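' Anti-monitoring check for a VB6 standard module.
'
' HackerScan looks for three analysis tools and, if one is present, raises
' EXCEPTION_ACCESS_VIOLATION in the calling process:
'   - RegMon  : a top-level window of class "RegmonClass"
'   - FileMon : a top-level window of class "FileMonClass"
'   - SoftICE : the device names \\.\SICE (Windows 9x) and \\.\NTICE (NT)
'
' Review notes:
'   - The checks are point-in-time and name-based. They cover only the tools
'     listed above and say nothing about any other monitor or debugger.
'   - Window-class probes for monitoring tools and opens of \\.\SICE and
'     \\.\NTICE are widely catalogued anti-analysis indicators. Static and
'     behavioural scanners commonly flag binaries containing them, so a
'     legitimate product that ships this routine should expect such flags.
'   - The routine does not protect the data it guards. License or registry
'     data that must stay confidential needs its own protection.

Public Declare Function FindWindow Lib "user32" _
    Alias "FindWindowA" (ByVal lpClassName As String, _
    ByVal lpWindowName As String) As Long

Public Declare Sub RaiseException Lib "kernel32" _
    Alias "RaiseException" (ByVal dwExceptionCode _
    As Long, ByVal dwExceptionFlags As Long, _
    ByVal nNumberOfArguments As Long, lpArguments _
    As Long)

Public Declare Function CreateFile Lib "kernel32" _
    Alias "CreateFileA" (ByVal lpFileName As String, _
    ByVal dwDesiredAccess As Long, _
    ByVal dwShareMode As Long, _
    lpSecurityAttributes As Any, _
    ByVal dwCreationDisposition As Long, _
    ByVal dwFlagsAndAttributes As Long, _
    ByVal hTemplateFile As Long) As Long

Public Declare Function CloseHandle Lib "kernel32" _
    Alias "CloseHandle" (ByVal hObject As Long) As Long

' Typed as Long so the Or-combined flag values are always 32-bit.
Public Const GENERIC_WRITE As Long = &H40000000
Public Const GENERIC_READ As Long = &H80000000
Public Const FILE_SHARE_READ As Long = &H1
Public Const FILE_SHARE_WRITE As Long = &H2
Public Const OPEN_EXISTING As Long = 3
Public Const FILE_ATTRIBUTE_NORMAL As Long = &H80
Public Const EXCEPTION_ACCESS_VIOLATION As Long = &HC0000005

' Value CreateFile returns when the open fails.
Private Const INVALID_HANDLE_VALUE As Long = -1

' Checks for RegMon, FileMon and SoftICE, in that order, and raises
' EXCEPTION_ACCESS_VIOLATION (flags 0, no arguments) when one is found.
' Takes no parameters and returns nothing. What happens after the exception
' is raised depends on the exception handling in the host process, which is
' not visible in this module.
Public Sub HackerScan()
    Dim sRegMonClass As String, sFileMonClass As String

    ' The class names are assembled from single characters so that the full
    ' names are not written as one literal in the source.
    ' NOTE(review): whether the compiled binary still contains the joined
    ' string was not verified here. The FindWindowA import and the device
    ' names below stay visible either way.
    sRegMonClass = "R" & "e" & "g" & "m" & "o" & "n" _
        & "C" & "l" & "a" & "s" & "s"
    sFileMonClass = "F" & "i" & "l" & "e" & "M" & "o" _
        & "n" & "C" & "l" & "a" & "s" & "s"

    ' See if RegMon or FileMon are running. Only the first match raises.
    If FindWindow(sRegMonClass, vbNullString) <> 0 Then
        ' RegMon is running...throw an access violation
        RaiseException EXCEPTION_ACCESS_VIOLATION, 0, 0, 0
    ElseIf FindWindow(sFileMonClass, vbNullString) <> 0 Then
        ' FileMon is running...throw an access violation
        RaiseException EXCEPTION_ACCESS_VIOLATION, 0, 0, 0
    End If

    ' So far so good...check for the SoftICE device, 9x name first, then NT.
    If DeviceOpens("\\.\SICE") Then
        RaiseException EXCEPTION_ACCESS_VIOLATION, 0, 0, 0
    ElseIf DeviceOpens("\\.\NTICE") Then
        RaiseException EXCEPTION_ACCESS_VIOLATION, 0, 0, 0
    End If
End Sub

' Returns True when sDevice can be opened with CreateFile. The handle is
' closed again before returning.
Private Function DeviceOpens(ByVal sDevice As String) As Boolean
    Dim hFile As Long

    ' lpSecurityAttributes is declared ByRef As Any. A bare 0 would pass the
    ' address of a temporary holding zero, not a NULL pointer, so CreateFile
    ' would read past that temporary. ByVal 0& passes a true NULL.
    hFile = CreateFile(sDevice, GENERIC_WRITE Or GENERIC_READ, _
        FILE_SHARE_READ Or FILE_SHARE_WRITE, ByVal 0&, OPEN_EXISTING, _
        FILE_ATTRIBUTE_NORMAL, 0)

    If hFile <> INVALID_HANDLE_VALUE Then
        CloseHandle hFile ' Close the file handle
        DeviceOpens = True
    End If
End Function

' Assumes: Simply call this routine before doing any sensitive reading or
' writing to files or the registry, i.e. license information.
' Side Effects: Access violations, but this is by design. See the comments
' in the code.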