LinuxCommandLibrary

strings

Find printable strings in binary files

TLDR

Print all strings in a binary

$ strings [path/to/file]

Limit results to strings at least n characters long

$ strings -n [n] [path/to/file]

Prefix each result with its offset within the file

$ strings -t d [path/to/file]

Prefix each result with its offset within the file in hexadecimal

$ strings -t x [path/to/file]

SYNOPSIS

strings [options] file(s)

PARAMETERS

-a or --all
    Scan the entire file, regardless of section headers.

-f or --print-file-name
    Print the name of the file before each string.

-n length or --bytes=length
    Specify the minimum string length (default is usually 4).

-t radix or --radix=radix
    Show the offset within the file before each string. radix can be 'o' (octal), 'x' (hexadecimal), or 'd' (decimal).

-e encoding or --encoding=encoding
    Select a character encoding ('s' for single-7-bit-byte, 'S' for single-8-bit-byte, 'b' for 16-bit big-endian, 'l' for 16-bit little-endian, 'B' for 32-bit big-endian, 'L' for 32-bit little-endian).

-o
    Equivalent to -t o (octal).

-T bfdname or --target=bfdname
    Specify a binary file format (instead of the default ELF). Useful when processing raw or unknown file formats.

--help
    Display help information.

--version
    Display version information.

@file
    Read options from file.

DESCRIPTION

The strings command in Linux is a utility used to extract and display printable character sequences embedded within binary files or other non-text files. This is useful for identifying potentially human-readable text within executables, object files, libraries, core dumps, and other data files. By default, it searches for ASCII strings of at least a certain length (usually 4 characters). The command can be customized to search for different character encodings and minimum string lengths, aiding in tasks such as reverse engineering, malware analysis, and simply understanding the contents of unfamiliar files. It ignores non-printable characters and often reveals important information like error messages, version strings, or configuration settings hidden within the file.

CAVEATS

The strings command relies on heuristics to identify printable strings. It may produce false positives (sequences of bytes that appear to be strings but are not meaningful). The results are only as good as the minimum length and encoding settings used.
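How the minimum-length and encoding settings change what is found, shown on a constructed sample file. This is an added example, not part of the original page; it assumes GNU binutils strings, and the helper names (to_utf16le, make_sample, scan_ascii, scan_utf16le), the file contents and the example.test URL are made up for illustration.

```shell
#!/bin/sh
# Added example: the sample blob is constructed here, it is not a real binary.

# Emit $1 as UTF-16LE: every ASCII character followed by a NUL byte.
to_utf16le() {
    s=$1
    while [ -n "$s" ]; do
        rest=${s#?}
        printf '%s\000' "${s%"$rest"}"   # first character of $s, then NUL
        s=$rest
    done
}

# Write a 69-byte constructed blob to the path given in $1.
make_sample() {
    {
        printf '\001\002\003\004'          # 0x00: non-printable bytes
        printf 'http://example.test/c2'    # 0x04: 22-character ASCII string
        printf '\377\376'                  # 0x1a: two non-printable bytes
        to_utf16le 'wide-config-value'     # 0x1c: UTF-16LE string
        printf '\001\002abc\001\177'       # 0x40: 3-character ASCII string
    } > "$1"
}

# 7-bit scan (the default encoding) of the whole file with hex offsets.
# $2 is the minimum length, 4 if omitted.
scan_ascii() { strings -a -t x -n "${2:-4}" "$1"; }

# The same scan for 16-bit little-endian characters.
scan_utf16le() { strings -a -t x -e l "$1"; }

sample=$(mktemp)
make_sample "$sample"
echo '--- 7-bit, minimum length 4 (defaults)'; scan_ascii "$sample"
echo '--- 7-bit, minimum length 3';            scan_ascii "$sample" 3
echo '--- 16-bit little-endian';               scan_utf16le "$sample"
rm -f "$sample"
```

The UTF-16LE string appears only with -e l and the 3-character string only with -n 3, so a single run with default settings misses both.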

USE CASES

Malware Analysis: Analyzing malware samples for embedded URLs, function names, or configuration settings.
Reverse Engineering: Examining compiled programs to understand their functionality.
Data Recovery: Extracting potentially recoverable text from corrupted files or disk images.
Configuration File Analysis: Inspecting configuration files to see unencrypted data or hidden settings.
Software Version Identification: Finding the version information compiled into executables.

HISTORY

The strings command has been a part of Unix-like operating systems for a long time, dating back to early versions of Unix. It has evolved over time, with improvements in encoding support and option handling to handle a wider variety of file formats and character sets. Its basic functionality, however, has remained consistent: to extract human-readable text from binary files.

SEE ALSO

nm(1), objdump(1), readelf(1)
