feat: Stack enrichment (#217)

Author: rabbitstack

configs/fibratus.yml

@@ -192,6 +192,9 @@ kstream:
   # Determines whether DNS client events are collected
   #enable-dns: true
 
+  # Indicates if stack enrichment is enabled for eligible events
+  #stack-enrichment: true
+
   # Determines which events are dropped either by the event name or the process' image
   # name that triggered the event.
   blacklist:
@@ -463,6 +466,13 @@ pe:
   # consulted for computing section hashes, calculating the entropy, and so on
   #read-sections: false
 
+# Designates the path or a series of paths separated by a semicolon that is used to search
+# for symbols files
+# symbol-paths: srv*c:\\SymCache*https://msdl.microsoft.com/download/symbols
+
+# Determines if kernel stack addresses are symbolized
+# symbolize-kernel-addresses: false
+
 # =============================== Transformers =========================================
 
 # Transformers are responsible for augmenting, parsing or enriching kernel events.

go.mod

@@ -6,6 +6,8 @@ require (
 	github.com/antchfx/htmlquery v1.2.5
 	github.com/briandowns/spinner v1.12.0
 	github.com/dustin/go-humanize v1.0.0
+	github.com/enescakir/emoji v1.0.0
+	github.com/gammazero/deque v0.2.1
 	github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e
 	github.com/hashicorp/go-version v1.2.1
 	github.com/hillu/go-yara/v4 v4.2.4
@@ -39,7 +41,6 @@ require (
 )
 
 require (
-	github.com/enescakir/emoji v1.0.0 // indirect
 	github.com/rivo/uniseg v0.4.2 // indirect
 	github.com/rogpeppe/go-internal v1.11.0 // indirect
 )

go.sum

@@ -11,8 +11,11 @@ github.com/Microsoft/go-winio v0.4.14 h1:+hMXMk01us9KgxGb7ftKQt2Xpf5hH/yky+TDA+q
 github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/alecthomas/assert v1.0.0 h1:3XmGh/PSuLzDbK3W2gUbRXwgW5lqPkuqvRgeQ30FI5o=
+github.com/alecthomas/assert v1.0.0/go.mod h1:va/d2JC+M7F6s+80kl/R3G7FUiW6JzUO+hPhLyJ36ZY=
 github.com/alecthomas/colour v0.1.0 h1:nOE9rJm6dsZ66RGWYSFrXw461ZIt9A6+nHgL7FRrDUk=
+github.com/alecthomas/colour v0.1.0/go.mod h1:QO9JBoKquHd+jz9nshCh40fOfO+JzsoXy8qTHF68zU0=
 github.com/alecthomas/repr v0.1.1 h1:87P60cSmareLAxMc4Hro0r2RBY4ROm0dYwkJNpS4pPs=
+github.com/alecthomas/repr v0.1.1/go.mod h1:Fr0507jx4eOXV7AlPV6AVZLYrLIuIeSOWtW57eE/O/4=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/antchfx/htmlquery v1.2.5 h1:1lXnx46/1wtv1E/kzmH8vrfMuUKYgkdDBA9pIdMJnk4=
@@ -51,6 +54,8 @@ github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHqu
 github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fzipp/gocyclo v0.3.1/go.mod h1:DJHO6AUmbdqj2ET4Z9iArSuwWgYDRryYt2wASxc7x3E=
+github.com/gammazero/deque v0.2.1 h1:qSdsbG6pgp6nL7A0+K/B7s12mcCY/5l5SIUpMOl+dC0=
+github.com/gammazero/deque v0.2.1/go.mod h1:LFroj8x4cMYCukHJDbxFCkT+r9AndaJnFMuZDV34tuU=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
@@ -108,6 +113,7 @@ github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxv
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
@@ -171,7 +177,9 @@ github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUz
 github.com/saferwall/pe v1.4.4 h1:Ml++7/2/Z1iKwV4zCsd1nIqTEAdUQKAetwbbcCarhOg=
 github.com/saferwall/pe v1.4.4/go.mod h1:SNzv3cdgk8SBI0UwHfyTcdjawfdnN+nbydnEL7GZ25s=
 github.com/sebdah/goldie v1.0.0 h1:9GNhIat69MSlz/ndaBg48vl9dF5fI+NBB6kfOxgfkMc=
+github.com/sebdah/goldie v1.0.0/go.mod h1:jXP4hmWywNEwZzhMuv2ccnqTSFpuq8iyQhtQdkkZBH4=
 github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ=
+github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
 github.com/shopspring/decimal v1.2.0 h1:abSATXmQEYyShuxI4/vyW3tV1MrKAJzCZ/0zLUXYbsQ=
 github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
@@ -328,6 +336,7 @@ gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc/go.mod
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df h1:n7WqCuqOuCbNr617RXOY0AWRXxgwEyPp2z+p0+hgMuE=
 gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df/go.mod h1:LRQQ+SO6ZHR7tOkpBDuZnXENFzX8qRjMDMyPD6BRkCw=
 gopkg.in/ini.v1 v1.51.0 h1:AQvPpx3LzTDM0AjnIRlVFwFFGC+npRopjZxLJj6gdno=

