Strings.exe / Strings64.exe (SysInternals)

Search for ANSI and UNICODE strings in binary files.

Syntax
      STRINGS [-a] [-f offset] [-b bytes] [-n length] [-o] [-q] [-s]
         [-u] file_or_directory

Key
   -a  Ascii-only search (Unicode and Ascii is default)
   -b  Bytes of file to scan
   -f  File offset at which to start scanning.
   -o  Print offset in file string was located
   -n  Minimum string length (default is 3)
   -q  Quiet (no banner)
   -s  Recurse subdirectories
   -u  Unicode-only search (Unicode and Ascii is default)

Strings scans the file you pass it for UNICODE (or ASCII) strings and, by default, reports any run of 3 or more consecutive UNICODE (or ASCII) characters.

If you run strings on a .jpg and the output includes 'This program cannot be run in DOS mode', that indicates it is an executable, not a JPEG. Malware authors often disguise portable executables with names that end in .gif/.jpg/etc to evade human checks. Source: Jessica Payne [MSFT]

When installing strings.exe, ensure it is placed either somewhere in the system PATH or in the current directory. Strings64.exe is the 64-bit version.

Because strings scans through the entirety of a binary file, it can be useful for finding undocumented command line options.

Examples

Export the Unicode and ASCII content of an executable file to a csv file:

C:\> strings64.exe -q demo.exe > demo.csv

Search a jpg file for signs of executable code:

C:\> strings.exe sample.jpg | findstr /i /c:"This program cannot be run in DOS mode"

Search multiple DLL files for the string 'quiet':

C:\> strings *.dll | findstr /i quiet
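
The disguised-executable check described above, generalised in Python as an added example (not part of the original page or of Sysinternals): a simplified string scanner plus checks for the file signature and the DOS stub message, including an executable appended behind a valid JPEG header. The function names and sample bytes are constructed for illustration, and the scanner only approximates what strings.exe treats as printable.

```python
import os
import re

DOS_STUB = "This program cannot be run in DOS mode"
# File signatures for the image types the page mentions (.jpg, .gif).
IMAGE_MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".gif": b"GIF8"}

def extract_strings(data, min_len=3, ascii_only=False, unicode_only=False):
    """Return sorted (offset, kind, text) tuples, roughly like 'strings -o'.

    Approximation: printable means bytes 0x20-0x7e; Unicode means UTF-16LE
    text whose characters fall in that same range.
    """
    found = []
    if not unicode_only:
        for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
            found.append((m.start(), "ascii", m.group().decode("ascii")))
    if not ascii_only:
        for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
            found.append((m.start(), "unicode", m.group().decode("utf-16-le")))
    return sorted(found)

def triage(name, data):
    """List reasons a file with an image extension looks like an executable."""
    reasons = []
    ext = os.path.splitext(name)[1].lower()
    magic = IMAGE_MAGIC.get(ext)
    if magic and not data.startswith(magic):
        reasons.append("no %s signature at offset 0" % ext)
    if data[:2] == b"MZ":
        reasons.append("MZ header at offset 0")
    # The stub text can also sit behind a valid image header (appended PE).
    hits = [off for off, _, text in extract_strings(data) if DOS_STUB in text]
    if hits:
        reasons.append("DOS stub message at offset %d" % hits[0])
    return reasons

# Constructed sample bytes, not real files.
FAKE_PE = (b"MZ\x90\x00" + b"\x00" * 60 + b"\x0e\x1f\xba\x0e\x00"
           + b"This program cannot be run in DOS mode.\r\r\n$" + b"\x00" * 8)
FAKE_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 20

if __name__ == "__main__":
    for name, data in [("photo.jpg", FAKE_JPG), ("holiday.jpg", FAKE_PE),
                       ("polyglot.jpg", FAKE_JPG + FAKE_PE)]:
        print(name, triage(name, data) or "no findings")
```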

Related commands

ANSI colors - Use ANSI colors in the terminal.
FINDSTR - Search for strings in files.
TYPE - Display the contents of a text file.
BinText 3.0 - Free GUI utility, search/extract text from binary files.


 
Copyright © 1999-2024 SS64.com
Some rights reserved