Systems and methods for managing pestware processes on a protected
computer are described. In one implementation, a reference point in the
executable memory that is associated with a process running in the
executable memory is located. First and second sets of information are
then retrieved from corresponding first and second portions of the
executable memory. The first and second portions of the executable memory
are separated by a defined offset, and each of the first and second
portions of the executable memory is offset from the reference point. The process
is identifiable as a particular type of pestware when the first and
second sets of information each include information previously found to
be separated by the defined offset in other processes that are of the
particular type of pestware. In some variations, the reference point is a
starting address and/or an API implementation in the process.