strings Command

The strings command extracts printable character sequences from binary files. It searches through files and displays sequences of printable characters that are at least 4 characters long by default, making it useful for analyzing binary files, executables, and other non-text files.

Syntax

strings [OPTIONS] [FILES...]

Description

The strings command is part of the GNU Binutils package and is used to extract readable text from binary files. It scans files for sequences of printable characters and displays them, which is particularly useful for reverse engineering, malware analysis, and understanding the contents of compiled programs.

Key features:

  • Extract printable strings from binary files
  • Configurable minimum string length
  • Support for different character encodings
  • Display file offsets for located strings
  • Filter strings by various criteria
  • Process multiple files simultaneously
Note: By default, strings looks for sequences of at least 4 printable characters. This can be adjusted with the -n option.

Common Options

Option Description
-n min-len Set minimum string length (default is 4)
-o Display offset of each string in the file
-t format Display offset in specified format (o=octal, d=decimal, x=hex)
-f Display filename before each string
-a Scan entire file (default for non-object files)
-d Scan only initialized data sections of object files
-e encoding Select character encoding (s=7-bit, S=8-bit, b=16-bit big-endian, l=16-bit little-endian)
-T bfdname Specify object file format
-w Include whitespace as valid string characters
--help Display help message
--version Display version information

Examples

Basic string extraction

strings /bin/ls

Extract all printable strings from the ls binary

Set minimum string length

strings -n 8 /bin/ls

Show only strings that are 8 characters or longer

Display file offsets

strings -o /bin/ls

Show the offset of each string in the file

Display offsets in hexadecimal

strings -t x /bin/ls

Show offsets in hexadecimal format

Include filename in output

strings -f /bin/* | head -20

Show filename before each string when processing multiple files

Search for specific patterns

strings /bin/ls | grep -i error

Extract strings and filter for error messages

Analyze with different encodings

strings -e l /path/to/file

Extract 16-bit little-endian strings

Save output to file

strings -n 6 /bin/ls > ls_strings.txt

Save extracted strings to a file

Understanding strings Output

Basic Output Format

$ strings -n 6 /bin/echo /lib64/ld-linux-x86-64.so.2 libc.so.6 puts __cxa_finalize __libc_start_main GLIBC_2.2.5 _ITM_deregisterTMCloneTable __gmon_start__ _ITM_registerTMCloneTable AWAVI AUATL []A\A]A^A_ Usage: %s [OPTION]... [STRING]... Echo the STRINGs to standard output. display this help and exit output version information and exit

Example output showing various strings found in the echo binary

Output with Offsets

$ strings -o -n 10 /bin/echo | head -10 664 /lib64/ld-linux-x86-64.so.2 4104 libc.so.6 4120 __cxa_finalize 4139 __libc_start_main 4157 GLIBC_2.2.5 4169 _ITM_deregisterTMCloneTable 4193 __gmon_start__ 4208 _ITM_registerTMCloneTable 8304 Usage: %s [OPTION]... [STRING]... 8340 Echo the STRINGs to standard output.

Output showing decimal offsets where strings are located

Output with Filenames

$ strings -f -n 15 /bin/echo /bin/cat | head -5 /bin/echo: /lib64/ld-linux-x86-64.so.2 /bin/echo: __cxa_finalize /bin/echo: __libc_start_main /bin/echo: _ITM_deregisterTMCloneTable /bin/echo: _ITM_registerTMCloneTable

Output showing filenames when processing multiple files

Practical Use Cases

Reverse Engineering

Analyze binary executables

# Extract strings from executable strings -n 8 /path/to/binary # Look for function names and error messages strings /path/to/binary | grep -E "(error|warning|debug)" # Find version information strings /path/to/binary | grep -i version

Analyze compiled programs to understand functionality

Find embedded URLs and paths

# Look for URLs strings /path/to/binary | grep -E "https?://" # Find file paths strings /path/to/binary | grep -E "^/" # Look for configuration files strings /path/to/binary | grep -E "\.(conf|cfg|ini|xml|json)$"

Extract embedded URLs, file paths, and configuration references

Security Analysis

Malware analysis

# Extract strings from suspicious file strings -n 6 suspicious_file > strings_output.txt # Look for suspicious patterns strings suspicious_file | grep -i -E "(password|key|crypto|backdoor)" # Find network indicators strings suspicious_file | grep -E "([0-9]{1,3}\.){3}[0-9]{1,3}"

Analyze potentially malicious files for indicators

Find hardcoded credentials

# Look for potential passwords strings /path/to/binary | grep -i -E "(password|passwd|pwd|secret|key)" # Find database connection strings strings /path/to/binary | grep -i -E "(database|mysql|postgres|mongodb)" # Look for API keys strings /path/to/binary | grep -E "[A-Za-z0-9]{20,}"

Search for hardcoded credentials and sensitive information

File Format Analysis

Analyze unknown file formats

# Extract strings from unknown file strings -a unknown_file # Look for file format signatures strings unknown_file | head -10 # Find metadata strings unknown_file | grep -i -E "(author|creator|software|version)"

