While I was checking a malware sample I stumbled on a piece of code using GlblcntUsage that I had not seen before. GlblcntUsage is a member of the MODULEENTRY32 structure and, according to MSDN, it is defined as: “the load count of the module, which is not generally meaningful, and usually equal to 0xFFFF”. There is a piece of code on Github written by Justin Seitz about the use of GlblcntUsage; it is not the same sample code, but it is somehow related to the idea implemented inside the malware.


This is the scenario: the malware installs some API hooks using Martona’s hook library and, at a certain point, it needs to un-hook one of them. The un-hook routine is not called unconditionally; whether it runs depends on the value stored inside GlblcntUsage. Here is the pseudo code:

#include <windows.h>
#include <tlhelp32.h>

int GetGlblcntUsageValueOfSpecificHModule(HMODULE _hModule, DWORD _th32ProcessID) {
   HANDLE hSnap;
   MODULEENTRY32 me;
   DWORD _GlblcntUsage = 0;            /* 0 = module not found in the snapshot */
   hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, _th32ProcessID);
   if (hSnap == INVALID_HANDLE_VALUE)
      return 0;
   me.dwSize = sizeof(me);             /* Module32First fails without this */
   if (Module32First(hSnap, &me)) {
      while (me.hModule != _hModule) {
         if (!Module32Next(hSnap, &me))
            break;                     /* end of list: module is not loaded */
      }
      if (me.hModule == _hModule)
         _GlblcntUsage = me.GlblcntUsage;
   }
   CloseHandle(hSnap);
   return (int)_GlblcntUsage;
}

void UnHook(HMODULE hModule) {
   DWORD th32ProcessID = GetCurrentProcessId();
   int countVal = GetGlblcntUsageValueOfSpecificHModule(hModule, th32ProcessID);
   if (countVal != 1)
      return;                          /* load count is not 1: keep the hook */
   /* Un-hook!!! */
}

If the module has not been loaded, the returned value is 0; otherwise it is the content of the module’s GlblcntUsage field. The un-hook takes place if and only if the count value returned by GetGlblcntUsageValueOfSpecificHModule is exactly 1.
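The following is an added example, not code from the original post or from the malware: it performs the same MODULEENTRY32 walk as the pseudo code above, through ctypes, and goes one step further by listing every module of a process with its GlblcntUsage and ProccntUsage, so an analyst can check on a live system which values the field really carries for which modules. The API and field names come from tlhelp32.h; the helper names (snapshot_modules, load_count_of, hook_should_be_removed, ModuleInfo) are this example’s own. The sample module list in the test is constructed.

```python
"""Read GlblcntUsage for every module in a process with the Toolhelp32 API.

Added example, not code from the original post: it performs the same
MODULEENTRY32 walk as the post's pseudocode, using ctypes, so an analyst
can dump the load counts of a live process and see which values actually
occur. API and field names come from tlhelp32.h; the helper names
(snapshot_modules, load_count_of, hook_should_be_removed, ModuleInfo) are
this example's own.
"""
import ctypes
import sys
from collections import namedtuple

TH32CS_SNAPMODULE = 0x00000008          # tlhelp32.h
MAX_MODULE_NAME32 = 255
MAX_PATH = 260
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value


class MODULEENTRY32(ctypes.Structure):
    """ANSI MODULEENTRY32 layout from tlhelp32.h (Module32First/Module32Next)."""
    _fields_ = [
        ("dwSize", ctypes.c_ulong),
        ("th32ModuleID", ctypes.c_ulong),
        ("th32ProcessID", ctypes.c_ulong),
        ("GlblcntUsage", ctypes.c_ulong),   # "load count", usually 0xFFFF per MSDN
        ("ProccntUsage", ctypes.c_ulong),
        ("modBaseAddr", ctypes.c_void_p),
        ("modBaseSize", ctypes.c_ulong),
        ("hModule", ctypes.c_void_p),
        ("szModule", ctypes.c_char * (MAX_MODULE_NAME32 + 1)),
        ("szExePath", ctypes.c_char * MAX_PATH),
    ]


# Plain record for one module, so results survive after the snapshot handle is closed.
ModuleInfo = namedtuple("ModuleInfo", "name hModule GlblcntUsage ProccntUsage")


def load_count_of(modules, hmodule):
    """Same contract as the post's GetGlblcntUsageValueOfSpecificHModule:
    the matching module's GlblcntUsage, or 0 when the module is not loaded."""
    for m in modules:
        if m.hModule == hmodule:
            return m.GlblcntUsage
    return 0


def hook_should_be_removed(count):
    """The gate the post describes: un-hook only when the load count is exactly 1."""
    return count == 1


def snapshot_modules(pid):
    """Windows only: enumerate pid's modules via CreateToolhelp32Snapshot."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateToolhelp32Snapshot.restype = ctypes.c_void_p
    k32.CreateToolhelp32Snapshot.argtypes = [ctypes.c_ulong, ctypes.c_ulong]
    for fn in (k32.Module32First, k32.Module32Next):
        fn.restype = ctypes.c_int
        fn.argtypes = [ctypes.c_void_p, ctypes.POINTER(MODULEENTRY32)]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]

    snap = k32.CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid)
    if snap == INVALID_HANDLE_VALUE:
        raise ctypes.WinError(ctypes.get_last_error())
    modules = []
    try:
        me = MODULEENTRY32()
        me.dwSize = ctypes.sizeof(MODULEENTRY32)   # required, or Module32First fails
        ok = k32.Module32First(snap, ctypes.byref(me))
        while ok:
            modules.append(ModuleInfo(me.szModule.decode(errors="replace"),
                                      me.hModule, me.GlblcntUsage, me.ProccntUsage))
            ok = k32.Module32Next(snap, ctypes.byref(me))
    finally:
        k32.CloseHandle(snap)
    return modules


if __name__ == "__main__" and sys.platform == "win32":
    # Dump the current process: name, handle, both counts and the post's decision.
    own_pid = ctypes.WinDLL("kernel32").GetCurrentProcessId()
    for m in snapshot_modules(own_pid):
        print(f"{m.name:30} hModule={m.hModule:#018x} Glblcnt={m.GlblcntUsage:#06x} "
              f"Proccnt={m.ProccntUsage:#06x} unhook={hook_should_be_removed(m.GlblcntUsage)}")
```

Two points worth noting when reading the output. First, dwSize must be set before Module32First, exactly as in the C version; a zeroed structure makes the call fail and the walk silently reports every module as “not loaded”. Second, since MSDN documents GlblcntUsage as “not generally meaningful”, a decision gated on it is a fragile trick rather than a reliable signal, which is precisely why seeing the real per-module values on a given Windows build is useful before interpreting what the malware’s condition will do there.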

By admin