fix(symbolizer): Lookup live modules

rabbitstack · rabbitstack · commit 6633f98bda63 · 2025-03-29T00:37:19.000+01:00
When the module in process state can't be derived
from the VA, we enumerate the modules via API call
diff --git a/pkg/symbolize/symbolizer.go b/pkg/symbolize/symbolizer.go
@@ -65,6 +65,9 @@ var (
 	// symModulesCount counts the number of loaded module exports
 	symModulesCount = expvar.NewInt("symbolizer.modules.count")
 
+	// symEnumModulesHits counts the number of hits from enumerated modules
+	symEnumModulesHits = expvar.NewInt("symbolizer.enum.modules.hits")
+
 	// debugHelpFallbacks counts how many times we Debug Help API was called
 	// to resolve symbol information since we fail to do this from process
 	// modules and PE export directory data
@@ -462,6 +465,23 @@ func (s *Symbolizer) produceFrame(addr va.Address, e *kevent.Kevent) callstack.F
 		if mod == nil && e.PS.Parent != nil {
 			mod = e.PS.Parent.FindModuleByVa(addr)
 		}
+		if mod == nil {
+			// our last resort is to enumerate process modules
+			modules := sys.EnumProcessModules(e.PID)
+			for _, m := range modules {
+				b := va.Address(m.BaseOfDll)
+				size := uint64(m.SizeOfImage)
+				if addr >= b && addr <= b.Inc(size) {
+					mod = &pstypes.Module{
+						Name:        m.Name,
+						BaseAddress: b,
+						Size:        size,
+					}
+					symEnumModulesHits.Add(1)
+					break
+				}
+			}
+		}
 		if mod != nil {
 			frame.Module = mod.Name
 			frame.ModuleAddress = mod.BaseAddress
diff --git a/pkg/sys/process.go b/pkg/sys/process.go
@@ -117,3 +117,58 @@ func IsWindowsService() bool {
 	isSvc, err := svc.IsWindowsService()
 	return isSvc && err == nil
 }
+
+// ProcessModule describes the process loaded module.
+type ProcessModule struct {
+	windows.ModuleInfo
+	Name string
+}
+
+// EnumProcessModules returns all loaded modules in the process address space.
+func EnumProcessModules(pid uint32) []ProcessModule {
+	n := uint32(1024)
+	mods := make([]windows.Handle, n)
+	proc, err := windows.OpenProcess(windows.PROCESS_QUERY_INFORMATION|windows.PROCESS_VM_READ, false, pid)
+	if err != nil {
+		return nil
+	}
+	defer windows.Close(proc)
+	if err := windows.EnumProcessModules(proc, &mods[0], 1024, &n); err != nil {
+		// need bigger buffer
+		if n > 1024 {
+			mods = make([]windows.Handle, n)
+			if err := windows.EnumProcessModules(proc, &mods[0], 1024, &n); err != nil {
+				return nil
+			}
+		}
+		return nil
+	}
+
+	modules := make([]ProcessModule, 0)
+	for _, mod := range mods {
+		if mod == 0 {
+			continue
+		}
+		var moduleInfo windows.ModuleInfo
+		if err := windows.GetModuleInformation(proc, mod, &moduleInfo, uint32(unsafe.Sizeof(moduleInfo))); err != nil {
+			continue
+		}
+		module := ProcessModule{ModuleInfo: moduleInfo}
+		if name, err := getModuleFileName(proc, mod); err == nil {
+			module.Name = name
+		}
+		modules = append(modules, module)
+	}
+
+	return modules
+}
+
+func getModuleFileName(proc, mod windows.Handle) (string, error) {
+	n := uint32(1024)
+	buf := make([]uint16, n)
+	err := windows.GetModuleFileNameEx(proc, mod, &buf[0], n)
+	if err != nil {
+		return "", err
+	}
+	return windows.UTF16ToString(buf), nil
+}