Understand unknown file formats by examining embedded strings

Extract metadata from images

# Extract strings from image files strings image.jpg | grep -i -E "(camera|software|date|gps)" # Look for EXIF data strings -n 3 image.jpg | grep -E "[0-9]{4}:[0-9]{2}:[0-9]{2}" # Find embedded comments strings image.jpg | grep -i comment

Extract metadata and embedded information from image files

Advanced Usage

Character Encoding Options

Different encoding formats

# 7-bit ASCII (default) strings -e s /path/to/file # 8-bit ASCII strings -e S /path/to/file # 16-bit big-endian strings -e b /path/to/file # 16-bit little-endian strings -e l /path/to/file

Extract strings using different character encodings

Object File Analysis

Analyze specific sections

# Scan only data sections strings -d /path/to/object.o # Scan entire file strings -a /path/to/object.o # Specify object format strings -T elf32-i386 /path/to/file

Analyze specific sections of object files

Filtering and Processing

Advanced filtering

# Filter by length and content strings -n 10 /bin/ls | grep -v "^[[:space:]]*$" | sort -u # Find strings with specific patterns strings /path/to/file | grep -E "^[A-Z][a-z]+$" # Extract only printable ASCII strings /path/to/file | grep -E "^[[:print:]]+$"

Apply advanced filtering to extracted strings

Statistical analysis

# Count strings by length strings /bin/ls | awk '{print length}' | sort -n | uniq -c # Most common strings strings /bin/ls | sort | uniq -c | sort -nr | head -10 # Character frequency analysis strings /bin/ls | tr -d '\n' | fold -w1 | sort | uniq -c | sort -nr

Perform statistical analysis on extracted strings

Scripting Examples

Automated Analysis Scripts

Binary analysis script

#!/bin/bash BINARY="$1" if [ -z "$BINARY" ]; then echo "Usage: $0 " exit 1 fi echo "=== Binary Analysis: $BINARY ===" echo "File type: $(file "$BINARY")" echo "Size: $(stat -c%s "$BINARY") bytes" echo echo "=== String Statistics ===" TOTAL=$(strings "$BINARY" | wc -l) LONG=$(strings -n 20 "$BINARY" | wc -l) echo "Total strings: $TOTAL" echo "Long strings (20+ chars): $LONG" echo echo "=== Interesting Strings ===" echo "URLs:" strings "$BINARY" | grep -E "https?://" | head -5 echo echo "File paths:" strings "$BINARY" | grep -E "^/" | head -5 echo echo "Potential errors:" strings "$BINARY" | grep -i error | head -3

Comprehensive binary analysis script

Malware triage script

#!/bin/bash SAMPLE="$1" OUTPUT_DIR="analysis_$(basename "$SAMPLE")_$(date +%Y%m%d_%H%M%S)" mkdir -p "$OUTPUT_DIR" echo "Analyzing: $SAMPLE" echo "Output directory: $OUTPUT_DIR" # Extract all strings strings -n 4 "$SAMPLE" > "$OUTPUT_DIR/all_strings.txt" # Extract long strings strings -n 15 "$SAMPLE" > "$OUTPUT_DIR/long_strings.txt" # Look for indicators strings "$SAMPLE" | grep -i -E "(password|key|crypto)" > "$OUTPUT_DIR/crypto_strings.txt" strings "$SAMPLE" | grep -E "([0-9]{1,3}\.){3}[0-9]{1,3}" > "$OUTPUT_DIR/ip_addresses.txt" strings "$SAMPLE" | grep -E "https?://" > "$OUTPUT_DIR/urls.txt "> echo "Analysis complete. Results saved in: $OUTPUT_DIR"

Automated malware triage and string extraction

Troubleshooting

Common Issues

No strings found

# Check if file exists and is readable ls -la /path/to/file # Try with lower minimum length strings -n 1 /path/to/file # Try different encodings strings -e l /path/to/file # 16-bit little-endian strings -e b /path/to/file # 16-bit big-endian

Troubleshoot when no strings are extracted

Too many strings

# Increase minimum length strings -n 10 /path/to/file # Filter out common patterns strings /path/to/file | grep -v -E "^[[:space:]]*$|^.$" # Focus on meaningful strings strings /path/to/file | grep -E "[a-zA-Z]{5,}"

Handle cases with too much output

Binary format issues

# Check file format file /path/to/file # Force scanning entire file strings -a /path/to/file # Try different object formats strings -T elf64-x86-64 /path/to/file

Handle different binary formats and architectures

Best Practices

strings Command Best Practices
  • Set Appropriate Length - Use -n to filter out noise and focus on meaningful strings
  • Use Offsets - Include -o or -t options to locate strings within files
  • Try Different Encodings - Test various character encodings for comprehensive analysis
  • Combine with Other Tools - Use with grep, sort, and uniq for better analysis
  • Save Results - Store output for later analysis and comparison
  • Security Considerations - Be cautious when analyzing potentially malicious files

See also