Windows C++ / Geofencing
Author | Thomas Roccia (fr0gger) |
Platform | Windows |
Language | C++ |
Technique | Geofencing |
Description:
In this code, the IsLanguageInstalled function checks whether the specified language, identified by its LCID (Language Code Identifier), is installed on the system. Malware could use such a check to inspect the languages installed on a Windows machine and not run if Russian is present.
Code
#include <Windows.h>
#include <winreg.h>
#include <wchar.h>
#define LANG_KEY "SYSTEM\\CurrentControlSet\\Control\\Nls\\Language"
#define RUSSIAN_LCID 1049
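// Report whether a value named after `lcid` exists under
// HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language.
//
// Parameters:
//   lcid - locale identifier to look for (e.g. RUSSIAN_LCID, 1049 == 0x0419).
// Returns:
//   true if a value whose name parses, as hexadecimal, to `lcid` is found;
//   false if no such value is found or the key cannot be opened or enumerated.
//
// Analyst notes:
//   - The only system interaction is a read-only open and value enumeration
//     of the key above, so that registry access is the observable artifact
//     of this check.
//   - NOTE(review): a value under this key may only indicate that NLS data
//     for the locale is registered, not that the language is installed or in
//     use; confirm on the target Windows version before relying on the result.
bool IsLanguageInstalled(LCID lcid)
{
    HKEY hKey;
    // LANG_KEY is a narrow string literal, so call the ANSI opener explicitly
    // instead of the TCHAR macro; the returned handle works with the W APIs.
    if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, LANG_KEY, 0, KEY_READ, &hKey) != ERROR_SUCCESS)
    {
        return false;
    }

    bool found = false;
    for (DWORD dwIndex = 0; ; ++dwIndex)
    {
        WCHAR szValueName[32];
        // RegEnumValueW takes the buffer size in characters, not bytes, and
        // overwrites it with the returned length, so reset it on every pass.
        DWORD cchValueName = sizeof(szValueName) / sizeof(szValueName[0]);
        LONG rc = RegEnumValueW(hKey, dwIndex, szValueName, &cchValueName,
                                NULL, NULL, NULL, NULL);
        if (rc == ERROR_MORE_DATA)
        {
            // Name longer than the buffer: cannot be a short LCID string.
            continue;
        }
        if (rc != ERROR_SUCCESS)
        {
            // ERROR_NO_MORE_ITEMS or a genuine failure: stop enumerating.
            break;
        }

        // Value names here are hexadecimal LCID strings such as "0419", so
        // parse base 16. Require the whole name to be consumed, so that
        // non-LCID names with a hex-looking prefix are not misread.
        wchar_t *end = NULL;
        unsigned long parsed = wcstoul(szValueName, &end, 16);
        if (end == szValueName || *end != L'\0')
        {
            continue;
        }
        if (static_cast<LCID>(parsed) == lcid)
        {
            found = true;
            break;
        }
    }

    // Single exit path so the handle is always released.
    RegCloseKey(hKey);
    return found;
}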
// Entry point of the sample: shows the geofencing gate only.
// The process exits with status 0 on both paths; the gated branch is an
// empty placeholder and no payload is part of this listing.
int main()
{
    const bool russianPresent = IsLanguageInstalled(RUSSIAN_LCID);

    if (!russianPresent)
    {
        // Russian language is not installed, run malware
        // ... (placeholder: the sample does nothing here)
    }

    // Russian language is installed, do not run malware: fall through and exit.
    // For analysis: the locale configured in a sandbox decides which branch
    // is taken, so an analysis image's language settings can hide or reveal
    // the gated behaviour.
    return 0;
}
Created
December 13, 2022
Last Revised
April 22, 2024