internal/bootstrap/bootstrap.go

@@ -31,6 +31,7 @@ import (
 	"github.com/rabbitstack/fibratus/pkg/kcap"
 	"github.com/rabbitstack/fibratus/pkg/kstream"
 	"github.com/rabbitstack/fibratus/pkg/ps"
+	"github.com/rabbitstack/fibratus/pkg/symbolize"
 	"github.com/rabbitstack/fibratus/pkg/sys"
 	"github.com/rabbitstack/fibratus/pkg/util/multierror"
 	"github.com/rabbitstack/fibratus/pkg/util/signals"
@@ -49,6 +50,7 @@ var ErrAlreadyRunning = errors.New("an instance of Fibratus process is already r
 type App struct {
 	config     *config.Config
 	controller *kstream.Controller
+	symbolizer *symbolize.Symbolizer
 	hsnap      handle.Snapshotter
 	psnap      ps.Snapshotter
 	consumer   kstream.Consumer
@@ -220,8 +222,14 @@ func (f *App) Run(args []string) error {
 			}
 		}()
 	} else {
-		// register event listeners
+		// register stack symbolizer
+		if cfg.Kstream.StackEnrichment {
+			f.symbolizer = symbolize.NewSymbolizer(symbolize.NewDebugHelpResolver(cfg), cfg, false)
+			f.consumer.RegisterEventListener(f.symbolizer)
+		}
+		// register rule engine
 		f.consumer.RegisterEventListener(rules)
+		// register YARA scanner
 		if cfg.Yara.Enabled {
 			scanner, err := yara.NewScanner(f.psnap, cfg.Yara)
 			if err != nil {
@@ -364,6 +372,9 @@ func (f *App) Shutdown() error {
 			errs = append(errs, err)
 		}
 	}
+	if f.symbolizer != nil {
+		f.symbolizer.Close()
+	}
 	if f.consumer != nil {
 		if err := f.consumer.Close(); err != nil {
 			errs = append(errs, err)

