Paweł Srokosz

Results 77 comments of Paweł Srokosz

Hi! Good catch, thanks for that finding: negated filters introduced some inconsistencies in matching logic. I've tried to rethink the `matches_filters` logic to match the expected semantics and have come...

Thanks for the feedback, I'll try to separate non-breaking changes from this PR into another one and implement some safety checks here.

To be continued in https://github.com/CERT-Polska/karton/pull/255

The root of the problem is that the socketmon plugin uses an old, eager method of usermode function hooking that requires the DLL to be loaded at the time of hook setup....

The log says it can't trap on the WoW64 version of the DLL (32-bit processes on 64-bit Windows). If it doesn't work even when you have that 32-bit WinSCP running...

I have done some research on this issue. tl;dr: lots of threads in explorer are pretty short-lived and can be terminated in the middle of injection by another thread....

I think there's a leftover in the docs from the rolled-back Drakvuf upgrade. The currently released Drakvuf Sandbox version is based on Drakvuf 0.8 with backports (https://github.com/CERT-Polska/drakvuf/tree/v0.8-backports) and this version includes Xen in...

If that's the complete Docker configuration, you probably lacked a volume on `/data`, so the Redis database was stored directly in the container, which may have been lost during the restart. See also: -...

This requires a slightly different approach. The main issue is that a memoryview holds a pointer to the underlying buffer and needs to be **explicitly** released before releasing the main buffer ```...

Added reference tracking of mmap slices in https://github.com/CERT-Polska/malduck/pull/122/commits/ab61f362accaa150aca82dab1040593e037d116f and https://github.com/CERT-Polska/malduck/pull/122/commits/c684022a889e7960572fad2e306cc6538658225b When `MmapMemoryBuffer` is going to be closed and the underlying mmap is going to be released, `MMapMemoryBuffer` has a weakrefset of all...
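The release-before-close constraint and the weak-reference tracking of mmap slices described in the two comments above, as an added example that is not malduck's own code: `TrackedMmapBuffer`, its helpers and the sample file contents are hypothetical and constructed here only to show the behaviour. It first shows that CPython's `mmap.close()` refuses with `BufferError` while a `memoryview` still exports the mapping, then a buffer class that keeps a `weakref.WeakSet` of every slice it hands out so that `close()` can release all live slices before closing the mapping.

```python
import mmap
import os
import tempfile
import weakref

# Constructed sample payload written to a temporary file; not real input data.
SAMPLE = b"MZ" + bytes(range(256)) * 4


def write_sample():
    """Write SAMPLE to a temp file and return its path."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE)
    return path


def close_without_release_raises(path):
    """Return True if mmap.close() refuses while a memoryview still exports the buffer."""
    f = open(path, "rb")
    m = mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)
    view = memoryview(m)[0:4]  # holds a pointer into the mapping
    try:
        m.close()  # CPython raises BufferError: cannot close exported pointers exist
        raised = False
    except BufferError:
        raised = True
    finally:
        view.release()  # explicit release drops the export ...
        m.close()       # ... so the mapping can now be closed
        f.close()
    return raised


class TrackedMmapBuffer:
    """Hypothetical buffer (not malduck's MmapMemoryBuffer) that records every
    memoryview slice taken from an mmap in a WeakSet, so close() can release
    the slices that are still alive before closing the mapping.  Slices the
    caller has already dropped disappear from the WeakSet on their own."""

    def __init__(self, path):
        self._file = open(path, "rb")
        self._mmap = mmap.mmap(self._file.fileno(), 0, access=mmap.ACCESS_READ)
        self._slices = weakref.WeakSet()

    def slice(self, start, end):
        view = memoryview(self._mmap)[start:end]
        self._slices.add(view)  # weak reference only; does not keep the slice alive
        return view

    def live_slices(self):
        return len(self._slices)

    def close(self):
        for view in list(self._slices):
            view.release()  # idempotent, so a slice released by the caller is fine
        self._slices.clear()
        self._mmap.close()  # no exports remain, so this cannot raise BufferError
        self._file.close()


def is_released(view):
    """Operations on a released memoryview raise ValueError."""
    try:
        view.tobytes()
        return False
    except ValueError:
        return True


def demo():
    """Exercise the tracking buffer on the constructed sample and return what was observed."""
    path = write_sample()
    try:
        buf = TrackedMmapBuffer(path)
        header = buf.slice(0, 2)
        body = buf.slice(2, 10)
        tracked = buf.live_slices()            # two live slices
        del body                               # refcount hits zero; WeakSet forgets it
        tracked_after_del = buf.live_slices()  # one live slice
        magic = bytes(header)
        buf.close()                            # releases `header`, then closes the mmap
        return {
            "tracked": tracked,
            "tracked_after_del": tracked_after_del,
            "magic": magic,
            "header_released": is_released(header),
            "close_refused_with_live_view": close_without_release_raises(path),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

The WeakSet is what makes the bookkeeping cheap: the buffer never extends the lifetime of a slice, yet at close time it still knows exactly which slices are outstanding and can release them instead of letting `mmap.close()` fail or, worse, letting a slice outlive the mapping it points into.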