it's odd, innit? you start to explore and go "uh, duh, _that's_ what that's for". there are a number of places in the NT services that i network-reverse-engineered six years ago where i was thinking, "hm, that's not NDR-formatted..." and had to continue anyway bumbling along. the areas i encountered which were most definitely _not_ NDR-formatted, despite appearances, were: 1) Security Descriptors 2) Spoolss (spoolss.idl) Data Structures (usually in case statements with horribly large unions) 3) Service Control Manager (svcctl.idl) security descriptors that i encountered contained relative offsets of members in the structure where it _mattered_ what the offset value was, and the same thing i encountered in spoolss data. unlike NDR, pointers are tokens: if it's non-zero, it's a pointer, and the data can be "expected" at a known point because the order in which structures are added is well-defined. [no i know i haven't mentioned the difference between ptr and unique] what i believe may be being used is "transmit_as" - see an example code from entegrity.com at: http://support.entegrity.com/private/doclib/docs/osfhtm/develop/apgstyle/Apg... so, to follow the guidance and examples at the above link, to send a Security Descriptor you would create this: typedef struct { int size; [ptr, size_is(size)] *security_descriptor_blob; } SECURITY_DESCRIPTOR_BLOB; then you would do this typedef [transmit_as(SECURITY_DESCRIPTOR_BLOB)] PSECURITY_DESCRIPTOR; and then, magically, you can do THIS: NTSTATUS SamrGetSecurityDescriptor(handle_t *hnd, [in, ref] PSECURITY_DESCRIPTOR); and in the server-side thing you'd define: void PSECURITY_DESCRIPTOR_to_xmit(PSECURITY_DESCRIPTOR *sec_des, SECURITY_DESCRIPTOR_BLOB *blob) { blob->size = get_security_descriptor_actual_size(sec_des); blob->data = malloc(blob_size); memcpy(blob->data, get_security_descriptor_blob(sec_des), blob->size); } not forgetting to do this! void PSECURITY_DESCRIPTOR_free_xmit( SECURITY_DESCRIPTOR_BLOB *blob) { free(blob->data); } and i think that's just _so_ cool. only took six years to realise it's possible. ... and i'd be fascinated to know if it's _right_ :) l. -- -- <a href="http://lkcl.net">http://lkcl.net</a> --