yoinking UUIDs from windows for malware development

Bot ID’s are fairly important when you’re developing malware and you want to discern one infected host from another. In my mission to develop passable malware (for fun and zero profit, of course) I knew this was something I’d have to work on.

In my web development work, unique identifiers is a fairly simple problem. I tend to use some combination of the timestamp of the creation of the piece of data and a cryptographic hash of some unique point in the data, like so:

post: {
	title: blah,
	desc: blah blah,
	posted: 123456,
	id: 123456_<md5(title+"_"+desc)>
}

With this schema, the only way to get a UUID collision is if the same exact post with the same title and description is posted at the same time, down to the millisecond. This also has the added benefit of adding more useful data to the UUID: you basically get timestamp storage associated with the UUID’s, which means you can sort them fairly easily. This isn’t that useful, just a fun addition.

With malware, it’s a bit different. You have access to the whole OS (in theory) so the things you can create a UUID on are plentiful. I had a couple ideas, initially:

A hash of a C:\ directory listing. Recursively list the whole C:\ directory and then hash that list. Not a horrible idea, but in the case of, say, malware research machines or newer/more sparsely used machines, they’re frequently spun up, nothing is done to change the OS and then the malware is run… so there’s actually a decent chance of UUID collision in that case. Plus recursively listing the whole file system just to create a UUID seemed a bit much.
A timestamp of the initial infection. This one isn’t too bad, honestly, and if I didn’t find the use case I ended up going with, I’d use this one. MS-level timestamps could possibly collide at a large enough scale… but it’s not too likely.
The user ID combined with the public IP combined with the infection timestamp. I didn’t love this because the user ID has a high likelihood of collision, and the IP situation gets hairy in instances where victims are subnetted or are in some non-standard web setup.

So, what is to be done?

Microsoft Likes Money

Turns out, the answer is pretty simple: Microsoft works on a licensing basis, so they’re bound to have some sort of per-system UUID.

wmic csproduct get uuid

This command uses WMIC (Windows Management Instrumentation Command Line Interface… seriously windows???) to grab the UUID for the system. Now, according to Microsoft, WMIC might be deprecated in newer versions of Windows… but who tf is upgrading their Windows distros anyways? Plus, deprecated tools in Windows tend to just… keep working for a long time anyways. I haven’t tested this out, but the article listed above also states you can do this same thing via PowerShell, so I’ll probably just implement a check to see if the WMIC command worked and, if not, run it via PowerShell.

I’m going to hash the UUID from MSFT because honestly I don’t like having hyphens in my UUIDs… it’s an aesthetic choice, mainly.

Check out more malware dev articles!