SID Binary to SID String

[spudw2k]

Recently I was using csvde to execute some LDAP queries on a domain controller to create some reports.  I noticed that when I queried the objectSID, it was returned (output) in binary format instead of the S-#-#-##-### (string) format I needed to compare with.  I found there was a function I could use in the Security.au3 UDF to convert the SID Binary value to the SID String format; however, the example in the help file collected the SID binary value by using another function to lookup an AD object by name.  Since I already had the SID, this "step" was erroneous to me, but I was still required to do some work to make the _Security__SidToStringSid function accept my binary values--namely creating and populating a DLLStruct before using as a parameter for the SidToSTringSid function.  Below is a small illustration of what I did. It wasn't particularly complicated or difficult, but may provide some insight to folks who don't mess/work with DLLStructs much.  Also, my "real" script utilized a lengthy CSV report and parsed it to replace the binary values with the SID strings.  I just wanted to share this snippet.

#include <security.au3>

msgbox(0,"Builtin\Users",_SIDBinaryToStr("01020000000000052000000021020000"))
msgbox(0,"Builtin\Guests",_SIDBinaryToStr("01020000000000052000000022020000"))
msgbox(0,"Domain Users",_SIDBinaryToStr("010500000000000515000000e2ef6c5193efdefff2b6dd4401020000"))

Func _SIDBinaryToStr($hSID)
    Local $tSID = DllStructCreate("byte SID[256]")
    DllStructSetData($tSID, "SID", Binary("0x" & $hSID))

    Local $sStringSID = _Security__SidToStringSid($tSID)
    Return $sStringSID
EndFunc

 

Edited December 25, 2017 by spudw2k

[water]

My AD UDF already has all needed functions to handle SIDs  

[spudw2k]

I would have liked to have used it too, but the environment I was working in is very locked down.  Scripting and non-approved applications are blocked by application control.  Not only are they blocked, but they are alerted and monitored by a SOC. I had to use the tool(s) available to me, extract the data from the network--thankfully I had that luxury at least--, use autoit outside the environment and upload the data back into the network.

Very inefficient, but my only option--at least the quickest one I knew of.

Edited December 25, 2017 by spudw2k

[water]

You have the luxury of a SOC? Great! But they should establish a process to add applications to a whitelist so th efficiency of the company can be enhanced

[spudw2k]

One would hope, but it's senthsitive. What I need to do is build a case for justification.  For some reason efficiency isn't an easy selling point.

Hell, i'd settle for vbscript or powershell, but if I had my druthers, it'd be autoit.

Edited December 25, 2017 by spudw2k

[Earthshine]

nice work spudw2k, you did what you had to but kept it clean