// readSID reads a pointer using the reader then parses the Windows SID
// data that the pointer addresses within the buffer.
func readSID(buffer []byte, reader io.Reader) (*eventlogging.SID, error) {
offset, err := offset(buffer, reader)
if err != nil {
// Ignore NULL values.
if err == ErrorEvtVarTypeNull {
return nil, nil
}
return nil, err
}
sid := (*windows.SID)(unsafe.Pointer(&buffer[offset]))
identifier, err := sid.String()
if err != nil {
return nil, err
}
account, domain, accountType, err := sid.LookupAccount("")
if err != nil {
// Ignore the error and return a partially populated SID.
return &eventlogging.SID{Identifier: identifier}, nil
}
return &eventlogging.SID{
Identifier: identifier,
Name: account,
Domain: domain,
Type: eventlogging.SIDType(accountType),
}, nil
}
// readSID reads a pointer using the reader then parses the Windows SID
// data that the pointer addresses within the buffer.
func readSID(buffer []byte, reader io.Reader) (*eventlogging.SID, error) {
offset, err := offset(buffer, reader)
if err != nil {
// Ignore NULL values.
if err == ErrorEvtVarTypeNull {
return nil, nil
}
return nil, err
}
sid := (*windows.SID)(unsafe.Pointer(&buffer[offset]))
account, domain, accountType, err := sid.LookupAccount("")
if err != nil {
return nil, err
}
return &eventlogging.SID{
Name: account,
Domain: domain,
SIDType: eventlogging.SIDType(accountType),
}, nil
}
