V3 pushed:

Notes:

- changed strategy for filtering, esp. on unload events. When these are received from NtWaitForDebugEvent(), the DLL is already unmapped (so not readable from memory, image mapping is no longer present), and there is no file handle to peruse the machine information. As the unload events are not generated when the process terminates, the wow*.dll unload events are hence not generated. So we should be safe here. But I didn't test further on Windows by injecting and unloading a 64-bit DLL inside a wow64 process to see what happens. I kept the filter on addresses above 4G anyway, which will never hurt. I didn't find any docs on whether Windows loads all its 64-bit DLLs in a wow64 process above 4G (even if it's what testing shows). So I'm not 100% confident on the filtering of all the unload events.
- extended tests to have a graceful exit of the child process to test the tear-down part as well