shadowbrokers-exploits/windows/Resources/Tasking/Scripts/Include/_regQueryTasking.dsi

sub _regQueryTasking(IN STRING $regQueryTxtFile, OUT STRING $regQueryCmd, OUT STRING $taskID, OUT STRING $targetID) {
	string $lines;
	if (!ReadFile ($regQueryTxtFile, $lines)) {
		return false;
	}
      # Process regQuery parameters
	string $taskIDStr;
	string $targetIDStr;
	string $rootStr = "";
      string $root = "";
	string $subKeyStr = "";
      string $subKey = "";
	$regQueryCmd = "registryquery";

	echo "\nProcessing $regQueryTxtFile";
	for (int $i=0; $i < sizeof($lines); $i++) {
		string $line = $lines[$i];
		string $hive = "";

		# TargetID is required
		if (RegexMatch("TargetID", $line)) {
			RegExSplit(" ", $line, 2, $targetIDStr);
			$targetID = $targetIDStr[1];
		}

		# TaskID is required
		if (RegexMatch("TaskID", $line)) {
			RegExSplit(" ", $line, 2, $taskIDStr);
			$taskID = $taskIDStr[1];
		}

		if (RegexMatch("RootKey", $line)) {
			RegExSplit(" ", $line, 2, $rootStr);
			$root = $rootStr[1];
			if (RegexMatch("HKEY_LOCAL_MACHINE", $line)) {
				$hive = "L";
			}
			else if (RegexMatch("HKEY_USERS", $line)) {
				$hive = "U";
			}
			else if (RegexMatch("HKEY_CURRENT_USER", $line)) {
				$hive = "C";
			}
			else if (RegexMatch("HKEY_CURRENT_CONFIG", $line)) {
				$hive = "G";
			}
			else if (RegexMatch("HKEY_CLASSES_ROOT", $line)) {
				$hive = "R";
			}

			$regQueryCmd = "$regQueryCmd -hive $hive";
		}
		if (RegexMatch("Subkey", $line)) {
			RegExSplit(" ", $line, 0, $subKeyStr);
			$subKey = $subKeyStr[1];
			$regQueryCmd = "$regQueryCmd -key $subKey";
		}
	}

	return true;
}
Inital commit of Shadowbrokers 'Lost in Translation' release 2017-04-14 04:45:07 -05:00			`sub _regQueryTasking(IN STRING $regQueryTxtFile, OUT STRING $regQueryCmd, OUT STRING $taskID, OUT STRING $targetID) {`
			`string $lines;`
			`if (!ReadFile ($regQueryTxtFile, $lines)) {`
			`return false;`
			`}`
			`# Process regQuery parameters`
			`string $taskIDStr;`
			`string $targetIDStr;`
			`string $rootStr = "";`
			`string $root = "";`
			`string $subKeyStr = "";`
			`string $subKey = "";`
			`$regQueryCmd = "registryquery";`

			`echo "\nProcessing $regQueryTxtFile";`
			`for (int $i=0; $i < sizeof($lines); $i++) {`
			`string $line = $lines[$i];`
			`string $hive = "";`

			`# TargetID is required`
			`if (RegexMatch("TargetID", $line)) {`
			`RegExSplit(" ", $line, 2, $targetIDStr);`
			`$targetID = $targetIDStr[1];`
			`}`

			`# TaskID is required`
			`if (RegexMatch("TaskID", $line)) {`
			`RegExSplit(" ", $line, 2, $taskIDStr);`
			`$taskID = $taskIDStr[1];`
			`}`

			`if (RegexMatch("RootKey", $line)) {`
			`RegExSplit(" ", $line, 2, $rootStr);`
			`$root = $rootStr[1];`
			`if (RegexMatch("HKEY_LOCAL_MACHINE", $line)) {`
			`$hive = "L";`
			`}`
			`else if (RegexMatch("HKEY_USERS", $line)) {`
			`$hive = "U";`
			`}`
			`else if (RegexMatch("HKEY_CURRENT_USER", $line)) {`
			`$hive = "C";`
			`}`
			`else if (RegexMatch("HKEY_CURRENT_CONFIG", $line)) {`
			`$hive = "G";`
			`}`
			`else if (RegexMatch("HKEY_CLASSES_ROOT", $line)) {`
			`$hive = "R";`
			`}`

			`$regQueryCmd = "$regQueryCmd -hive $hive";`
			`}`
			`if (RegexMatch("Subkey", $line)) {`
			`RegExSplit(" ", $line, 0, $subKeyStr);`
			`$subKey = $subKeyStr[1];`
			`$regQueryCmd = "$regQueryCmd -key $subKey";`
			`}`
			`}`

			`return true;`
			`}`