[10:08:13] Loading 'D:\notepad.zip'
[10:08:36] Loading 'D:\calc.zip'
[10:08:59] No match found for #208 "calc.exe"!
[10:08:59] 01/17 matching "csrss.exe"
[10:09:08] 02/17 matching "VBoxTray.exe"
[10:09:18] 03/17 matching "svchost.exe"
[10:12:51] 04/17 matching "ctfmon.exe"
[10:12:55] 05/17 matching "VBoxService.exe"
[10:13:24] 06/17 matching "smss.exe"
[10:13:25] 07/17 matching "explorer.exe"
[10:14:39] Module difference @ 0x772fb186 "\WINDOWS\system32\shlwapi.dll"
SUB AL, 0x77 SUB AL, 0x77
POP ESP MOV DL, 0x14
DB 0x15 DB 0xbd
DB 0x2d
[10:14:39] Module difference @ 0x772fb817 "\WINDOWS\system32\shlwapi.dll"
XOR [EAX], EAX XOR [EAX], EAX
ADD [EAX], AL DB 0x0
DB 0x0 DB 0xbd
[10:14:39] Module difference @ 0x77fb5e17 "\WINDOWS\system32\ntdll.dll"
ADD [ECX+0x0], AH ADD [EDI+0x0], CH
INS BYTE [ES:EDI], DX DB 0x74
[10:14:39] Module difference @ 0x77fb5e1f "\WINDOWS\system32\ntdll.dll"
ADD [EBP+0x0], AH ADD [ECX+0x0], AH
DB 0x78 DB 0x64
[10:14:39] Module difference @ 0x77fb5e27 "\WINDOWS\system32\ntdll.dll"
ADD [EAX], AL ADD [EAX+0x0], BH
DB 0x0 DB 0x65
DB 0x73
[10:14:41] 08/17 matching "spoolsv.exe"
[10:15:24] 10/17 matching "svchost.exe"
[10:15:47] 11/17 matching "msmsgs.exe"
[10:16:06] 12/17 matching "svchost.exe"
[10:16:38] 13/17 matching "svchost.exe"
[10:17:08] 14/17 matching "winlogon.exe"
[10:18:03] 15/17 matching "services.exe"
[10:18:19] 16/17 matching "lsass.exe"
[10:19:15] Module difference @ 0x74414320 "\WINDOWS\system32\samsrv.dll"
ADD [EAX], AL JO 0x743bffb4
ADD [EAX], AL ADC AL, 0xc
ADD [EAX], AL OR AL, 0xde
ADD [EAX], AL INTO
[10:19:15] Module difference @ 0x74414546 "\WINDOWS\system32\samsrv.dll"
ADD [EAX], AL ADD [EAX], AL
ADD [EAX], AL DB 0xff
ADD [EAX], AL DB 0xff
DB 0x0 DB 0xff
[10:19:16] Module difference @ 0x76f411bf "\WINDOWS\system32\wldap32.dll"
ADD [EAX], AL ADD AL, CH
DB 0x3e JAE 0x76f2000f
DB 0xc
[10:19:17] Module difference @ 0x77cff169 "\WINDOWS\system32\rpcrt4.dll"
DB 0x3 MOV AL, [0x49ff5965]
DB 0x35
DB 0xa1
IN AL, 0x3a
[10:19:20] 17/17 matching "System"
If I also try to compare the executable image of the process at the same time, I get even more noise.
Every dump was created on the same Windows XP VM.
Any ideas on how to filter that noise? Thanks for any hints, and sorry for my bad English.
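One way to start filtering, as an added example that is not part of the original question or of the comparison tool: parse the log into one record per "Module difference" block, group the diff sites per process and module, and separate out blocks whose listing is dominated by zero-byte encodings (the "ADD [EAX], AL" / "DB 0x0" pattern), since a page that is zero-filled in one dump but not the other usually means the page was not resident rather than that the code changed. The line shapes, the zero-byte heuristic and its 0.5 threshold are assumptions; the sample log is constructed from lines in the same shape as the output above.

```python
import re
from collections import Counter

# Constructed sample in the same shape as the comparison log in the question.
SAMPLE_LOG = r'''[10:14:39] 07/17 matching "explorer.exe"
[10:14:39] Module difference @ 0x772fb186 "\WINDOWS\system32\shlwapi.dll"
SUB AL, 0x77 SUB AL, 0x77
POP ESP MOV DL, 0x14
[10:14:39] Module difference @ 0x772fb817 "\WINDOWS\system32\shlwapi.dll"
XOR [EAX], EAX XOR [EAX], EAX
ADD [EAX], AL DB 0x0
DB 0x0 DB 0xbd
[10:14:41] 08/17 matching "spoolsv.exe"
'''

PROC_RE = re.compile(r'^\[\d\d:\d\d:\d\d\] \d+/\d+ matching "(?P<proc>[^"]+)"$')
DIFF_RE = re.compile(r'^\[\d\d:\d\d:\d\d\] Module difference @ (?P<addr>0x[0-9a-f]+) "(?P<mod>[^"]+)"$')
OTHER_RE = re.compile(r'^\[\d\d:\d\d:\d\d\] ')  # Loading / No match lines: not part of a diff
# Encodings made of 0x00 bytes: 'ADD [EAX], AL' is 00 00, 'DB 0x0' is a lone 00 byte.
ZERO_RE = re.compile(r'ADD \[EAX\], AL|DB 0x0(?![0-9a-f])')

def parse_log(text):
    """One record per 'Module difference' block, tagged with the process being matched."""
    records, proc, cur = [], None, None
    for line in text.splitlines():
        if m := PROC_RE.match(line):
            proc, cur = m['proc'], None
        elif m := DIFF_RE.match(line):
            cur = {'process': proc, 'module': m['mod'], 'address': int(m['addr'], 16), 'listing': []}
            records.append(cur)
        elif OTHER_RE.match(line) or not line.strip():
            cur = None
        elif cur is not None:
            cur['listing'].append(line)  # side-by-side disassembly line (old | new)
    return records

def zero_fraction(listing):
    """Share of listing lines containing a zero-byte encoding on either side.
    Heuristic (assumption): a high share suggests one dump has the page zero-filled
    (non-resident) rather than a real code change."""
    if not listing:
        return 0.0
    return sum(bool(ZERO_RE.search(ln)) for ln in listing) / len(listing)

def summarize(text, zero_threshold=0.5):
    """Count diff sites per (process, module), splitting zero-heavy blocks out as likely noise."""
    real, zeroish = Counter(), Counter()
    for r in parse_log(text):
        key = (r['process'], r['module'])
        (zeroish if zero_fraction(r['listing']) >= zero_threshold else real)[key] += 1
    return real, zeroish

if __name__ == '__main__':
    real, zeroish = summarize(SAMPLE_LOG)
    for key in sorted(set(real) | set(zeroish)):
        print(f"{key[0]:<14} {key[1]:<36} real={real[key]} zero-filled={zeroish[key]}")
```

Run it over the full log to see which modules account for most of the remaining "real" sites; those are the ones worth inspecting by hand.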
Comments
Sounds like you want to disable ASLR. Have a look at: stackoverflow.com/questions/9560993/…