rabbitstack · rabbitstack · May 7, 2026 · May 7, 2026 · May 7, 2026 · May 7, 2026
diff --git a/internal/etw/processors/chain_windows.go b/internal/etw/processors/chain_windows.go
@@ -43,15 +43,14 @@ func NewChain(
 			psnapshotter: psnap,
 			processors:   make([]Processor, 0),
 		}
-		devMapper       = fs.NewDevMapper()
-		devPathResolver = fs.NewDevPathResolver()
-		vaRegionProber  = va.NewRegionProber()
+		devMapper      = fs.NewDevMapper()
+		vaRegionProber = va.NewRegionProber()
 	)
 
 	chain.addProcessor(newPsProcessor(psnap, vaRegionProber))
 
 	if config.EventSource.EnableFileIOEvents {
-		chain.addProcessor(newFsProcessor(hsnap, psnap, devMapper, devPathResolver, config))
+		chain.addProcessor(newFsProcessor(hsnap, psnap, devMapper, config))
 	}
 	if config.EventSource.EnableRegistryEvents {
 		chain.addProcessor(newRegistryProcessor(hsnap))
@@ -63,7 +62,7 @@ func NewChain(
 		chain.addProcessor(newNetProcessor())
 	}
 	if config.EventSource.EnableHandleEvents {
-		chain.addProcessor(newHandleProcessor(hsnap, psnap, devMapper, devPathResolver))
+		chain.addProcessor(newHandleProcessor(hsnap, psnap, devMapper))
 	}
 	if config.EventSource.EnableMemEvents {
 		chain.addProcessor(newMemProcessor(psnap, vaRegionProber))

diff --git a/internal/etw/processors/fs_windows.go b/internal/etw/processors/fs_windows.go
@@ -56,9 +56,8 @@ type fsProcessor struct {
 	// irps contains a mapping between the IRP (I/O request packet) and CreateFile events
 	irps map[uint64]*event.Event
 
-	devMapper       fs.DevMapper
-	devPathResolver fs.DevPathResolver
-	config          *config.Config
+	devMapper fs.DevMapper
+	config    *config.Config
 
 	// buckets stores stack walk events per stack id
 	buckets map[uint64][]*event.Event
@@ -80,21 +79,19 @@ func newFsProcessor(
 	hsnap handle.Snapshotter,
 	psnap ps.Snapshotter,
 	devMapper fs.DevMapper,
-	devPathResolver fs.DevPathResolver,
 	config *config.Config,
 ) Processor {
 	f := &fsProcessor{
-		files:           make(map[uint64]*FileInfo),
-		irps:            make(map[uint64]*event.Event),
-		hsnap:           hsnap,
-		psnap:           psnap,
-		devMapper:       devMapper,
-		devPathResolver: devPathResolver,
-		config:          config,
-		buckets:         make(map[uint64][]*event.Event),
-		purger:          time.NewTicker(time.Second * 5),
-		quit:            make(chan struct{}, 1),
-		lim:             rate.NewLimiter(30, 40), // allow 30 parse ops per second or bursts of 40 ops
+		files:     make(map[uint64]*FileInfo),
+		irps:      make(map[uint64]*event.Event),
+		hsnap:     hsnap,
+		psnap:     psnap,
+		devMapper: devMapper,
+		config:    config,
+		buckets:   make(map[uint64][]*event.Event),
+		purger:    time.NewTicker(time.Second * 5),
+		quit:      make(chan struct{}, 1),
+		lim:       rate.NewLimiter(30, 40), // allow 30 parse ops per second or bursts of 40 ops
 	}
 
 	go f.purge()
@@ -207,10 +204,6 @@ func (f *fsProcessor) processEvent(e *event.Event) (*event.Event, error) {
 			f.files[fileObject] = fileinfo
 		}
 
-		if f.config.EventSource.EnableHandleEvents {
-			f.devPathResolver.AddPath(ev.GetParamAsString(params.FilePath))
-		}
-
 		ev.AppendParam(params.NTStatus, params.Status, status)
 		if fileinfo.Type != fs.Unknown {
 			ev.AppendEnum(params.FileType, uint32(fileinfo.Type), fs.FileTypes)

diff --git a/internal/etw/processors/fs_windows_test.go b/internal/etw/processors/fs_windows_test.go
@@ -306,7 +306,7 @@ func TestFsProcessor(t *testing.T) {
 					{File: "C:\\Windows\\System32\\kernel32.dll", BaseAddress: va.Address(0xffff23433), Size: 3098},
 				},
 			})
-			p := newFsProcessor(hsnap, psnap, fs.NewDevMapper(), fs.NewDevPathResolver(), &config.Config{})
+			p := newFsProcessor(hsnap, psnap, fs.NewDevMapper(), &config.Config{})
 			if tt.setupProcessor != nil {
 				tt.setupProcessor(p)
 			}

diff --git a/internal/etw/processors/handle_windows.go b/internal/etw/processors/handle_windows.go
@@ -19,8 +19,6 @@
 package processors
 
 import (
-	"strings"
-
 	"github.com/rabbitstack/fibratus/pkg/event"
 	"github.com/rabbitstack/fibratus/pkg/event/params"
 	"github.com/rabbitstack/fibratus/pkg/fs"
@@ -30,23 +28,20 @@ import (
 )
 
 type handleProcessor struct {
-	hsnap           handle.Snapshotter
-	psnap           ps.Snapshotter
-	devMapper       fs.DevMapper
-	devPathResolver fs.DevPathResolver
+	hsnap     handle.Snapshotter
+	psnap     ps.Snapshotter
+	devMapper fs.DevMapper
 }
 
 func newHandleProcessor(
 	hsnap handle.Snapshotter,
 	psnap ps.Snapshotter,
 	devMapper fs.DevMapper,
-	devPathResolver fs.DevPathResolver,
 ) Processor {
 	return &handleProcessor{
-		hsnap:           hsnap,
-		psnap:           psnap,
-		devMapper:       devMapper,
-		devPathResolver: devPathResolver,
+		hsnap:     hsnap,
+		psnap:     psnap,
+		devMapper: devMapper,
 	}
 }
 
