3 Structure Examples

The following is an annotated dump of an encoded PAC, beginning with the AD-IF-RELEVANT structure.

 00000000  30 82 05 52 30 82 05 4e a0 04 02 02 00 80 a1 82  0..R0..N........
 00000010  05 44 04 82 05 40 04 00 00 00 00 00 00 00 01 00  .D...@..........
 00000020  00 00 b0 04 00 00 48 00 00 00 00 00 00 00 0a 00  ......H.........
 00000030  00 00 12 00 00 00 f8 04 00 00 00 00 00 00 06 00  ................
 00000040  00 00 14 00 00 00 10 05 00 00 00 00 00 00 07 00  ................
 00000050  00 00 14 00 00 00 28 05 00 00 00 00 00 00 01 10  ......(.........
 00000060  08 00 cc cc cc cc a0 04 00 00 00 00 00 00 00 00  ................
 00000070  02 00 d1 86 66 0f 65 6a c6 01 ff ff ff ff ff ff  ....f.ej........
 00000080  ff 7f ff ff ff ff ff ff ff 7f 17 d4 39 fe 78 4a  ............9.xJ
 00000090  c6 01 17 94 a3 28 42 4b c6 01 17 54 24 97 7a 81  .....(BK...T$.z.
 000000a0  c6 01 08 00 08 00 04 00 02 00 24 00 24 00 08 00  ..........$.$...
 000000b0  02 00 12 00 12 00 0c 00 02 00 00 00 00 00 10 00  ................
 000000c0  02 00 00 00 00 00 14 00 02 00 00 00 00 00 18 00  ................
 000000d0  02 00 54 10 00 00 97 79 2c 00 01 02 00 00 1a 00  ..T....y,.......
 000000e0  00 00 1c 00 02 00 20 00 00 00 00 00 00 00 00 00  ...... .........
 000000f0  00 00 00 00 00 00 00 00 00 00 16 00 18 00 20 00  .............. .
 00000100  02 00 0a 00 0c 00 24 00 02 00 28 00 02 00 00 00  ......$...(.....
 00000110  00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00  ................
 00000120  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 00000130  00 00 00 00 00 00 0d 00 00 00 2c 00 02 00 00 00  ..........,.....
 00000140  00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00  ................
 00000150  00 00 04 00 00 00 6c 00 7a 00 68 00 75 00 12 00  ......l.z.h.u...
 00000160  00 00 00 00 00 00 12 00 00 00 4c 00 69 00 71 00  ..........L.i.q.
 00000170  69 00 61 00 6e 00 67 00 28 00 4c 00 61 00 72 00  i.a.n.g.(.L.a.r.
 00000180  72 00 79 00 29 00 20 00 5a 00 68 00 75 00 09 00  r.y.). .Z.h.u...
 00000190  00 00 00 00 00 00 09 00 00 00 6e 00 74 00 64 00  ..........n.t.d.
 000001a0  73 00 32 00 2e 00 62 00 61 00 74 00 00 00 00 00  s.2...b.a.t.....
 000001b0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 000001c0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 000001d0  00 00 1a 00 00 00 61 c4 33 00 07 00 00 00 09 c3  ......a.3.......
 000001e0  2d 00 07 00 00 00 5e b4 32 00 07 00 00 00 01 02  -.....^.2.......
 000001f0  00 00 07 00 00 00 97 b9 2c 00 07 00 00 00 2b f1  ........,.....+.
 00000200  32 00 07 00 00 00 ce 30 33 00 07 00 00 00 a7 2e  2......03.......
 00000210  2e 00 07 00 00 00 2a f1 32 00 07 00 00 00 98 b9  ......*.2.......
 00000220  2c 00 07 00 00 00 62 c4 33 00 07 00 00 00 94 01  ,.....b.3.......
 00000230  33 00 07 00 00 00 76 c4 33 00 07 00 00 00 ae fe  3.....v.3.......
 00000240  2d 00 07 00 00 00 32 d2 2c 00 07 00 00 00 16 08  -.....2.,.......
 00000250  32 00 07 00 00 00 42 5b 2e 00 07 00 00 00 5f b4  2.....B[......_.
 00000260  32 00 07 00 00 00 ca 9c 35 00 07 00 00 00 85 44  2.......5......D
 00000270  2d 00 07 00 00 00 c2 f0 32 00 07 00 00 00 e9 ea  -.......2.......
 00000280  31 00 07 00 00 00 ed 8e 2e 00 07 00 00 00 b6 eb  1...............
 00000290  31 00 07 00 00 00 ab 2e 2e 00 07 00 00 00 72 0e  1.............r.
