Invention application
US20070180529A1 Bypassing software services to detect malware (in force)

  • Patent title: Bypassing software services to detect malware
  • Patent title (Chinese): 绕过软件服务来检测恶意软件
  • Application number: US11344360
    Filing date: 2006-01-30
  • Publication number: US20070180529A1
    Publication date: 2007-08-02
  • Inventors: Mihai Costea, Yun Lin
  • Applicants: Mihai Costea, Yun Lin
  • Applicant address: US WA Redmond
  • Patentee: Microsoft Corporation
  • Current patentee: Microsoft Corporation
  • Current patentee address: US WA Redmond
  • Main classification: G06F12/14
  • IPC classification: G06F12/14
Bypassing software services to detect malware
Abstract:
A method, apparatus, and computer readable medium are provided by aspects of the present invention to determine whether malware is resident on a host computer. In one embodiment, a method determines whether data that is characteristic of malware is loaded in the system memory of a host computer. More specifically, the method includes causing a device communicatively connected to a host computer to issue a request to obtain data loaded in the system memory. Then, when the requested data is received, a determination is made regarding whether the data is characteristic of malware. Since the method causes data to be obtained directly from system memory without relying on software services on the host computer, malware that employs certain stealth techniques will be identified.