mandiant / capa

The FLARE team's open-source tool to identify capabilities in executable files.
Apache License 2.0

Drakvuf Sandbox Feature Extractor #2163

Open yelhamer opened 1 week ago

yelhamer commented 1 week ago

This issue is in order to track the Drakvuf Sandbox feature extraction.

Currently, we extract only features from the captured winapi and native calls, and that is because most of the common Drakvuf plugins (regmon, filetracer, etc.) use the captured winapi/native calls to extract that information. So extracting that information twice is redundant.

The performance (spatial and temporal) of the extractor could still be improved, and the next steps (as of writing) are to ignore irrelevant Drakvuf output lines (those related to processes other than the malware one), as well as possibly to migrate to a faster alternative to Pydantic (perhaps msgspec.Struct) if it turns out that Pydantic is indeed slowing the extractor down.
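One shape such a pre-filter could take, as an added example that is not capa's own extractor code: it rejects lines for unrelated processes before any model parsing, keeps lines of child processes the sample spawns (a step beyond what the issue describes), and counts API names only from the apimon plugin so that regmon/filetracer records derived from the same calls are not counted twice. The Drakvuf field names (Plugin, PID, PPID, ProcessName, Method) and the log lines are constructed assumptions.

```python
import json
from collections import Counter

# Constructed Drakvuf-style JSON-lines output; key names are assumptions.
SAMPLE_LOG = """\
{"Plugin": "apimon", "PID": 1234, "PPID": 600, "ProcessName": "sample.exe", "Method": "CreateFileW"}
{"Plugin": "apimon", "PID": 4, "PPID": 0, "ProcessName": "System", "Method": "NtWriteFile"}
{"Plugin": "apimon", "PID": 1234, "PPID": 600, "ProcessName": "sample.exe", "Method": "NtAllocateVirtualMemory"}
{"Plugin": "apimon", "PID": 1300, "PPID": 1234, "ProcessName": "cmd.exe", "Method": "CreateProcessW"}
{"Plugin": "regmon", "PID": 1234, "PPID": 600, "ProcessName": "sample.exe", "Method": "NtSetValueKey"}
{"Plugin": "apimon", "PID": 800, "PPID": 600, "ProcessName": "svchost.exe", "Method": "RegOpenKeyExW"}
this line is not JSON and is skipped cheaply
{"Plugin": "apimon", "PID": 1300, "PPID": 1234, "ProcessName": "cmd.exe", "Method": "CreateFileW"}
"""


def extract_api_features(log_text, sample_pid, plugins=("apimon",), follow_children=True):
    """Count API names called by the sample process (and, optionally, its descendants).

    Lines belonging to other processes are dropped before any model parsing,
    which is the cheap filter the issue proposes; only the named plugins are
    considered so the same call is not counted once per Drakvuf plugin.
    """
    tracked = {sample_pid}  # PIDs whose lines we keep
    calls = Counter()
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw.startswith("{"):
            continue  # reject non-JSON lines without parsing
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue
        pid, ppid = rec.get("PID"), rec.get("PPID")
        if follow_children and ppid in tracked and pid is not None:
            tracked.add(pid)  # child of a tracked process: keep its lines too
        if pid not in tracked or rec.get("Plugin") not in plugins:
            continue
        method = rec.get("Method")
        if method:
            calls[method] += 1
    return calls


if __name__ == "__main__":
    for api, n in extract_api_features(SAMPLE_LOG, 1234).most_common():
        print(f"{api}: {n}")
```

Descendant tracking relies on the child's lines appearing after the parent's, which holds for a chronologically ordered log; a PID reused after the sample exits would need a timestamp check that this example omits.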