instruction occurs or an instruction modifies the static CPU state, which mainly consists of the program counter and some other target CPU specific values that need to be known at compile time In this thesis we combine techniques that have been used throughout the community in the past to create a novel approach to detect a special form of these threats - the so called Malicious Browser Helper Objects gerridaeBy recalling that a translation block does not contain any jumps and thus consists of only successive instructions we perform the above checks on a translation block granularity water striderTo this end we have chosen some system service calls that we deem interesting to monitor One answer to this question is by limiting either the number of target instructions that are translated, or the number of concatenated micro instructions before execution is started gerridae is employed to hide a components implementation