From 9e6b71e5df55d6400a4c15ac00993faf33f88ed5 Mon Sep 17 00:00:00 2001
From: lhodges1
Date: Sun, 20 Aug 2023 19:17:03 +1000
Subject: [PATCH] oh my fgosh we got it working
---
 driver/modules.c | 2 +-
 service/Types.cs | 12 ++++--------
 service/Worker.cs | 3 ++-
 user/km/driver.cpp | 2 +-
 user/report.h | 4 ++--
 5 files changed, 10 insertions(+), 13 deletions(-)
diff --git a/driver/modules.c b/driver/modules.c
index 02fc9fe..b633bc0 100644
--- a/driver/modules.c
+++ b/driver/modules.c
@@ -433,7 +433,7 @@ NTSTATUS HandleValidateDriversIOCTL(
 report.report_code = REPORT_MODULE_VALIDATION_FAILURE;
 report.report_type = head->first_entry->reason;
 report.driver_base_address = head->first_entry->driver->DriverStart;
- report.driver_size = head->first_entry->driver->Size;
+ report.driver_size = head->first_entry->driver->DriverSize;
 ANSI_STRING string;
 string.Length = 0;
diff --git a/service/Types.cs b/service/Types.cs
index 0216e2f..ec210e9 100644
--- a/service/Types.cs
+++ b/service/Types.cs
@@ -1,6 +1,7 @@
 using System;
 using System.Collections.Generic;
 using System.Linq;
+using System.Numerics;
 using System.Runtime.InteropServices;
 using System.Text;
 using System.Threading.Tasks;
@@ -53,18 +54,13 @@ namespace service
 public UInt64 InvalidRip;
 }
- [StructLayout(LayoutKind.Explicit)]
+ [StructLayout(LayoutKind.Sequential)]
 public unsafe struct MODULE_VALIDATION_FAILURE
 {
- [FieldOffset(0)]
 public int ReportCode;
- [FieldOffset(0)]
 public int ReportType;
- [FieldOffset(0)]
- public UInt64 DriverBaseAddress;
- [FieldOffset(0)]
- public UInt64 DriverSize;
- [FieldOffset(0)]
+ public long DriverBaseAddress;
+ public long DriverSize;
 public fixed char ModuleName[128];
 }
 }
diff --git a/service/Worker.cs b/service/Worker.cs
index 4c4733c..c88e48b 100644
--- a/service/Worker.cs
+++ b/service/Worker.cs
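Review bot: Changing `DriverBaseAddress`/`DriverSize` from `UInt64` to `long` in the second Types.cs hunk makes the base address print as a negative number, because x64 kernel-mode addresses (the `DriverStart` value the driver copies in the modules.c hunk) have the top bit set; keep them `ulong`, which also matches the unsigned 64-bit fields the driver fills. `fixed char ModuleName[128]` is 256 bytes of UTF-16, whereas the driver side builds the name from an `ANSI_STRING`, so if the kernel field is 128 single-byte chars this managed struct is 128 bytes larger than the packet and the name decodes as garbage — confirm against the driver's definition and, if so, use `public fixed byte ModuleName[128];` decoded with `Encoding.ASCII`. Dropping the all-zero `[FieldOffset(0)]` overlays is right; consider `[StructLayout(LayoutKind.Sequential, Pack = 8)]` plus a comment stating that the struct must mirror the driver's report byte-for-byte, and note that the `using System.Numerics;` added in the first hunk is not used by anything in this change.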
@@ -161,8 +161,9 @@ namespace service
 var kernelModuleFailure = BytesToStructure();
- _logger.LogInformation("Report code: {0}, DriverBaseAddress: {1}, DriverSize: {2}",
+ _logger.LogInformation("Report code: {0}, REportType: {1}, DriverBaseAddress: {2}, DriverSize: {3}",
 kernelModuleFailure.ReportCode,
+ kernelModuleFailure.ReportType,
 kernelModuleFailure.DriverBaseAddress,
 kernelModuleFailure.DriverSize);
diff --git a/user/km/driver.cpp b/user/km/driver.cpp
index d95ebaa..8ffe186 100644
--- a/user/km/driver.cpp
+++ b/user/km/driver.cpp
@@ -124,7 +124,7 @@ void kernelmode::Driver::VerifySystemModules()
 ( UINT64 )buffer + sizeof( global::report_structures::MODULE_VALIDATION_FAILURE_HEADER ) + i * sizeof( global::report_structures::MODULE_VALIDATION_FAILURE ) );
- this->report_interface->ReportViolation( &report );
+ this->report_interface->ReportViolation( report );
 }
 free( buffer );
diff --git a/user/report.h b/user/report.h
index 8f96bee..95a5b44 100644
--- a/user/report.h
+++ b/user/report.h
@@ -43,8 +43,8 @@ namespace global
 header.message_type = REPORT_PACKET_ID;
 memcpy( this->buffer, &header, sizeof( global::headers::PIPE_PACKET_HEADER ) );
- memcpy( this->buffer + sizeof( global::headers::PIPE_PACKET_HEADER ), Report, sizeof(T));
- this->client->WriteToPipe( buffer, sizeof(T) );
+ memcpy( PVOID( ( UINT64 )this->buffer + sizeof( global::headers::PIPE_PACKET_HEADER ) ), Report, sizeof( T ) );
+ this->client->WriteToPipe( buffer, sizeof(T) + sizeof( global::headers::PIPE_PACKET_HEADER ) );
 RtlZeroMemory( this->buffer, REPORT_BUFFER_SIZE );
 mutex.unlock();
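Review bot: The new message template has a typo, `REportType`, and uses positional holes, whereas ILogger message templates conventionally use named holes so structured sinks capture the values as named properties: `_logger.LogInformation("Report code: {ReportCode}, ReportType: {ReportType}, DriverBaseAddress: 0x{DriverBaseAddress:X}, DriverSize: 0x{DriverSize:X}",`. The hex format also keeps the base address readable, because with the `long` fields introduced in Types.cs a kernel address prints as a negative decimal. `BytesToStructure()` appears without a type argument in this rendering and its length handling is outside the hunk; it should refuse a payload shorter than `sizeof(MODULE_VALIDATION_FAILURE)` before the bytes are reinterpreted. The enclosing method starts and ends outside the hunk.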
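Review bot: The record address is computed from `i` with nothing visible checking that the buffer the driver returned is long enough to hold record `i`; if the loop bound comes from a header inside that same buffer, compare it against the byte count the IOCTL actually returned before indexing, otherwise a short reply reads past the allocation. Passing `report` rather than `&report` is the right fix provided `report` is already a pointer to the entry (its declaration is above the hunk), since `ReportViolation` in report.h `memcpy`s `sizeof(T)` bytes from the argument. The `( UINT64 )buffer + ...` arithmetic would read more clearly as `reinterpret_cast<std::uint8_t*>( buffer ) + ...`, which also avoids the round trip through an integer. `VerifySystemModules` starts and ends outside the hunk.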
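Review bot: Nothing checks that `sizeof( global::headers::PIPE_PACKET_HEADER ) + sizeof( T )` fits in the `REPORT_BUFFER_SIZE` buffer that `RtlZeroMemory` clears, so a larger report type would overflow `this->buffer`; add `static_assert( sizeof( global::headers::PIPE_PACKET_HEADER ) + sizeof( T ) <= REPORT_BUFFER_SIZE, "report does not fit in pipe buffer" );` at the top of the template, together with `static_assert( std::is_trivially_copyable_v<T> );` since the body `memcpy`s the report. The packet length is now spelled out twice; a single `const size_t packet_size = sizeof( global::headers::PIPE_PACKET_HEADER ) + sizeof( T );` used by both the `memcpy` offset and `WriteToPipe` keeps them from drifting apart again, which is exactly what this commit had to fix. The manual `mutex.unlock()` is skipped if `WriteToPipe` throws; if the matching `lock()` above the hunk is a plain call, a `std::lock_guard` would release it on every path. The enclosing method starts outside the hunk.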