pkg/alertsender/renderer/renderer_test.go

@@ -28,6 +28,7 @@ import (
 	"github.com/rabbitstack/fibratus/pkg/kevent/ktypes"
 	pex "github.com/rabbitstack/fibratus/pkg/pe"
 	pstypes "github.com/rabbitstack/fibratus/pkg/ps/types"
+	"github.com/rabbitstack/fibratus/pkg/util/va"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/sys/windows"
@@ -91,8 +92,8 @@ func TestHTMLFormatterRuleAlert(t *testing.T) {
 					SessionID: 4,
 					Envs:      map[string]string{"ProgramData": "C:\\ProgramData", "COMPUTRENAME": "archrabbit", "Path": "C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Git\\cmd;C:\\msys64\\mingw64\\bin;C:\\WINDOWS\\System32\\OpenSSH\\;C:\\Program Files (x86)\\Windows Kits\\10\\Windows Performance Toolkit\\;C:\\Program Files\\nodejs\\;C:\\rubyinstaller-2.5.7-1-x64\\bin;C:\\Program Files (x86)\\WiX Toolset v3.11\\bin;C:\\Program Files (x86)\\Windows Kits\\10\\App Certification Kit;C:\\Program Files (x86)\\Graphviz2.38\\bin;C:\\Program Files (x86)\\NSIS\\Bin;C:\\Program Files\\Jdk11\\bin;C:\\Python310;C:\\msys64\\usr\\bin;C:\\Program Files\\dotnet\\;C:\\Program Files\\Go\\bin;C:\\Program Files\\Fibratus\\Bin;C:\\Program Files\\AutoFirma\\AutoFirma;C:\\Users\\nedo\\AppData\\Local\\Programs\\Python\\Launcher\\;C:\\Scripts\\;C:\\;C:\\Users\\nedo\\AppData\\Local\\Programs\\Microsoft VS Code\\bin;C:\\Users\\nedo\\AppData\\Local\\Microsoft\\WindowsApps;C:\\Users\\nedo\\AppData\\Roaming\\npm;C:\\Users\\nedo\\AppData\\Local\\Programs\\oh-my-posh\\bin;C:\\Users\\nedo\\go\\bin"},
 					Threads: map[uint32]pstypes.Thread{
-						3453: {Tid: 3453, Entrypoint: kparams.Addr(140729524944768), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Addr(18446677035730165760), KstackLimit: kparams.Addr(18446677035730137088), UstackLimit: kparams.Addr(86376448), UstackBase: kparams.Addr(86372352)},
-						3455: {Tid: 3455, Entrypoint: kparams.Addr(140729524944768), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Addr(18446677035730165760), KstackLimit: kparams.Addr(18446677035730137088), UstackLimit: kparams.Addr(86376448), UstackBase: kparams.Addr(86372352)},
+						3453: {Tid: 3453, Entrypoint: va.Address(140729524944768), IOPrio: 2, PagePrio: 5, KstackBase: va.Address(18446677035730165760), KstackLimit: va.Address(18446677035730137088), UstackLimit: va.Address(86376448), UstackBase: va.Address(86372352)},
+						3455: {Tid: 3455, Entrypoint: va.Address(140729524944768), IOPrio: 3, PagePrio: 5, KstackBase: va.Address(18446677035730165760), KstackLimit: va.Address(18446677035730137088), UstackLimit: va.Address(86376448), UstackBase: va.Address(86372352)},
 					},
 					Modules: []pstypes.Module{
 						{Name: "C:\\Windows\\System32\\kernel32.dll", Size: 1233405456},
@@ -185,8 +186,8 @@ func TestHTMLFormatterRuleAlert(t *testing.T) {
 					SessionID: 4,
 					Envs:      map[string]string{"ProgramData": "C:\\ProgramData", "COMPUTRENAME": "archrabbit"},
 					Threads: map[uint32]pstypes.Thread{
-						3453: {Tid: 3453, Entrypoint: kparams.Addr(140729524944768), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Addr(18446677035730165760), KstackLimit: kparams.Addr(18446677035730137088), UstackLimit: kparams.Addr(86376448), UstackBase: kparams.Addr(86372352)},
-						3455: {Tid: 3455, Entrypoint: kparams.Addr(140729524944768), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Addr(18446677035730165760), KstackLimit: kparams.Addr(18446677035730137088), UstackLimit: kparams.Addr(86376448), UstackBase: kparams.Addr(86372352)},
+						3453: {Tid: 3453, Entrypoint: va.Address(140729524944768), IOPrio: 2, PagePrio: 5, KstackBase: va.Address(18446677035730165760), KstackLimit: va.Address(18446677035730137088), UstackLimit: va.Address(86376448), UstackBase: va.Address(86372352)},
+						3455: {Tid: 3455, Entrypoint: va.Address(140729524944768), IOPrio: 3, PagePrio: 5, KstackBase: va.Address(18446677035730165760), KstackLimit: va.Address(18446677035730137088), UstackLimit: va.Address(86376448), UstackBase: va.Address(86372352)},
 					},
 					Modules: []pstypes.Module{
 						{Name: "C:\\Windows\\System32\\kernel32.dll", Size: 1233405456},

pkg/config/config_windows.go

@@ -21,6 +21,7 @@ package config
 import (
 	"encoding/json"
 	"fmt"
+	"golang.org/x/sys/windows"
 	"time"
 
 	"github.com/rabbitstack/fibratus/pkg/outputs/eventlog"
@@ -59,11 +60,13 @@ import (
 )
 
 const (
-	kcapFile           = "kcap.file"
-	configFile         = "config-file"
-	debugPrivilege     = "debug-privilege"
-	initHandleSnapshot = "handle.init-snapshot"
-	enumerateHandles   = "handle.enumerate-handles"
+	kcapFile                 = "kcap.file"
+	configFile               = "config-file"
+	debugPrivilege           = "debug-privilege"
+	initHandleSnapshot       = "handle.init-snapshot"
+	enumerateHandles         = "handle.enumerate-handles"
+	symbolPaths              = "symbol-paths"
+	symbolizeKernelAddresses = "symbolize-kernel-addresses"
 
 	serializeThreads = "kevent.serialize-threads"
 	serializeImages  = "kevent.serialize-images"
@@ -72,9 +75,9 @@ const (
 	serializeEnvs    = "kevent.serialize-envs"
 )
 