@@ -86,14 +81,6 @@ func (h *handleProcessor) processEvent(e *event.Event) (*event.Event, error) {
 			}
 		case handle.File:
 			name = h.devMapper.Convert(name)
-		case handle.Driver:
-			driverName := strings.TrimPrefix(name, "\\Driver\\") + ".sys"
-			driverPath := h.devPathResolver.GetPath(driverName)
-			if driverPath == "" {
-				driverPath = driverName
-			}
-			h.devPathResolver.RemovePath(driverName)
-			e.Params.Append(params.ModulePath, params.Path, driverPath)
 		}
 		// assign the formatted handle name
 		if err := e.Params.SetValue(params.HandleObjectName, name); err != nil {

diff --git a/internal/etw/processors/handle_windows_test.go b/internal/etw/processors/handle_windows_test.go
@@ -19,6 +19,8 @@
 package processors
 
 import (
+	"testing"
+
 	"github.com/rabbitstack/fibratus/pkg/event"
 	"github.com/rabbitstack/fibratus/pkg/event/params"
 	"github.com/rabbitstack/fibratus/pkg/fs"
@@ -27,7 +29,6 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
 	"github.com/stretchr/testify/require"
-	"testing"
 )
 
 func TestHandleProcessor(t *testing.T) {
@@ -92,7 +93,7 @@ func TestHandleProcessor(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			hsnap := tt.hsnap()
 			psnap := new(ps.SnapshotterMock)
-			p := newHandleProcessor(hsnap, psnap, fs.NewDevMapper(), fs.NewDevPathResolver())
+			p := newHandleProcessor(hsnap, psnap, fs.NewDevMapper())
 			var err error
 			tt.e, _, err = p.ProcessEvent(tt.e)
 			require.NoError(t, err)

diff --git a/pkg/callstack/colorize.go b/pkg/callstack/colorize.go
@@ -77,7 +77,7 @@ func (s Callstack) Colorize() string {
 
 		// frames in kernel range with no resolved symbol are unresolved so
 		// we can collapse them into a counter
-		if f.Addr.InSystemRange() && (f.Symbol == "" || f.Symbol == "?") {
+		if f.Addr.InSystemRange() && ((f.Symbol == "" || f.Symbol == "?") && f.Module == "") {
 			unresolved++
 			continue
 		}

diff --git a/pkg/fs/driver.go b/pkg/fs/driver.go
diff --git a/pkg/symbolize/driver.go b/pkg/symbolize/driver.go
@@ -0,0 +1,97 @@
+/*
+ * Copyright 2021-present by Nedim Sabic Sabic
+ * https://www.fibratus.io
+ * All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package symbolize
+
+import (
+	"sync"
+
+	"github.com/rabbitstack/fibratus/pkg/sys"
+	"github.com/rabbitstack/fibratus/pkg/util/va"
+)
+
+type driverStore struct {
+	devs []sys.Driver
+	// drivers maps resolved kernel addresses to the driver objects
+	drivers map[va.Address]*sys.Driver
+	mux     sync.RWMutex
+}
+
+func initDriverStore() *driverStore {
+	return &driverStore{
+		devs:    sys.EnumDevices(),
+		drivers: make(map[va.Address]*sys.Driver),
+	}
+}
+
+// resolve maps a kernel return address to a driver.
+// If the kernel address is already resolved, then
+// then the driver object is recovered from the cache.
+// Returns nil if no module contains the address.
+func (d *driverStore) resolve(addr va.Address) *sys.Driver {
+	// driver already cached?
+	d.mux.RLock()
+	dev, isCached := d.drivers[addr]
+	d.mux.RUnlock()
+	if isCached {
+		return dev
+	}
+
+	d.mux.Lock()
+	defer d.mux.Unlock()
+	for i := range d.devs {
+		dev := &d.devs[i]
+		base := va.Address(dev.Base)
+		if addr >= base && addr < base.Inc(uint64(dev.Size)) {
+			d.drivers[addr] = dev
+			return dev
+		}
+	}
+
+	return nil
+}
+
+func (d *driverStore) addDriver(base va.Address, size uint64, path string) {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+
+	dev := sys.Driver{
+		Path: path,
+		Base: base.Uintptr(),
+		Size: uint32(size),
+	}
+	d.devs = append(d.devs, dev)
+}
+
+func (d *driverStore) removeDriver(base va.Address, size uint64) {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+
+	for i, dev := range d.devs {
+		if dev.Base == base.Uintptr() {
+			d.devs = append(d.devs[:i], d.devs[i+1:]...)
+			break
+		}
+	}
+
+	for addr := range d.drivers {
+		if addr >= base && addr < base.Inc(size) {
+			delete(d.drivers, addr)
+		}
+	}
+}