File strings


  • Any sequence of printable characters is a string

  • We can use strings to get hints about the functionality of a program.

    • Accesses a URL

    • Opens another program

Technical Details

  • Strings are terminated by a null byte (0x00)

  • ASCII characters are 8 bits long

    • Now called ANSI

  • Unicode characters are 16 bits long

    • Microsoft calls them "wide characters"

The strings command

  • Native in Linux, also available for Windows

  • Ignores context and formatting

    • Can analyze any file type and detect strings across an entire file

      • Can result in false positives (instructions, addresses, etc. whose bytes happen to be printable)

  • Finds all strings in a file that are 3 or more characters long

For Windows

  • Bold items can be ignored

  • GetLayout and SetLayout are Windows functions

  • GDI32.DLL is a Dynamic Link Library

Can we always rely on strings?

  • Legitimate programs usually include many strings.

  • Malware that is packed or obfuscated contains very few strings.

  • If you search a program with strings and find only a few, it is probably either obfuscated or packed, which suggests that it may be malicious.

  • You will likely need more than static analysis to investigate it further.
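As an added example (not part of the original notes), a small Python re-implementation of the two scans the strings command performs, printable ASCII runs and Windows "wide" (UTF-16LE) runs of at least 3 characters, combined with the few-strings heuristic from this section. The sample byte blob, the URL in it and the threshold of 5 strings are constructed assumptions, not data from any real file.

```python
import re

# Constructed sample blob: a header-like prefix, one ASCII string, some
# opcode-like noise, one UTF-16LE ("wide") string and a run that is too
# short to count at min_len=3. Not taken from any real binary.
SAMPLE = (
    b"\x4d\x5a\x90\x00\x03\x00\x00\x00"              # "MZ" + non-printable bytes
    + b"http://example.invalid/update\x00"           # ASCII string, null terminated
    + b"\xe8\x00\x00\x00\x00"                         # instruction-like noise
    + "GetLayout".encode("utf-16-le") + b"\x00\x00"  # wide string, wide terminator
    + b"ab\x00"                                       # only 2 chars: below min_len
    + b"\xff\xfe\x01\x02"
)

# Printable ASCII is 0x20..0x7e; a wide character is that byte followed by 0x00.
ASCII_RE = rb"[\x20-\x7e]{%d,}"
WIDE_RE = rb"(?:[\x20-\x7e]\x00){%d,}"


def ascii_strings(data: bytes, min_len: int = 3) -> list:
    """Return every run of printable ASCII at least min_len bytes long."""
    pattern = re.compile(ASCII_RE % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def wide_strings(data: bytes, min_len: int = 3) -> list:
    """Return every UTF-16LE run of printable characters (Windows 'wide' strings)."""
    pattern = re.compile(WIDE_RE % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


def strings_verdict(data: bytes, min_len: int = 3, few: int = 5) -> dict:
    """Count both kinds of strings; a very low count is a packing/obfuscation
    hint that calls for dynamic analysis, not proof of anything by itself."""
    found = ascii_strings(data, min_len) + wide_strings(data, min_len)
    return {"count": len(found), "strings": found, "few_strings": len(found) < few}


if __name__ == "__main__":
    for s in ascii_strings(SAMPLE) + wide_strings(SAMPLE):
        print(s)
    print(strings_verdict(SAMPLE))
```

The plain ASCII scan misses the wide string because each of its characters is separated by a null byte, which is why the real tool needs the wide-character scan as well.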
