strings Command
The strings command extracts printable character sequences from binary files. It searches through files and displays sequences of printable characters that are at least 4 characters long by default, making it useful for analyzing binary files, executables, and other non-text files.
Syntax
strings [OPTIONS] [FILES...]
Description
The strings command is part of the GNU Binutils package and is used to extract readable text from binary files. It scans files for sequences of printable characters and displays them, which is particularly useful for reverse engineering, malware analysis, and understanding the contents of compiled programs.
Key features:
- Extract printable strings from binary files
- Configurable minimum string length
- Support for different character encodings
- Display file offsets for located strings
- Filter strings by various criteria
- Process multiple files simultaneously
Note: By default, strings looks for sequences of at least 4 printable characters. This can be adjusted with the -n option.
Common Options
| Option |
Description |
-n min-len |
Set minimum string length (default is 4) |
-o |
Display offset of each string in the file |
-t format |
Display offset in specified format (o=octal, d=decimal, x=hex) |
-f |
Display filename before each string |
-a |
Scan entire file (default for non-object files) |
-d |
Scan only initialized data sections of object files |
-e encoding |
Select character encoding (s=7-bit, S=8-bit, b=16-bit big-endian, l=16-bit little-endian) |
-T bfdname |
Specify object file format |
-w |
Include whitespace as valid string characters |
--help |
Display help message |
--version |
Display version information |
Examples
Basic string extraction
strings /bin/ls
Extract all printable strings from the ls binary
Set minimum string length
strings -n 8 /bin/ls
Show only strings that are 8 characters or longer
Display file offsets
strings -o /bin/ls
Show the offset of each string in the file
Display offsets in hexadecimal
strings -t x /bin/ls
Show offsets in hexadecimal format
Include filename in output
strings -f /bin/* | head -20
Show filename before each string when processing multiple files
Search for specific patterns
strings /bin/ls | grep -i error
Extract strings and filter for error messages
Analyze with different encodings
strings -e l /path/to/file
Extract 16-bit little-endian strings
Save output to file
strings -n 6 /bin/ls > ls_strings.txt
Save extracted strings to a file
Understanding strings Output
Basic Output Format
$ strings -n 6 /bin/echo
/lib64/ld-linux-x86-64.so.2
libc.so.6
puts
__cxa_finalize
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
AWAVI
AUATL
[]A\A]A^A_
Usage: %s [OPTION]... [STRING]...
Echo the STRINGs to standard output.
display this help and exit
output version information and exit
Example output showing various strings found in the echo binary
Output with Offsets
$ strings -o -n 10 /bin/echo | head -10
664 /lib64/ld-linux-x86-64.so.2
4104 libc.so.6
4120 __cxa_finalize
4139 __libc_start_main
4157 GLIBC_2.2.5
4169 _ITM_deregisterTMCloneTable
4193 __gmon_start__
4208 _ITM_registerTMCloneTable
8304 Usage: %s [OPTION]... [STRING]...
8340 Echo the STRINGs to standard output.
Output showing decimal offsets where strings are located
Output with Filenames
$ strings -f -n 15 /bin/echo /bin/cat | head -5
/bin/echo: /lib64/ld-linux-x86-64.so.2
/bin/echo: __cxa_finalize
/bin/echo: __libc_start_main
/bin/echo: _ITM_deregisterTMCloneTable
/bin/echo: _ITM_registerTMCloneTable
Output showing filenames when processing multiple files
Practical Use Cases
Reverse Engineering
Analyze binary executables
# Extract strings from executable
strings -n 8 /path/to/binary
# Look for function names and error messages
strings /path/to/binary | grep -E "(error|warning|debug)"
# Find version information
strings /path/to/binary | grep -i version
Analyze compiled programs to understand functionality
Find embedded URLs and paths
# Look for URLs
strings /path/to/binary | grep -E "https?://"
# Find file paths
strings /path/to/binary | grep -E "^/"
# Look for configuration files
strings /path/to/binary | grep -E "\.(conf|cfg|ini|xml|json)$"
Extract embedded URLs, file paths, and configuration references
Security Analysis
Malware analysis
# Extract strings from suspicious file
strings -n 6 suspicious_file > strings_output.txt
# Look for suspicious patterns
strings suspicious_file | grep -i -E "(password|key|crypto|backdoor)"
# Find network indicators
strings suspicious_file | grep -E "([0-9]{1,3}\.){3}[0-9]{1,3}"
Analyze potentially malicious files for indicators
Find hardcoded credentials
# Look for potential passwords
strings /path/to/binary | grep -i -E "(password|passwd|pwd|secret|key)"
# Find database connection strings
strings /path/to/binary | grep -i -E "(database|mysql|postgres|mongodb)"
