shadowbrokers-exploits/windows/Resources/Tasking/Scripts/Include/_regQueryTasking.dsi
2017-04-14 11:45:07 +02:00

61 lines
1.6 KiB
Text

sub _regQueryTasking(IN STRING $regQueryTxtFile, OUT STRING $regQueryCmd, OUT STRING $taskID, OUT STRING $targetID) {
string $lines;
if (!ReadFile ($regQueryTxtFile, $lines)) {
return false;
}
# Process regQuery parameters
string $taskIDStr;
string $targetIDStr;
string $rootStr = "";
string $root = "";
string $subKeyStr = "";
string $subKey = "";
$regQueryCmd = "registryquery";
echo "\nProcessing $regQueryTxtFile";
for (int $i=0; $i < sizeof($lines); $i++) {
string $line = $lines[$i];
string $hive = "";
# TargetID is required
if (RegexMatch("TargetID", $line)) {
RegExSplit(" ", $line, 2, $targetIDStr);
$targetID = $targetIDStr[1];
}
# TaskID is required
if (RegexMatch("TaskID", $line)) {
RegExSplit(" ", $line, 2, $taskIDStr);
$taskID = $taskIDStr[1];
}
if (RegexMatch("RootKey", $line)) {
RegExSplit(" ", $line, 2, $rootStr);
$root = $rootStr[1];
if (RegexMatch("HKEY_LOCAL_MACHINE", $line)) {
$hive = "L";
}
else if (RegexMatch("HKEY_USERS", $line)) {
$hive = "U";
}
else if (RegexMatch("HKEY_CURRENT_USER", $line)) {
$hive = "C";
}
else if (RegexMatch("HKEY_CURRENT_CONFIG", $line)) {
$hive = "G";
}
else if (RegexMatch("HKEY_CLASSES_ROOT", $line)) {
$hive = "R";
}
$regQueryCmd = "$regQueryCmd -hive $hive";
}
if (RegexMatch("Subkey", $line)) {
RegExSplit(" ", $line, 0, $subKeyStr);
$subKey = $subKeyStr[1];
$regQueryCmd = "$regQueryCmd -key $subKey";
}
}
return true;
}