While I was analysing a malware sample I stumbled on a piece of code using GlblcntUsage, a member I had not seen used before. GlblcntUsage is a field of the MODULEENTRY32 structure and, according to MSDN, it is defined as: "the load count of the module, which is not generally meaningful, and usually equal to 0xFFFF". There is a piece of code on GitHub written by Justin Seitz that makes use of GlblcntUsage; it is not the same code as the sample, but it is related to the idea implemented inside the malware.
This is the scenario: the malware installs some API hooks using Martona's hook library and, at a certain point, it needs to un-hook one of them. The un-hook procedure is not called directly; whether it runs depends on the value stored in GlblcntUsage. Here is the pseudo code:
```c
#include <windows.h>
#include <tlhelp32.h>

DWORD GetGlblcntUsageValueOfSpecificHModule(HMODULE _hModule, DWORD _th32ProcessID);

void UnHook(HMODULE hModule)
{
    DWORD th32ProcessID;
    DWORD countVal;

    th32ProcessID = GetCurrentProcessId();
    countVal = GetGlblcntUsageValueOfSpecificHModule(hModule, th32ProcessID);
    if (countVal != 1)
        return;
    /* Un-hook!!! */
}

/* Walk the module list of _th32ProcessID looking for _hModule and return its
   GlblcntUsage; 0 is returned when the module is not in the snapshot. */
DWORD GetGlblcntUsageValueOfSpecificHModule(HMODULE _hModule, DWORD _th32ProcessID)
{
    MODULEENTRY32 me;
    HANDLE hSnap;
    DWORD _GlblcntUsage = 0;

    hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, _th32ProcessID);
    if (hSnap == INVALID_HANDLE_VALUE)
        return _GlblcntUsage;

    me.dwSize = sizeof(MODULEENTRY32);   /* must be set before Module32First */
    if (Module32First(hSnap, &me)) {
        while (me.hModule != _hModule) {
            if (!Module32Next(hSnap, &me)) {
                /* end of the list: module not loaded */
                CloseHandle(hSnap);
                return _GlblcntUsage;
            }
        }
        _GlblcntUsage = me.GlblcntUsage;
    }
    CloseHandle(hSnap);
    return _GlblcntUsage;
}
```
If the module has not been loaded the returned value is 0; otherwise it is the content of the GlblcntUsage member. The un-hook takes place if and only if the count value returned by GetGlblcntUsageValueOfSpecificHModule is exactly 1.
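To see what that check would actually return inside a given process, here is an added example (my code, not the blog's or the sample's) that reproduces the Toolhelp lookup with ctypes and keeps the "count == 1" gate as a pure function so it can be exercised on a constructed module list; `snapshot_modules` only works on Windows, and every module handle and name used with it is assumed, not taken from the sample.

```python
import ctypes

TH32CS_SNAPMODULE = 0x00000008
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value

class MODULEENTRY32(ctypes.Structure):
    # ANSI layout of MODULEENTRY32 from tlhelp32.h
    _fields_ = [("dwSize", ctypes.c_uint32), ("th32ModuleID", ctypes.c_uint32),
                ("th32ProcessID", ctypes.c_uint32), ("GlblcntUsage", ctypes.c_uint32),
                ("ProccntUsage", ctypes.c_uint32), ("modBaseAddr", ctypes.c_void_p),
                ("modBaseSize", ctypes.c_uint32), ("hModule", ctypes.c_void_p),
                ("szModule", ctypes.c_char * 256), ("szExePath", ctypes.c_char * 260)]

def snapshot_modules(pid):
    """Yield (hModule, GlblcntUsage, name) for each module of pid. Windows only."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateToolhelp32Snapshot.restype = ctypes.c_void_p
    k32.Module32First.argtypes = k32.Module32Next.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    snap = k32.CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid)
    if snap == INVALID_HANDLE_VALUE:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        me = MODULEENTRY32()
        me.dwSize = ctypes.sizeof(me)  # must be set before Module32First
        ok = k32.Module32First(snap, ctypes.byref(me))
        while ok:
            yield me.hModule, me.GlblcntUsage, me.szModule.decode(errors="replace")
            ok = k32.Module32Next(snap, ctypes.byref(me))
    finally:
        k32.CloseHandle(snap)

def glblcnt_usage_of(modules, hmodule):
    """Same contract as the sample's lookup: the module's GlblcntUsage, 0 if not loaded."""
    for hmod, count, _name in modules:
        if hmod == hmodule:
            return count
    return 0

def unhook_would_fire(modules, hmodule):
    """True only when the sample's 'countVal == 1' gate is satisfied."""
    return glblcnt_usage_of(modules, hmodule) == 1

def unusual_load_counts(modules):
    """Modules whose GlblcntUsage differs from the documented 0xFFFF, i.e. the only ones the gate can pass for."""
    return [(name, count) for _h, count, name in modules if count != 0xFFFF]

if __name__ == "__main__":
    import os
    for name, count in unusual_load_counts(snapshot_modules(os.getpid())):
        print(f"{name}: GlblcntUsage={count}")
```

Running it under the same conditions an analyst uses (debugger attached, sample loaded) shows which modules, if any, would let the un-hook branch execute.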
Am I to understand that you can indeed decrypt these files?? I have my reason note still and all of the files are still on the SD card where they were when the encryption was done. The files were never on my hard drive ONLY on the card. Can you help me??? Please!?!?!??!?!