Bot IDs are fairly important when you’re developing malware and you want to tell one infected host apart from another. In my mission to develop passable malware (for fun and zero profit, of course) I knew this was something I’d have to work on.

In my web development work, unique identifiers are a fairly simple problem. I tend to use a combination of the timestamp at which the piece of data was created and a cryptographic hash of some unique part of the data, like so:

post: {
	title: blah,
	desc: blah blah,
	posted: 123456,
	id: 123456_<md5(title+"_"+desc)>
}

With this schema, the only way to get a collision is if the exact same post (same title and same description) is created at the same timestamp, down to the millisecond. Two caveats worth knowing: this isn’t a UUID in the RFC 4122 sense, just a unique ID with a hash in it, and it inherits MD5’s weaknesses, so anyone who controls both the title and the description could in principle craft two posts whose hashes match. For a personal blog that doesn’t matter; for anything with an adversary in the loop, use SHA-256. The added benefit is that the timestamp is stored in the ID itself, so you can sort IDs chronologically, provided the timestamp is zero-padded to a fixed width so that string order matches numeric order. This isn’t that useful, just a fun addition.

With malware, it’s a bit different. You have access to the whole OS (in theory), so the things you can derive an ID from are plentiful. I had a couple of ideas, initially:

So, what is to be done?

Microsoft Likes Money

Turns out the answer is pretty simple: Microsoft licenses Windows per machine, so they’re bound to expose some sort of per-system UUID. What you actually get is the SMBIOS system UUID that the firmware reports (the UUID property of the Win32_ComputerSystemProduct WMI class). It’s set by the OEM rather than assigned by Microsoft, but it’s per-machine and survives a reinstall, which is what matters here. The one catch: VMs, cloned images and some OEM boards report placeholder values (all F’s, all zeros, or the same UUID on every unit), so check for those before trusting it.

wmic csproduct get uuid

This command uses WMIC (Windows Management Instrumentation Command-line… seriously, Windows???) to grab the UUID for the system. Microsoft has deprecated WMIC in newer versions of Windows, and recent Windows 11 builds no longer install it by default… but who tf is upgrading their Windows distros anyways? Plus, deprecated tools in Windows tend to just… keep working for a long time anyways. I haven’t tested this out, but the article listed above also states you can do this same thing via PowerShell (the same Win32_ComputerSystemProduct class is reachable through Get-CimInstance), so I’ll probably just implement a check to see if the WMIC command worked and, if not, fall back to PowerShell.

I’m going to hash the UUID from MSFT because honestly I don’t like having hyphens in my UUIDs… it’s an aesthetic choice, mainly. Hashing doesn’t add any uniqueness (it’s a deterministic function of the same 128-bit value, so two hosts with the same placeholder UUID still get the same bot ID), and if you’re hashing anyway, SHA-256 costs nothing more than MD5 and spares you the argument about collisions later. One small bonus: the C2 side ends up holding a digest rather than the raw hardware UUID.
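As an added example (this is not code from the original post), here is the WMIC-then-PowerShell check described above, written in PowerShell, with the placeholder-UUID problem handled rather than ignored. The function names are mine, and the state-file path used when the firmware gives nothing usable is an assumption; pick whatever location your implant already uses.

```powershell
# Added example, not from the original post: derive a bot ID from the SMBIOS
# system UUID. Tries WMIC first, falls back to CIM, and treats known-bad values
# (blank, all F's, all zeros) as "no usable UUID" so cloned VMs don't collide.

function Get-SystemUuid {
    $uuid = $null

    # 1. Legacy path: WMIC. Its output is the header "UUID", the value, then
    #    blank lines, so keep the first non-empty line that isn't the header.
    #    Errors are suppressed so a missing wmic.exe just falls through.
    $wmic = Get-Command wmic.exe -ErrorAction SilentlyContinue
    if ($wmic) {
        $lines = & $wmic.Source csproduct get uuid 2>$null |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ -and $_ -ne 'UUID' }
        if ($lines) { $uuid = $lines[0] }
    }

    # 2. Modern path: CIM. Win32_ComputerSystemProduct.UUID is the same SMBIOS
    #    value WMIC reads. Get-WmiObject is itself deprecated, so use CIM.
    if (-not $uuid) {
        $cs = Get-CimInstance -ClassName Win32_ComputerSystemProduct -ErrorAction SilentlyContinue
        if ($cs) { $uuid = $cs.UUID }
    }

    # 3. Reject placeholders: VMs, cloned images and some OEM boards report
    #    blank, all-F or all-zero UUIDs, which would make every such host
    #    look like the same bot.
    if (-not $uuid) { return $null }
    $hex = ($uuid -replace '-', '').ToUpperInvariant()
    if ($hex.Length -ne 32 -or $hex -match '^(F{32}|0{32})$') { return $null }
    return $uuid
}

function ConvertTo-BotId {
    param([Parameter(Mandatory)][string]$Uuid)
    # SHA-256 rather than MD5: same "no hyphens" effect, no collision debate.
    # Case is normalised first because WMIC and CIM may differ in casing.
    # Output is 64 lowercase hex characters.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($Uuid.ToUpperInvariant())
        $hash  = $sha.ComputeHash($bytes)
    } finally {
        $sha.Dispose()
    }
    return ($hash | ForEach-Object { $_.ToString('x2') }) -join ''
}

$uuid = Get-SystemUuid
if ($uuid) {
    "Bot ID: $(ConvertTo-BotId -Uuid $uuid)"
} else {
    # Fallback when the firmware gives nothing usable: generate a random GUID
    # once and persist it, so the ID is at least stable across runs.
    # Assumed location; use whatever path your implant already keeps state in.
    $store = Join-Path $env:LOCALAPPDATA 'botid.txt'
    if (-not (Test-Path $store)) {
        [guid]::NewGuid().ToString() | Set-Content -Path $store
    }
    $stored = (Get-Content -Path $store -Raw).Trim()
    "Bot ID (persisted fallback): $(ConvertTo-BotId -Uuid $stored)"
}
```

Run it once on a physical box and once inside a fresh VM: the physical host yields a stable 64-character ID every time, while a VM whose firmware reports a placeholder drops into the persisted-GUID branch instead of silently sharing an ID with every other clone of the same image.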
