GET /api/techniques/208/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 208,
    "key": "nls-code-injection-through-registry",
    "unprotect_id": "U1237",
    "name": "NLS Code Injection Through Registry",
    "description": "DLL injection through registry modification of the NLS code page ID is a technique used by malware to get a malicious DLL loaded into a process by modifying the NLS code page ID in the registry.\r\n\r\nThere are two ways to accomplish this technique:\r\n1. Calling the `SetThreadLocale` function, with the DLL exporting a function named `NlsDllCodePageTranslation` in which the main payload is located.\r\n2. Using the `SetConsoleCP` or `SetConsoleOutputCP` functions to modify the code page ID. If the process is not console-based, a console can first be allocated using the `AllocConsole` function.\r\n\r\nBecause both variants depend on a registry write, the observable artifacts are a change to an NLS code page entry in the registry and a DLL exporting `NlsDllCodePageTranslation` being loaded by a process that then calls one of the functions above.",
    "resources": "https://github.com/NtQuerySystemInformation/NlsCodeInjectionThroughRegistry",
    "creation_date": "2022-06-20T04:57:44.171000Z",
    "tags": "Dll injection, registry modification, NLS code page ID, SetThreadLocale, NlsDllCodePageTranslation, SetConsoleCp, SetConsoleOutputCP, AllocConsole, malware, proof of concept, position-independent shellcode, remote process, stager, loading of DLL",
    "modification_date": "2023-10-04T10:42:36.449000Z",
    "category": [
        4
    ],
    "rules": [],
    "attachments": [],
    "featured_api": [
        1,
        3,
        4,
        6,
        12,
        23,
        313,
        321,
        322,
        329,
        356,
        381,
        401,
        411,
        445,
        450
    ],
    "contributors": [
        5
    ]
}