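/*
 * Directory-walk callback that looks for a process whose name contains the
 * pattern passed in pContext.
 *
 * Intended for a walk over a /proc-style tree: every directory entry whose
 * name is entirely decimal digits is treated as a PID directory, the process
 * name is fetched with GetProcessNameFromPID() and matched against pContext.
 *
 * pCurPath  directory currently being walked (unused here; kept for the
 *           callback signature)
 * pInfo     directory entry under consideration
 * pContext  const char * pattern to search for in the process name
 *
 * Returns 1 when a matching process is found (stop the walk), 0 otherwise
 * (keep walking). Lookup failures are treated as "no match".
 */
int32_t TraversalDirCallback(const char *pCurPath, struct dirent *pInfo, void *pContext)
{
    const char *pPattern = (const char *)pContext;
    char c8Name[_POSIX_PATH_MAX];
    char *pEnd = NULL;
    long lPid;
    int32_t s32Err;

    (void)pCurPath;

    /* strstr() on a NULL pattern is undefined behaviour; no pattern can never match. */
    if (pInfo == NULL || pPattern == NULL) {
        return 0;
    }

    /*
     * d_type is an enumeration, not a bit mask: DT_BLK (6), DT_SOCK (12) and
     * DT_WHT (14) all share bit 2 with DT_DIR (4), so the former test
     * "(d_type & DT_DIR) == 0" let those non-directories through. Compare
     * for equality instead. DT_UNKNOWN entries are skipped, exactly as before.
     */
    if (pInfo->d_type != DT_DIR) {
        return 0;
    }

    /*
     * A PID directory is all digits. atoi() accepted "123abc" as 123 and
     * silently wrapped on overflow; strtol() with an end-pointer and ERANGE
     * check rejects both. The leading-digit test also rules out the sign and
     * whitespace prefixes strtol() would otherwise tolerate.
     */
    if (pInfo->d_name[0] < '0' || pInfo->d_name[0] > '9') {
        return 0;
    }
    errno = 0;
    lPid = strtol(pInfo->d_name, &pEnd, 10);
    if (errno == ERANGE || *pEnd != '\0' || lPid <= 0 || lPid > INT_MAX) {
        return 0;
    }

    s32Err = GetProcessNameFromPID(c8Name, sizeof c8Name, (int)lPid);
    if (s32Err != 0) {
        /* The process may have exited between readdir() and the lookup. */
        return 0;
    }

    /*
     * NOTE(review): this is a substring match, so a pattern such as "sh" also
     * matches "bash" or "ssh-agent". If callers need an exact image name,
     * compare with strcmp() here instead.
     */
    return (strstr(c8Name, pPattern) != NULL) ? 1 : 0;
}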
/// /// @brief 프로세스가 실행될 때 Callback /// NTSTATUS WINAPI ZwResumeThreadCallback(HANDLE ThreadHandle, PULONG SuspendCount) { NTSTATUS status = NULL; HMODULE hMod = NULL; FARPROC pFuncThread = NULL; DWORD dwPID = 0; /// 스레드 핸들로 프로세스의 이름을 얻음 int nPID = GetProcessIdOfThread(ThreadHandle); if(GetCurrentProcessId() != nPID) { CString strProcessName = GetProcessNameFromPID(nPID); /// 부모 IE에서 생성되는 프로세스(자식 프로세스)가 iexplore.exe이면 DLL 인젝션 InjectDLLToIEChild(strProcessName, nPID); } return ZwResumeThreadNext(ThreadHandle, SuspendCount); }