`dissect.util.sid`#

Module Contents#

Functions#

read_sid

Read a Windows SID from bytes.

dissect.util.sid.read_sid(fh: Union[BinaryIO, bytes], endian: str = '<') → str#

Read a Windows SID from bytes.

Normally we’d do this with cstruct, but do it with just struct to keep dissect.util dependency-free. On the upside, this also improves performance!

This is equivalent to the following structure:

typedef struct _SID {
    BYTE        Revision;
    BYTE        SubAuthorityCount;
    CHAR        IdentifierAuthority[6];
    DWORD       SubAuthority[SubAuthorityCount];
} SID;

Parameters:

fh – A file-like object or bytes object to read the SID from.
endian – Optional endianness for reading the sub authorities.

dissect.util.sid#

Module Contents#

Functions#

`dissect.util.sid`#