# File strings

## Strings

* Any sequence of printable characters is a **string**
* We can use strings to get hints about the functionality of a program.
  * Accesses a URL
  * Opens another program

### Technical Details

* Strings are terminated by a null byte (0x00)
* [ASCII](http://www.asciitable.com) characters are 8 bits long
  * Now called ANSI

![](https://1094113337-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M3hoduT4ByoNaznkzhG%2F-MF81GXhYbtVMhZnj-vy%2F-MF81gONo6_sLfTA1svv%2F140-1.png?alt=media\&token=f42f9f21-a8f6-429f-abf7-86a7f4dbc41b)

* Unicode characters are 16 bits long
  * Microsoft calls them "wide characters"

![](https://1094113337-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M3hoduT4ByoNaznkzhG%2F-MF81GXhYbtVMhZnj-vy%2F-MF81jcNYYR_DJ59qxPW%2F140-2.png?alt=media\&token=6032d9bb-39ac-4517-b42a-6bc2e4333875)

### The strings command

* Native in Linux, also available for Windows
* Ignores context and formatting
  * Can analyze any file type and detect strings across an entire file
    * Can result in false positives (instructions, addresses, etc.)
* Finds all strings in a file 3 or more characters long
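
The following is an added example, not part of the original notes: a minimal Python version of the scan the strings command performs, covering both 8-bit and wide (16-bit) strings with the 3-character minimum. The function name `extract_strings` and the `SAMPLE` buffer are constructed for illustration.

```python
import re

MIN_LEN = 3  # minimum string length stated in these notes

# One printable 8-bit character (space through tilde).
_PRINTABLE = rb"[\x20-\x7e]"


def extract_strings(data: bytes, min_len: int = MIN_LEN):
    """Return sorted (offset, encoding, text) tuples for printable runs."""
    found = []
    # 8-bit strings: one byte per character.
    ascii_re = re.compile(_PRINTABLE + b"{%d,}" % min_len)
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    # Wide strings: each printable byte is followed by a 0x00 byte.
    wide_re = re.compile(b"(?:" + _PRINTABLE + rb"\x00){%d,}" % min_len)
    for m in wide_re.finditer(data):
        found.append((m.start(), "wide", m.group().decode("utf-16-le")))
    return sorted(found)


# Constructed sample: text mixed with non-text bytes, as in a real binary.
SAMPLE = (
    b"\x4d\x5a\x90\x00"                              # header bytes, too short to count
    + b"GDI32.DLL\x00"                               # null-terminated 8-bit string
    + b"\x8b\xff\x55\x8b\xec"                        # x86 instructions
    + "GetLayout".encode("utf-16-le") + b"\x00\x00"  # null-terminated wide string
    + b"\x50\x51\x52\x53\xc3"                        # four push instructions + ret
)

if __name__ == "__main__":
    for offset, encoding, text in extract_strings(SAMPLE):
        print(f"{offset:#06x}  {encoding:<5}  {text}")
```

The last hit, `PQRS`, is a false positive: those four bytes are x86 `push` instructions that happen to fall in the printable range. Raising the minimum length filters it out.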

#### For Windows

* Bold items can be ignored
* GetLayout and SetLayout are Windows functions
* GDI32.DLL is a Dynamic Link Library

![](https://1094113337-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M3hoduT4ByoNaznkzhG%2F-MF81GXhYbtVMhZnj-vy%2F-MF81jcOrInqc-9jHE0u%2F140-3.png?alt=media\&token=1fd45d1b-73a3-4426-a9e2-d4cbe6b6f4f3)

### Can we always rely on strings?

* Legitimate programs usually include many strings.
* Malware that is packed or obfuscated contains very few strings.
* If searching a program with Strings turns up only a few strings, it is probably either obfuscated or packed, suggesting that it may be malicious.
* You’ll likely need to throw more than static analysis at it in order to investigate further.
