dissect.util.sid

Module Contents

Functions

read_sid

Read a Windows SID from bytes.

dissect.util.sid.read_sid(fh: BinaryIO | bytes, endian: str = '<') → str

Read a Windows SID from bytes.

Normally we’d do this with cstruct, but do it with just struct to keep dissect.util dependency-free. On the upside, this also improves performance!

This is equivalent to the following structure:

typedef struct _SID {
    BYTE        Revision;
    BYTE        SubAuthorityCount;
    CHAR        IdentifierAuthority[6];
    DWORD       SubAuthority[SubAuthorityCount];
} SID;

Parameters:

• fh – A file-like object or bytes object to read the SID from.

• endian – Optional endianness for reading the sub authorities.