0

I was trying to get pSID from SidStart value of ACCESS_ALLOWED_ACE structure and could not get it for some time.

I found PInvoke for DWORD-aligned handles to memory, but unfortunately I cannot add comments just yet.

The person gets the pSid from ACE pointer offset by 8 as follows (don't mind the "deniedAceIntPtr")

IntPtr tempSid = IntPtr.Add(deniedAceIntPtr, 8);

My question is, where does the 8 come from?

Is it because SidStart in ACCESS_ALLOWED_ACE comes after ACE_HEADER and ACCESS_MASK which are both of 4 bytes? So 4+4=8 and SidStart starts after those two at the IntPtr address of the ACE?

Getting the pSid and later SidString using ConvertSidToStringSidW works for me.

Charlieface
  • 52,284
  • 6
  • 19
  • 43
YellowFrog
  • 13
  • 2

1 Answers1

0

According to ACCESS_DENIED_ACE structure, You can refer to SidStart directly And Yes, sizeof(ACE_HEADER)+sizeof(ACCESS_MASK)=8BYTE.

YangXiaoPo-MSFT
  • 1,589
  • 1
  • 4
  • 22
  • Yeah, I had SidStart in the form of UInt32, but had no idea how to get an actual SID from that. Offsetting the pointer by those 8 bytes gave me a pointer to SID and then I could convert that to SID string. Thanks for confirming. – YellowFrog Jun 17 '22 at 10:53