Language Code Page Spoof

1. bool set_memory(unsigned char* address, void* data, unsigned int size)
2. {
3.     MEMORY_BASIC_INFORMATION mbi;
4.  
5.     if (VirtualQuery(address, &mbi, sizeof(MEMORY_BASIC_INFORMATION)) != sizeof(MEMORY_BASIC_INFORMATION))
6.         return false;
7.  
8.     if (!mbi.Protect || (mbi.Protect & PAGE_GUARD))
9.         return false;
10.  
11.     unsigned long protection = 0;
12.  
13.     if (!(mbi.Protect & PAGE_EXECUTE_READWRITE))
14.         if (!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READWRITE, &protection))
15.             return false;
16.  
17.     memcpy(address, data, size);
18.  
19.     return (protection ? VirtualProtect(mbi.BaseAddress, mbi.RegionSize, protection, &protection) != FALSE : true);
20. }
21.  
22. void language_codepage_spoof()
23. {
24.     HMODULE kernel_lib = GetModuleHandle("KERNELBASE.DLL");
25.  
26.     if (!kernel_lib)
27.         kernel_lib = GetModuleHandle("KERNEL32.DLL");
28.  
29.     set_memory(reinterpret_cast<unsigned char*>((DWORD)GetProcAddress(kernel_lib, "GetACP")), "\xB8\xB5\x03\x00\x00", 5); /* 0x3A4 = JMS | 0x3B5 = KMS */
30.     set_memory(reinterpret_cast<unsigned char*>((DWORD)GetProcAddress(kernel_lib, "GetSystemDefaultLangID")), "\xB8\x11\x04\x00\x00\xC3", 6); /* 0x411 = JMS | 0x412 = KMS */
31. }