dissect.util.sid

Module Contents

Functions

read_sid

Read a Windows SID from bytes.

dissect.util.sid.read_sid(fh: BinaryIO | bytes, endian: str = '<') → str

Read a Windows SID from bytes.

Normally we’d do this with cstruct, but do it with just struct to keep dissect.util dependency-free. On the upside, this also improves performance!

This is equivalent to the following structure:

typedef struct _SID {
    BYTE        Revision;
    BYTE        SubAuthorityCount;
    CHAR        IdentifierAuthority[6];
    DWORD       SubAuthority[SubAuthorityCount];
} SID;

Parameters:
  • fh – A file-like object or bytes object to read the SID from.

  • endian – Optional endianness for reading the sub authorities.
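The structure above can be decoded with plain struct as follows. This is an added example, not dissect.util's own implementation; `parse_sid`, `MAX_SUB_AUTHORITIES`, the revision and count checks, and the sample bytes are assumptions made for illustration.

```python
import struct

MAX_SUB_AUTHORITIES = 15  # SID_MAX_SUB_AUTHORITIES in the Windows headers


def parse_sid(data: bytes, endian: str = "<") -> str:
    """Parse a binary SID (layout as in the structure above) into its S-R-I-S... string.

    Hypothetical helper for illustration; it is not dissect.util's read_sid.
    """
    if len(data) < 8:
        raise ValueError(f"SID header needs 8 bytes, got {len(data)}")

    revision, count = struct.unpack_from("BB", data, 0)
    if revision != 1:
        raise ValueError(f"unexpected SID revision {revision}")
    if count > MAX_SUB_AUTHORITIES:
        raise ValueError(f"SubAuthorityCount {count} exceeds {MAX_SUB_AUTHORITIES}")

    # IdentifierAuthority is a 48-bit big-endian integer; `endian` only
    # applies to the sub authorities that follow it.
    authority = int.from_bytes(data[2:8], "big")

    # Check the declared count against the bytes available before unpacking,
    # so a corrupt count produces a clear error instead of a struct.error.
    end = 8 + 4 * count
    if len(data) < end:
        raise ValueError(f"SID truncated: need {end} bytes, got {len(data)}")
    sub_authorities = struct.unpack_from(f"{endian}{count}I", data, 8)

    return "-".join(["S", str(revision), str(authority), *map(str, sub_authorities)])


# Constructed sample: BUILTIN\Administrators (S-1-5-32-544), little-endian.
SAMPLE = bytes.fromhex("01020000000000052000000020020000")

if __name__ == "__main__":
    print(parse_sid(SAMPLE))
```

Bytes after the last sub authority are ignored, so the function also works on a SID embedded at the start of a larger buffer.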