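'\\ Win32 API declarations used by HackerScan.
Public Declare Function FindWindow Lib "user32" _
    Alias "FindWindowA" (ByVal lpClassName As String, _
    ByVal lpWindowName As String) As Long

Public Declare Sub RaiseException Lib "kernel32" _
    Alias "RaiseException" (ByVal dwExceptionCode As Long, _
    ByVal dwExceptionFlags As Long, _
    ByVal nNumberOfArguments As Long, lpArguments As Long)

Public Declare Function CreateFile Lib "kernel32" _
    Alias "CreateFileA" (ByVal lpFileName As String, _
    ByVal dwDesiredAccess As Long, ByVal dwShareMode As Long, _
    lpSecurityAttributes As Any, _
    ByVal dwCreationDisposition As Long, _
    ByVal dwFlagsAndAttributes As Long, _
    ByVal hTemplateFile As Long) As Long

Public Declare Function CloseHandle Lib "kernel32" _
    Alias "CloseHandle" (ByVal hObject As Long) As Long

'\\ Access, share, disposition and attribute flags passed to CreateFile.
Public Const GENERIC_WRITE = &H40000000
Public Const GENERIC_READ = &H80000000
Public Const FILE_SHARE_READ = &H1
Public Const FILE_SHARE_WRITE = &H2
Public Const OPEN_EXISTING = 3
Public Const FILE_ATTRIBUTE_NORMAL = &H80

'\\ Exception code raised when a monitored tool is found.
Public Const EXCEPTION_ACCESS_VIOLATION = &HC0000005

'\\ HackerScan
'\\ Looks for a RegMon or FileMon window (by window class) and for the
'\\ SoftICE devices \\.\SICE and \\.\NTICE. If any of them is found the
'\\ routine raises EXCEPTION_ACCESS_VIOLATION through RaiseException.
'\\
'\\ Notes for maintainers and reviewers:
'\\  - Only the tools named above are checked, and only by window class or
'\\    device name; this is a deterrent, not a security boundary.
'\\  - A user who runs RegMon/FileMon for ordinary troubleshooting gets the
'\\    same raised access violation with no explanation; weigh that
'\\    support cost before shipping this check.
'\\  - The class and device names are handed to FindWindowA / CreateFileA
'\\    in the clear at run time, so API-level monitoring still shows
'\\    exactly what is being probed even though the literals are split.
Public Sub HackerScan()
    Dim sRegMonClass As String, sFileMonClass As String

    '\\We break up the class names to avoid detection in a hex editor
    sRegMonClass = "R" & "e" & "g" & "m" & "o" & "n" & _
        "C" & "l" & "a" & "s" & "s"
    sFileMonClass = "F" & "i" & "l" & "e" & "M" & "o" & _
        "n" & "C" & "l" & "a" & "s" & "s"

    '\\See if RegMon or FileMon are running
    If FindWindow(sRegMonClass, vbNullString) <> 0 Then
        'Regmon is running...throw an access violation
        RaiseException EXCEPTION_ACCESS_VIOLATION, 0, 0, 0
    ElseIf FindWindow(sFileMonClass, vbNullString) <> 0 Then
        'FileMon is running...throw an access violation
        RaiseException EXCEPTION_ACCESS_VIOLATION, 0, 0, 0
    End If

    '\\So far so good...check for SoftICE in memory
    If DeviceOpens("\\.\SICE") Then
        'SoftICE is detected.
        RaiseException EXCEPTION_ACCESS_VIOLATION, 0, 0, 0
    ElseIf DeviceOpens("\\.\NTICE") Then
        'SoftICE is not found for windows 9x, but the NT device is present.
        RaiseException EXCEPTION_ACCESS_VIOLATION, 0, 0, 0
    End If
End Sub

'\\ DeviceOpens
'\\ Returns True when CreateFile can open sDevice with OPEN_EXISTING.
'\\ The handle is closed again before returning.
Private Function DeviceOpens(ByVal sDevice As String) As Boolean
    Dim hFile As Long, retVal As Long

    ' lpSecurityAttributes is declared ByRef As Any, so a bare 0 would hand
    ' CreateFile the address of a temporary instead of a null pointer and the
    ' call could fail for reasons unrelated to the device. ByVal 0& passes
    ' NULL explicitly.
    hFile = CreateFile(sDevice, GENERIC_WRITE Or GENERIC_READ, _
        FILE_SHARE_READ Or FILE_SHARE_WRITE, ByVal 0&, OPEN_EXISTING, _
        FILE_ATTRIBUTE_NORMAL, 0)

    ' -1 is the value the original code treats as "open failed".
    If hFile <> -1 Then
        retVal = CloseHandle(hFile) ' Close the file handle
        DeviceOpens = True
    End If
End Function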