 000002a0  2e 00 07 00 00 00 0c 00 00 00 00 00 00 00 0b 00  ................
 000002b0  00 00 4e 00 54 00 44 00 45 00 56 00 2d 00 44 00  ..N.T.D.E.V.-.D.
 000002c0  43 00 2d 00 30 00 35 00 00 00 06 00 00 00 00 00  C.-.0.5.........
 000002d0  00 00 05 00 00 00 4e 00 54 00 44 00 45 00 56 00  ......N.T.D.E.V.
 000002e0  00 00 04 00 00 00 01 04 00 00 00 00 00 05 15 00  ................
 000002f0  00 00 59 51 b8 17 66 72 5d 25 64 63 3b 0b 0d 00  ..YQ..fr]%dc;...
 00000300  00 00 30 00 02 00 07 00 00 00 34 00 02 00 07 00  ..0.......4.....
 00000310  00 20 38 00 02 00 07 00 00 20 3c 00 02 00 07 00  . 8...... <.....
 00000320  00 20 40 00 02 00 07 00 00 20 44 00 02 00 07 00  . @...... D.....
 00000330  00 20 48 00 02 00 07 00 00 20 4c 00 02 00 07 00  . H...... L.....
 00000340  00 20 50 00 02 00 07 00 00 20 54 00 02 00 07 00  . P...... T.....
 00000350  00 20 58 00 02 00 07 00 00 20 5c 00 02 00 07 00  . X...... \.....
 00000360  00 20 60 00 02 00 07 00 00 20 05 00 00 00 01 05  . `...... ......
 00000370  00 00 00 00 00 05 15 00 00 00 b9 30 1b 2e b7 41  ...........0...A
 00000380  4c 6c 8c 3b 35 15 01 02 00 00 05 00 00 00 01 05  Ll.;5...........
 00000390  00 00 00 00 00 05 15 00 00 00 59 51 b8 17 66 72  ..........YQ..fr
 000003a0  5d 25 64 63 3b 0b 74 54 2f 00 05 00 00 00 01 05  ]%dc;.tT/.......
 000003b0  00 00 00 00 00 05 15 00 00 00 59 51 b8 17 66 72  ..........YQ..fr
 000003c0  5d 25 64 63 3b 0b e8 38 32 00 05 00 00 00 01 05  ]%dc;..82.......
 000003d0  00 00 00 00 00 05 15 00 00 00 59 51 b8 17 66 72  ..........YQ..fr
 000003e0  5d 25 64 63 3b 0b cd 38 32 00 05 00 00 00 01 05  ]%dc;..82.......
 000003f0  00 00 00 00 00 05 15 00 00 00 59 51 b8 17 66 72  ..........YQ..fr
 00000400  5d 25 64 63 3b 0b 5d b4 32 00 05 00 00 00 01 05  ]%dc;.].2.......
 00000410  00 00 00 00 00 05 15 00 00 00 59 51 b8 17 66 72  ..........YQ..fr
 00000420  5d 25 64 63 3b 0b 41 16 35 00 05 00 00 00 01 05  ]%dc;.A.5.......
 00000430  00 00 00 00 00 05 15 00 00 00 59 51 b8 17 66 72  ..........YQ..fr
 00000440  5d 25 64 63 3b 0b e8 ea 31 00 05 00 00 00 01 05  ]%dc;...1.......
 00000450  00 00 00 00 00 05 15 00 00 00 59 51 b8 17 66 72  ..........YQ..fr
 00000460  5d 25 64 63 3b 0b c1 19 32 00 05 00 00 00 01 05  ]%dc;...2.......
 00000470  00 00 00 00 00 05 15 00 00 00 59 51 b8 17 66 72  ..........YQ..fr
 00000480  5d 25 64 63 3b 0b 29 f1 32 00 05 00 00 00 01 05  ]%dc;.).2.......
 00000490  00 00 00 00 00 05 15 00 00 00 59 51 b8 17 66 72  ..........YQ..fr
 000004a0  5d 25 64 63 3b 0b 0f 5f 2e 00 05 00 00 00 01 05  ]%dc;.._........
 000004b0  00 00 00 00 00 05 15 00 00 00 59 51 b8 17 66 72  ..........YQ..fr
 000004c0  5d 25 64 63 3b 0b 2f 5b 2e 00 05 00 00 00 01 05  ]%dc;./[........
 000004d0  00 00 00 00 00 05 15 00 00 00 59 51 b8 17 66 72  ..........YQ..fr
 000004e0  5d 25 64 63 3b 0b ef 8f 31 00 05 00 00 00 01 05  ]%dc;...1.......
 000004f0  00 00 00 00 00 05 15 00 00 00 59 51 b8 17 66 72  ..........YQ..fr
 00000500  5d 25 64 63 3b 0b 07 5f 2e 00 00 00 00 00 00 49  ]%dc;.._.......I
 00000510  d9 0e 65 6a c6 01 08 00 6c 00 7a 00 68 00 75 00  ..ej....l.z.h.u.
 00000520  00 00 00 00 00 00 76 ff ff ff 41 ed ce 9a 34 81  ......v...A...4.
 00000530  5d 3a ef 7b c9 88 74 80 5d 25 00 00 00 00 76 ff  ]:.{..t.]%....v.
 00000540  ff ff f7 a5 34 da b2 c0 29 86 ef e0 fb e5 11 0a  ....4...).......
 00000550  4f 32 00 00 00 00                                O2....