-// Config stores configuration options for fine tuning the behaviour of Fibratus.
+// Config stores configuration options for fine-tuning the behaviour of Fibratus.
 type Config struct {
-	// Kstream stores different configuration options for fine tuning kstream consumer/controller settings.
+	// Kstream stores different configuration options for fine-tuning kstream consumer/controller settings.
 	Kstream KstreamConfig `json:"kstream" yaml:"kstream"`
 	// Filament contains filament settings
 	Filament FilamentConfig `json:"filament" yaml:"filament"`
@@ -87,9 +90,18 @@ type Config struct {
 	// EnumerateHandles indicates if process handles are collected during startup or
 	// when a new process is spawn
 	EnumerateHandles bool `json:"enumerate-handles" yaml:"enumerate-handles"`
-
+	// SymbolPaths designates the path or a series of paths separated by a semicolon
+	// that is used to search for symbols files.
+	SymbolPaths string `json:"symbol-paths" yaml:"symbols-paths"`
+	// SymbolizeKernelAddresses determines if kernel stack addresses are symbolized.
+	SymbolizeKernelAddresses bool `json:"symbolize-kernel-addresses" yaml:"symbolize-kernel-addresses"`
+
+	// DebugPrivilege dictates if the SeDebugPrivilege is injected into
+	// Fibratus process' access token.
 	DebugPrivilege bool `json:"debug-privilege" yaml:"debug-privilege"`
-	KcapFile       string
+
+	// KcapFile represents the name of the capture file.
+	KcapFile string
 
 	// API stores global HTTP API preferences
 	API APIConfig `json:"api" yaml:"api"`
@@ -261,6 +273,8 @@ func (c *Config) Init() error {
 
 	c.InitHandleSnapshot = c.viper.GetBool(initHandleSnapshot)
 	c.EnumerateHandles = c.viper.GetBool(enumerateHandles)
+	c.SymbolPaths = c.viper.GetString(symbolPaths)
+	c.SymbolizeKernelAddresses = c.viper.GetBool(symbolizeKernelAddresses)
 	c.DebugPrivilege = c.viper.GetBool(debugPrivilege)
 	c.KcapFile = c.viper.GetString(kcapFile)
 
@@ -327,6 +341,13 @@ func (c *Config) Validate() error {
 // File returns the config file path.
 func (c *Config) File() string { return c.viper.GetString(configFile) }
 
+// SymbolPathsUTF16 returns the symbol paths as UTF16 string
+// suitable for use in the Debug Helper API functions.
+func (c *Config) SymbolPathsUTF16() *uint16 {
+	paths, _ := windows.UTF16PtrFromString(c.SymbolPaths)
+	return paths
+}
+
 func (c *Config) addFlags() {
 	c.flags.String(configFile, filepath.Join(os.Getenv("PROGRAMFILES"), "fibratus", "config", "fibratus.yml"), "Indicates the location of the configuration file")
 	if c.opts.run || c.opts.replay || c.opts.validate {
@@ -360,6 +381,8 @@ func (c *Config) addFlags() {
 	if c.opts.run || c.opts.capture {
 		c.flags.Bool(initHandleSnapshot, false, "Indicates whether initial handle snapshot is built. This implies scanning the system handles table and producing an entry for each handle object")
 		c.flags.Bool(enumerateHandles, false, "Indicates if process handles are collected during startup or when a new process is spawn")
+		c.flags.String(symbolPaths, "srv*c:\\\\SymCache*https://msdl.microsoft.com/download/symbols", "Designates the path or a series of paths separated by a semicolon that is used to search for symbols files")
+		c.flags.Bool(symbolizeKernelAddresses, false, "Determines if kernel stack addresses are symbolized")
 
