LinuxCommandLibrary

strings

Find printable strings in binary files

TLDR

Print all strings in a binary

$ strings [path/to/file]

Limit results to strings at least n characters long
$ strings [[-n|--bytes]] [n] [path/to/file]

Prefix each result with its offset within the file
$ strings [[-t|--radix]] d [path/to/file]

Prefix each result with its offset within the file in hexadecimal
$ strings [[-t|--radix]] x [path/to/file]

SYNOPSIS

strings [options] [file...]

PARAMETERS

-a, --all
    Scan the entire file, not just initialized data sections within object files.

-f, --print-file-name
    Print the name of the file before each string found.

-n number, --bytes=number
    Look for sequences of at least number printable characters (default is 4).

-o
    Same as -t d. Print the offset of each string in the file in decimal.

-t format, --radix=format
    Print the offset of each string in the specified format: o (octal), x (hexadecimal), or d (decimal).

-e encoding, --encoding=encoding
    Select the character encoding. Common options include: s (7-bit ASCII), S (8-bit ASCII), b (16-bit big-endian Unicode), l (16-bit little-endian Unicode), B (32-bit big-endian Unicode), L (32-bit little-endian Unicode).

--help
    Display a help message and exit.

--version
    Display version information and exit.

DESCRIPTION

The strings Linux command is a utility designed to extract sequences of printable characters from binary files, such as executables, object files, core dumps, or raw data files. By default, it searches for sequences of at least four printable characters terminated by a newline or null character.

It is an invaluable tool for reverse engineering, digital forensics, and debugging, as it can reveal embedded text messages, version numbers, configuration strings, URLs, or error messages that are otherwise hidden within non-textual data. For instance, one might use it to quickly identify copyright notices or internal command strings in an unfamiliar binary.

strings can search across an entire file or limit its scan to specific initialized data sections of object files. It also supports various character encodings, including different byte orders for Unicode, making it versatile for inspecting diverse data types. While simple, its power lies in providing a quick glimpse into the human-readable content potentially contained within compiled code or arbitrary data streams, offering crucial clues without requiring complex disassemblers or debuggers.

CAVEATS

The output can be voluminous, often requiring piping to filtering commands like grep.
It may produce false positives by interpreting random byte sequences as valid strings.
It does not understand data structures or context, only raw byte patterns matching printable characters.
It might miss strings if they don't adhere to the specified length, encoding, or termination criteria.
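
The length and encoding caveats above, shown as an added example (not part of the original page): a constructed sample file is scanned once with the default single-byte encoding and once with `-e l`. It assumes GNU Binutils strings; the sample bytes and the function names `make_sample`, `tag` and `scan_both` are made up for illustration.

```shell
#!/bin/sh
# Added example. Assumes GNU Binutils strings; the sample bytes and the
# function names below are constructed for illustration.

# make_sample FILE: write a small constructed blob.
make_sample() {
    {
        printf '\001\002\003\004'                    # offset 0x00: non-printable padding
        printf 'http://example.invalid/update\000'   # offset 0x04: ASCII string
        printf 'abc\000'                             # offset 0x22: shorter than the default minimum (4)
        printf '\001\002'                            # offset 0x26: non-printable padding
        printf 'C\000:\000\\\000T\000e\000m\000p\000\000\000'  # offset 0x28: "C:\Temp" in UTF-16LE
    } > "$1"
}

# tag LABEL: rewrite "  <hex-offset> <string>" lines as "LABEL <hex-offset> <string>".
tag() {
    awk -v t="$1" '{ off = $1; sub(/^ *[0-9a-f]+ /, ""); print t, off, $0 }'
}

# scan_both FILE [MIN]: scan the whole file once per encoding, with hex offsets.
scan_both() {
    file=$1
    min=${2:-4}
    strings -a -n "$min" -t x -e s "$file" | tag ascii
    strings -a -n "$min" -t x -e l "$file" | tag utf16le
}

sample=$(mktemp)
make_sample "$sample"
echo "default minimum length:"; scan_both "$sample"
echo "minimum length 3:";       scan_both "$sample" 3
rm -f "$sample"
```

On this sample the default scan reports only the URL; `C:\Temp` appears only under `-e l`, and `abc` only once the minimum length is lowered to 3.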

COMMON USAGE EXAMPLES


1. Find all strings in a binary:
strings /bin/ls

2. Find strings of at least 8 characters:
strings -n 8 /usr/bin/firefox

3. Print filename and offset for each string in hex:
strings -f -t x /bin/bash

4. Search for 16-bit little-endian (UTF-16LE) strings in a core dump:
strings -e l core_dump.img

5. Scan an entire file (not just its initialized data sections) and filter the results:
strings -a /usr/lib/libc.so.6 | grep "GLIBC"

HISTORY

The strings command has been a standard utility in Unix-like operating systems for decades. It is typically part of the GNU Binutils package on Linux distributions, which provides a collection of binary tools. Its core functionality has remained consistent, focusing on its role as a fundamental tool for inspecting binary files for embedded text data, predating many specialized reverse engineering tools.

SEE ALSO

grep(1), hexdump(1), od(1), objdump(1), readelf(1), xxd(1)
