oh my fgosh we got it working

2024-11-21 22:24:08 +01:00 · 2023-08-20 19:17:03 +10:00 · 2023-08-20 19:17:03 +10:00 · 9e6b71e5df
commit 9e6b71e5df
parent 78246338df
5 changed files with 10 additions and 13 deletions
--- a/driver/modules.c
+++ b/driver/modules.c
@ -433,7 +433,7 @@ NTSTATUS HandleValidateDriversIOCTL(
 			report.report_code = REPORT_MODULE_VALIDATION_FAILURE;
 			report.report_type = head->first_entry->reason;
 			report.driver_base_address = head->first_entry->driver->DriverStart;
-			report.driver_size = head->first_entry->driver->Size;
+			report.driver_size = head->first_entry->driver->DriverSize;

 			ANSI_STRING string;
 			string.Length = 0;
--- a/service/Types.cs
+++ b/service/Types.cs
@ -1,6 +1,7 @@
 using System;
 using System.Collections.Generic;
 using System.Linq;
+using System.Numerics;
 using System.Runtime.InteropServices;
 using System.Text;
 using System.Threading.Tasks;
@ -53,18 +54,13 @@ namespace service
            public UInt64 InvalidRip;
        }

-        [StructLayout(LayoutKind.Explicit)]
+        [StructLayout(LayoutKind.Sequential)]
        public unsafe struct MODULE_VALIDATION_FAILURE
        {
-            [FieldOffset(0)]
            public int ReportCode;
-            [FieldOffset(0)]
            public int ReportType;
-            [FieldOffset(0)]
-            public UInt64 DriverBaseAddress;
-            [FieldOffset(0)]
-            public UInt64 DriverSize;
-            [FieldOffset(0)]
+            public long DriverBaseAddress;
+            public long DriverSize;
            public fixed char ModuleName[128];
        }
    }
--- a/service/Worker.cs
+++ b/service/Worker.cs
@ -161,8 +161,9 @@ namespace service

                    var kernelModuleFailure = BytesToStructure<MODULE_VALIDATION_FAILURE>();

-                    _logger.LogInformation("Report code: {0}, DriverBaseAddress: {1}, DriverSize: {2}",
+                    _logger.LogInformation("Report code: {0}, REportType: {1}, DriverBaseAddress: {2}, DriverSize: {3}",
                        kernelModuleFailure.ReportCode,
+                        kernelModuleFailure.ReportType,
                        kernelModuleFailure.DriverBaseAddress,
                        kernelModuleFailure.DriverSize);

--- a/user/km/driver.cpp
+++ b/user/km/driver.cpp
@ -124,7 +124,7 @@ void kernelmode::Driver::VerifySystemModules()
 				( UINT64 )buffer + sizeof( global::report_structures::MODULE_VALIDATION_FAILURE_HEADER ) + 
 				i * sizeof( global::report_structures::MODULE_VALIDATION_FAILURE ) );

-		this->report_interface->ReportViolation( &report );
+		this->report_interface->ReportViolation( report );
 	}

 	free( buffer );
--- a/user/report.h
+++ b/user/report.h
@ -43,8 +43,8 @@ namespace global
 			header.message_type = REPORT_PACKET_ID;
 			memcpy( this->buffer, &header, sizeof( global::headers::PIPE_PACKET_HEADER ) );

-			memcpy( this->buffer + sizeof( global::headers::PIPE_PACKET_HEADER ), Report, sizeof(T));
-			this->client->WriteToPipe( buffer, sizeof(T) );
+			memcpy( PVOID( ( UINT64 )this->buffer + sizeof( global::headers::PIPE_PACKET_HEADER ) ), Report, sizeof( T ) );
+			this->client->WriteToPipe( buffer, sizeof(T) + sizeof( global::headers::PIPE_PACKET_HEADER ) );
 			RtlZeroMemory( this->buffer, REPORT_BUFFER_SIZE );

 			mutex.unlock();