This is a fork of the great strings2 project, with full cross-platform support and options modified to resemble those of the regular `strings` tool.
- Full cross-platform support: Runs on Linux, macOS (Intel and ARM), and Windows. It should also compile and run on other platforms such as Android.
- Does not treat newline symbols as part of the string: The original strings2 treats newline symbols as part of the string if any text follows right after them, and has an `-e` option that escapes newline symbols in the output. Without that option the string is printed across multiple lines, which can lead to confusion when grepping results with string offsets later, since only the first line, before the line terminator, has a printed offset. This version follows traditional `strings` behavior by treating newline characters as string terminators. This makes the output cleaner and more predictable.
- Removed options for process scanning: This falls outside the scope of a simple string extraction tool and is better done by chaining with another command.
- Streamlined options: Command-line options have been refined to align more closely with traditional `strings` while maintaining the advanced features of `strings2`.
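The offset problem described in the list above, as an added example (not code from strings2 or this fork): a simplified printable-ASCII extractor run in both newline modes over a constructed buffer. The function names, the `offset<TAB>text` output format and the sample bytes are assumptions; `base_offset` stands in for adding a chunk's starting offset to every reported offset.

```python
import re

def extract(data, min_chars=4, newline_terminates=True, base_offset=0):
    """Return (start, end, text) for each run of printable ASCII in data.

    newline_terminates=False is a simplified model of the behaviour the
    README attributes to the original tool: CR/LF stay inside the string.
    base_offset is added to every offset, as for a chunk read from stdin.
    """
    charset = rb"[\x20-\x7e]" if newline_terminates else rb"[\x20-\x7e\r\n]"
    pattern = re.compile(charset + b"{%d,}" % min_chars)
    return [(m.start() + base_offset, m.end() + base_offset,
             m.group().decode("ascii")) for m in pattern.finditer(data)]

def render(spans):
    """One 'offset<TAB>text' record per string (constructed output format)."""
    return "\n".join(f"{start:#x}\t{text}" for start, _end, text in spans)

def grep_offsets(rendered, needle):
    """Offsets of output lines containing needle; None if the line has none."""
    hits = []
    for line in rendered.splitlines():
        if needle in line:
            prefix, tab, _ = line.partition("\t")
            hits.append(int(prefix, 16) if tab and prefix.startswith("0x") else None)
    return hits

# Constructed sample: junk bytes around two newline-separated lines and a name.
DATA = (b"\x00\x01\x02" b"Host: example.test\nUser-Agent: demo/1.0\n"
        b"\x00\x00" b"config.ini" b"\xff")

if __name__ == "__main__":
    for mode in (False, True):
        out = render(extract(DATA, newline_terminates=mode))
        print(f"newline_terminates={mode}: User-Agent at",
              grep_offsets(out, "User-Agent"))
```

With newlines kept inside the string, the `User-Agent` line is found by the search but carries no offset; with newlines as terminators, every matching line has its own offset.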
The only dependency is CMake:

```
mkdir build
cd build
cmake -DCMAKE_BUILD_TYPE=Release ..
make
```

The binary will be in the build directory named strings2.
Cross-compile using MinGW:

```
mkdir build-win
cd build-win
x86_64-w64-mingw32-cmake -DCMAKE_EXE_LINKER_FLAGS="-static-libgcc -static-libstdc++ -static -w -s" ..
make
```

Dump all strings from malware.exe to stdout:

```
strings2 malware.exe
```

Dump all strings from all .exe files in the files folder to the file strings.txt:

```
strings2 ./files/*.exe > strings.txt
```

Dump all strings from a block device via pipes, printing offsets for each found string:

```
dd if=/dev/sda | strings2 -s
```

For more performant processing of large files like disk images (useful for data recovery or forensic purposes), you can use the included Python script, which runs strings2 in parallel on multiple file chunks that are fed into strings2 with dd:

```
python strings2-parallel.py image.dd
```

```
Usage: strings2 [option(s)] [file(s)]
Strings2 extracts all unicode/ascii strings from binary [file(s)] (stdin by default).
On top of the classical strings approach, this version decodes multilingual strings (eg Chinese, Russian, etc) and uses a ML model to suppress noisy uninteresting strings.
Flags:
-f, --print-file-name Print the file path for each string
-s, --print-span Print the file offset span of each string
-o, --offset OFFSET Add offset to all found string offsets. Useful when passing chunks of one file in multiple threads via stdin
-a, --all Print both interesting and not interesting strings
-n, --not-interesting Print only not interesting strings
-w, --wide Print only wide strings
-u, --utf Print only UTF-8 strings
-t, --print-string-type Print the string type
-j, --json Write output as JSON
-l, --min-chars NUM Minimum number of characters (default: 4)
-b, --byte-range RANGE Scan only the specified byte range (start[:end])
-h, --help Display this help
-v, --version Display version information
```

Strings2 is a Windows command-line tool for extracting strings from binary data. On top of the classic Sysinternals strings approach, this tool includes:
- Multi-lingual string extraction, such as Russian, Chinese, etc.
- Machine learning model filters out junk erroneous string extractions to reduce noise.
- String extractions from process memory.
- Recursive and wildcard filename matching.
- JSON output option for automation integration. (Also see the Python module version, binary2strings.)

I also recommend looking at FLOSS from Mandiant, a cross-platform string extraction solver with a different set of features.