Systems and methods that detect presence of malicious software while comparing address mappings in multiple table look-aside buffers are provided. Address mappings in an instruction table look-aside buffer (ITLB) and a data table look-aside buffer (DTLB) may be scanned with each address mapping including a mapping between a virtual page in a virtual memory and a frame in a physical memory of a computing device. A discrepancy between an address mapping in the ITLB and an address mapping in the DTLB can be identified. Based on the discrepancy, a process associated with the mapping may then be identified as a malicious process.