dissect.util.sid
Module Contents
Functions
- dissect.util.sid.read_sid(fh: Union[BinaryIO, bytes], endian: str = '<') -> str
Read a Windows SID from bytes.
Normally we’d do this with cstruct, but do it with just struct to keep dissect.util dependency-free. On the upside, this also improves performance!
This is equivalent to the following structure:
    typedef struct _SID {
        BYTE Revision;
        BYTE SubAuthorityCount;
        CHAR IdentifierAuthority[6];
        DWORD SubAuthority[SubAuthorityCount];
    } SID;
- Parameters:
fh – A file-like object or bytes object to read the SID from.
endian – Optional endianness for reading the sub authorities.
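The structure above can be decoded with plain struct calls, as in this added example. It is an illustration of the layout, not the dissect.util implementation. The names parse_sid and SAMPLE are hypothetical, the sample bytes are constructed, and the limit of 15 sub authorities is the Windows maximum rather than something stated on this page.

```python
import struct

SID_MAX_SUB_AUTHORITIES = 15  # Windows limit on SubAuthorityCount (assumption, not from this page)


def parse_sid(data: bytes, endian: str = "<") -> str:
    """Decode a binary SID laid out as the _SID structure into S-R-A-S1-S2... form."""
    if len(data) < 8:
        raise ValueError("SID header needs 8 bytes, got %d" % len(data))

    # Revision and SubAuthorityCount are single bytes, so byte order is irrelevant.
    revision, count = struct.unpack_from("BB", data, 0)
    if count > SID_MAX_SUB_AUTHORITIES:
        # An untrusted count drives the read size, so bound it before using it.
        raise ValueError("SubAuthorityCount %d exceeds %d" % (count, SID_MAX_SUB_AUTHORITIES))

    # IdentifierAuthority is a 6-byte big-endian integer regardless of `endian`.
    authority = int.from_bytes(data[2:8], "big")

    need = 8 + 4 * count
    if len(data) < need:
        raise ValueError("truncated SID: need %d bytes, got %d" % (need, len(data)))

    # Only the DWORD sub authorities honour the caller-supplied endianness.
    subs = struct.unpack_from("%s%dI" % (endian, count), data, 8)
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


# Constructed sample: revision 1, 5 sub authorities, authority 5,
# sub authorities 21, 1, 2, 3, 500 stored little-endian.
SAMPLE = bytes.fromhex(
    "01" "05" "000000000005"
    "15000000" "01000000" "02000000" "03000000" "f4010000"
)

if __name__ == "__main__":
    print(parse_sid(SAMPLE))
```

Checking SubAuthorityCount and the buffer length before unpacking matters when SIDs come from untrusted evidence such as carved registry or event log data, where a corrupted count would otherwise cause a misread.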