# Look for API keys
strings /path/to/binary | grep -E "[A-Za-z0-9]{20,}"
Search for hardcoded credentials and sensitive information
File Format Analysis
Analyze unknown file formats
# Extract strings from unknown file
strings -a unknown_file
# Look for file format signatures
strings unknown_file | head -10
# Find metadata
strings unknown_file | grep -i -E "(author|creator|software|version)"
Understand unknown file formats by examining embedded strings
Extract metadata from images
# Extract strings from image files
strings image.jpg | grep -i -E "(camera|software|date|gps)"
# Look for EXIF data
strings -n 3 image.jpg | grep -E "[0-9]{4}:[0-9]{2}:[0-9]{2}"
# Find embedded comments
strings image.jpg | grep -i comment
Extract metadata and embedded information from image files
Advanced Usage
Character Encoding Options
Different encoding formats
# 7-bit ASCII (default)
strings -e s /path/to/file
# 8-bit ASCII
strings -e S /path/to/file
# 16-bit big-endian
strings -e b /path/to/file
# 16-bit little-endian
strings -e l /path/to/file
Extract strings using different character encodings
Object File Analysis
Analyze specific sections
# Scan only data sections
strings -d /path/to/object.o
# Scan entire file
strings -a /path/to/object.o
# Specify object format
strings -T elf32-i386 /path/to/file
Analyze specific sections of object files
Filtering and Processing
Advanced filtering
# Filter by length and content
strings -n 10 /bin/ls | grep -v "^[[:space:]]*$" | sort -u
# Find strings with specific patterns
strings /path/to/file | grep -E "^[A-Z][a-z]+$"
# Extract only printable ASCII
strings /path/to/file | grep -E "^[[:print:]]+$"
Apply advanced filtering to extracted strings
Statistical analysis
# Count strings by length
strings /bin/ls | awk '{print length}' | sort -n | uniq -c
# Most common strings
strings /bin/ls | sort | uniq -c | sort -nr | head -10
# Character frequency analysis
strings /bin/ls | tr -d '\n' | fold -w1 | sort | uniq -c | sort -nr
Perform statistical analysis on extracted strings
Scripting Examples
Automated Analysis Scripts
Binary analysis script
#!/bin/bash
BINARY="$1"
if [ -z "$BINARY" ]; then
echo "Usage: $0 "
exit 1
fi
echo "=== Binary Analysis: $BINARY ==="
echo "File type: $(file "$BINARY")"
echo "Size: $(stat -c%s "$BINARY") bytes"
echo
echo "=== String Statistics ==="
TOTAL=$(strings "$BINARY" | wc -l)
LONG=$(strings -n 20 "$BINARY" | wc -l)
echo "Total strings: $TOTAL"
echo "Long strings (20+ chars): $LONG"
echo
echo "=== Interesting Strings ==="
echo "URLs:"
strings "$BINARY" | grep -E "https?://" | head -5
echo
echo "File paths:"
strings "$BINARY" | grep -E "^/" | head -5
echo
echo "Potential errors:"
strings "$BINARY" | grep -i error | head -3
Comprehensive binary analysis script
Malware triage script
#!/bin/bash
SAMPLE="$1"
OUTPUT_DIR="analysis_$(basename "$SAMPLE")_$(date +%Y%m%d_%H%M%S)"
mkdir -p "$OUTPUT_DIR"
echo "Analyzing: $SAMPLE"
echo "Output directory: $OUTPUT_DIR"
# Extract all strings
strings -n 4 "$SAMPLE" > "$OUTPUT_DIR/all_strings.txt"
# Extract long strings
strings -n 15 "$SAMPLE" > "$OUTPUT_DIR/long_strings.txt"
# Look for indicators
strings "$SAMPLE" | grep -i -E "(password|key|crypto)" > "$OUTPUT_DIR/crypto_strings.txt"
strings "$SAMPLE" | grep -E "([0-9]{1,3}\.){3}[0-9]{1,3}" > "$OUTPUT_DIR/ip_addresses.txt"
strings "$SAMPLE" | grep -E "https?://" > "$OUTPUT_DIR/urls.txt
">
echo "Analysis complete. Results saved in: $OUTPUT_DIR"
Automated malware triage and string extraction
Troubleshooting
Common Issues
No strings found
# Check if file exists and is readable
ls -la /path/to/file
# Try with lower minimum length
strings -n 1 /path/to/file
# Try different encodings
strings -e l /path/to/file # 16-bit little-endian
strings -e b /path/to/file # 16-bit big-endian
Troubleshoot when no strings are extracted
Too many strings
# Increase minimum length
strings -n 10 /path/to/file
# Filter out common patterns
strings /path/to/file | grep -v -E "^[[:space:]]*$|^.$"
# Focus on meaningful strings
strings /path/to/file | grep -E "[a-zA-Z]{5,}"
Handle cases with too much output
Binary format issues
# Check file format
file /path/to/file
# Force scanning entire file
strings -a /path/to/file
# Try different object formats
strings -T elf64-x86-64 /path/to/file
Handle different binary formats and architectures
Best Practices
strings Command Best Practices
- Set Appropriate Length - Use -n to filter out noise and focus on meaningful strings
- Use Offsets - Include -o or -t options to locate strings within files
- Try Different Encodings - Test various character encodings for comprehensive analysis
- Combine with Other Tools - Use with grep, sort, and uniq for better analysis
- Save Results - Store output for later analysis and comparison
- Security Considerations - Be cautious when analyzing potentially malicious files