 		c.flags.Bool(enableThreadKevents, true, "Determines whether thread kernel events are collected by Kernel Logger provider")
 		c.flags.Bool(enableRegistryKevents, true, "Determines whether registry kernel events are collected by Kernel Logger provider")
@@ -370,6 +393,7 @@ func (c *Config) addFlags() {
 		c.flags.Bool(enableMemKevents, true, "Determines whether memory manager kernel events are collected by Kernel Logger provider")
 		c.flags.Bool(enableAuditAPIEvents, true, "Determines whether kernel audit API calls events are published")
 		c.flags.Bool(enableDNSEvents, true, "Determines whether DNS client events are enabled")
+		c.flags.Bool(stackEnrichment, true, "Indicates if stack enrichment is enabled for eligible events")
 		c.flags.Int(bufferSize, int(maxBufferSize), "Represents the amount of memory allocated for each event tracing session buffer, in kilobytes. The buffer size affects the rate at which buffers fill and must be flushed (small buffer size requires less memory but it increases the rate at which buffers must be flushed)")
 		c.flags.Int(minBuffers, int(defaultMinBuffers), "Determines the minimum number of buffers allocated for the event tracing session's buffer pool")
 		c.flags.Int(maxBuffers, int(defaultMaxBuffers), "Determines the maximum number of buffers allocated for the event tracing session's buffer pool")

pkg/config/kstream.go

@@ -40,6 +40,7 @@ const (
 	enableMemKevents      = "kstream.enable-mem"
 	enableAuditAPIEvents  = "kstream.enable-audit-api"
 	enableDNSEvents       = "kstream.enable-dns"
+	stackEnrichment       = "kstream.stack-enrichment"
 	bufferSize            = "kstream.buffer-size"
 	minBuffers            = "kstream.min-buffers"
 	maxBuffers            = "kstream.max-buffers"
@@ -77,6 +78,8 @@ type KstreamConfig struct {
 	EnableAuditAPIEvents bool `json:"enable-audit-api" yaml:"enable-audit-api"`
 	// EnableDNSEvents indicates if DNS client events are enabled
 	EnableDNSEvents bool `json:"enable-dns" yaml:"enable-dns"`
+	// StackEnrichment indicates if stack enrichment is enabled for eligible events.
+	StackEnrichment bool `json:"stack-enrichment" yaml:"stack-enrichment"`
 	// BufferSize represents the amount of memory allocated for each event tracing session buffer, in kilobytes.
 	// The buffer size affects the rate at which buffers fill and must be flushed (small buffer size requires
 	// less memory, but it increases the rate at which buffers must be flushed).
@@ -106,6 +109,7 @@ func (c *KstreamConfig) initFromViper(v *viper.Viper) {
 	c.EnableMemKevents = v.GetBool(enableMemKevents)
 	c.EnableAuditAPIEvents = v.GetBool(enableAuditAPIEvents)
 	c.EnableDNSEvents = v.GetBool(enableDNSEvents)
+	c.StackEnrichment = v.GetBool(stackEnrichment)
 	c.BufferSize = uint32(v.GetInt(bufferSize))
 	c.MinBuffers = uint32(v.GetInt(minBuffers))
 	c.MaxBuffers = uint32(v.GetInt(maxBuffers))

pkg/config/schema_windows.go

@@ -95,8 +95,10 @@ var schema = `
 			},
 			"additionalProperties": false
 		},
-		"config-file": 		{"type": "string"},
-		"debug-privilege":  {"type": "boolean"},
+		"config-file": 						{"type": "string"},
+		"debug-privilege":  				{"type": "boolean"},
+		"symbol-paths":						{"type": "string"},
+		"symbolize-kernel-addresses":		{"type": "boolean"},
 		"handle": {
 			"type": "object",
 			"properties": {
@@ -165,6 +167,7 @@ var schema = `
 				"enable-mem": 		{"type": "boolean"},
 				"enable-audit-api": {"type": "boolean"},
 				"enable-dns": 		{"type": "boolean"},
+				"stack-enrichment": {"type": "boolean"},
 				"min-buffers": 		{"type": "integer", "minimum": 1, "maximum": {{ .MinBuffers }}},
 				"max-buffers": 		{"type": "integer", "minimum": 2, "maximum": {{ .MaxBuffers }}},
 				"buffer-size":		{"type": "integer", "maximum": {{ .MaxBufferSize }}},

pkg/filament/filament.go

@@ -569,6 +569,7 @@ func (f *filament) onInterval(fn *cpython.PyObject) {
 			}
 			f.gil.Unlock()
 		case <-f.close:
+			return
 		}
 	}
 }