HackerScan




'--- Win32 imports used by HackerScan ------------------------------------
'ANSI FindWindow: returns a non-zero window handle when a top-level window
'with the given class name (and/or title) exists. vbNullString is passed
'below for the title to mean "any title".
Public Declare Function FindWindow Lib "user32" _
Alias "FindWindowA" (ByVal lpClassName As String, _
ByVal lpWindowName As String) As Long

'Raises a structured exception in the calling thread. HackerScan uses it
'to abort the process on purpose. lpArguments is passed by reference; the
'callers below pass 0 arguments so the pointer is never dereferenced.
Public Declare Sub RaiseException Lib "kernel32" _
Alias "RaiseException" (ByVal dwExceptionCode _
As Long, ByVal dwExceptionFlags As Long, _
ByVal nNumberOfArguments As Long, lpArguments _
As Long)

'ANSI CreateFile. NOTE(review): lpSecurityAttributes is declared "As ANY",
'which in a Declare means BY REFERENCE. To pass a NULL pointer a caller
'must write "ByVal 0&"; a bare "0" passes the address of a temporary Long
'holding zero, which the API will read as a SECURITY_ATTRIBUTES struct.
Public Declare Function CreateFile Lib "kernel32" _
Alias "CreateFileA" (ByVal lpFileName As String, _
ByVal dwDesiredAccess As Long, _
ByVal dwShareMode As Long, _
lpSecurityAttributes As ANY, _
ByVal dwCreationDisposition As Long, _
ByVal dwFlagsAndAttributes As Long, _
ByVal hTemplateFile As Long) As Long

'Releases the kernel handle returned by CreateFile.
Public Declare Function CloseHandle Lib "kernel32" _
Alias "CloseHandle" (ByVal hObject As Long) As Long

'Access, share-mode, disposition and attribute flags for CreateFile.
Public Const GENERIC_WRITE = &H40000000
'Bit 31 set: as a signed VB Long this literal is negative, which is the
'intended 32-bit pattern for the API.
Public Const GENERIC_READ = &H80000000
Public Const FILE_SHARE_READ = &H1
Public Const FILE_SHARE_WRITE = &H2
Public Const OPEN_EXISTING = 3
Public Const FILE_ATTRIBUTE_NORMAL = &H80
'NTSTATUS code raised when a monitor or debugger is detected.
Public Const EXCEPTION_ACCESS_VIOLATION = &HC0000005

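Public Sub HackerScan()
'Crude anti-analysis probe. If a RegMon or FileMon window exists, or a
'SoftICE device can be opened, the routine deliberately raises an access
'violation so that the caller's sensitive file/registry work never runs.
'
'What it detects is fixed by name: the window classes "RegmonClass" and
'"FileMonClass" and the devices \\.\SICE (Windows 9x) and \\.\NTICE
'(Windows NT). A tool that uses any other class or driver name is not
'detected, and an analyst can rename a window class or patch this routine
'out, so treat it as a speed bump rather than a security control.
'
'Side effect: when something is found, RaiseException is invoked with an
'access-violation code and execution is not expected to resume here; no
'value is returned and nothing is reported through VB's Err object.
Dim sRegMonClass As String, sFileMonClass As String

'Assemble the class names from single-character literals so the names do
'not appear as one contiguous literal in the source. Whether the compiled
'binary still holds them contiguously is not verified here -- the compiler
'may fold constant concatenations.
sRegMonClass = "R" & "e" & "g" & "m" & "o" & "n" _
& "C" & "l" & "a" & "s" & "s"
sFileMonClass = "F" & "i" & "l" & "e" & "M" & "o" _
& "n" & "C" & "l" & "a" & "s" & "s"

'A top-level window with either class name means the monitor is running.
If FindWindow(sRegMonClass, vbNullString) <> 0 Then
    RaiseException EXCEPTION_ACCESS_VIOLATION, 0, 0, 0
ElseIf FindWindow(sFileMonClass, vbNullString) <> 0 Then
    RaiseException EXCEPTION_ACCESS_VIOLATION, 0, 0, 0
End If

'SoftICE exposes a device symbolic link; if it opens, the debugger is
'loaded. The 9x name is tried first, then the NT name, as before.
If DebugDeviceOpens("\\.\SICE") Then
    RaiseException EXCEPTION_ACCESS_VIOLATION, 0, 0, 0
ElseIf DebugDeviceOpens("\\.\NTICE") Then
    RaiseException EXCEPTION_ACCESS_VIOLATION, 0, 0, 0
End If
End Sub

'Existence probe: True if CreateFile can open sDevice, False otherwise.
'Any handle obtained is closed immediately so nothing is leaked.
Private Function DebugDeviceOpens(ByVal sDevice As String) As Boolean
Const INVALID_HANDLE_VALUE As Long = -1
Dim hFile As Long

'lpSecurityAttributes is declared "As ANY" (by reference). A bare 0 would
'pass the address of a temporary Long holding 0 -- not a NULL pointer --
'and CreateFile would read a bogus SECURITY_ATTRIBUTES from the stack.
'"ByVal 0&" pushes a real NULL, which is what the API expects.
hFile = CreateFile(sDevice, GENERIC_WRITE Or GENERIC_READ, _
FILE_SHARE_READ Or FILE_SHARE_WRITE, ByVal 0&, OPEN_EXISTING, _
FILE_ATTRIBUTE_NORMAL, 0)

If hFile <> INVALID_HANDLE_VALUE Then
    CloseHandle hFile   'release the device handle; the return value is not needed
    DebugDeviceOpens = True
Else
    DebugDeviceOpens = False
End If
End Function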
Assumes:
Call this routine before any sensitive file or registry access (for example,
reading license information). It only recognises the specific tools named in
the code (RegMon, FileMon and SoftICE, by window class or device name); it is
not a general anti-debugging measure.

Side Effects:
Deliberately raises an access violation (terminating the process) when one of
the named monitors or debuggers is detected. This is by design; see the
comments in the code.