The encoded PAC leads with the AuthorizationData structure ([RFC4120] section 5.2.6), the AD-IF-RELEVANT structure, and the AD-WIN2K-PAC authorization data type, as a sort of general prefix in ASN.1 and basic encoding rules (BER) encoding:

 00000000  30 82 05 52 30 82 05 4e a0 04 02 02 00 80 a1 82  0..R0..N........
 00000010  05 44 04 82 05 40                                .D...@

Following that is the serialized PACTYPE (section 2.3) structure. Note that the PACTYPE structure is not NDR-encoded. The first field is the cBuffers field, in little-endian order:

 00000010                    04 00 00 00                          ....     

In this example the cBuffers field indicates four PAC_INFO_BUFFER (section 2.4) structures follow later in the Buffers array field. The next field is the Version field, which is set to 0x00000000:

 00000010                                00 00 00 00                  ....

The next element is the first of the four PAC_INFO_BUFFER structures:

 00000010                                            01 00                ..
 00000020  00 00 b0 04 00 00 48 00 00 00 00 00 00 00        ......H.......

This first PAC_INFO_BUFFER is serialized with ulType in bytes 0x1E through 0x21, containing a little-endian encoding of 0x00000001, or logon information (see KERB_VALIDATION_INFO (section 2.5)). The next field, in bytes 0x22 through 0x25, is the cbBufferSize field, containing a little-endian value of 0x000004B0. Finally, the Offset field, a 64-bit field, is in bytes 0x26 through 0x2D. The offset value here is 0x00000000'00000048. Computing from the beginning of the PACTYPE structure, this indicates that the data for this element is 0x00000016 + 0x00000048, or 0x0000005E.

Following the first PAC_INFO_BUFFER structure are three more PAC_INFO_BUFFER structures:

 00000020                                            0a 00                ..
 00000030  00 00 12 00 00 00 f8 04 00 00 00 00 00 00 06 00  ................
 00000040  00 00 14 00 00 00 10 05 00 00 00 00 00 00 07 00  ................
 00000050  00 00 14 00 00 00 28 05 00 00 00 00 00 00        ......(.......

These correspond to PAC_INFO_BUFFER structures with ulType 0x0000000A, 0x00000006, and 0x00000007, or client information (see PAC_CLIENT_INFO (section 2.7)) and two signature data structures (see PAC_SIGNATURE_DATA (section 2.8)) , respectively. They point to the actual contents at offset (0x00000016 + 0x000004F8), (0x00000016 + 0x00000510), and (0x00000016+0x00000528).

Show: