How to Use the strings Command on Linux

Want to see the text in a binary or data file? The Linux strings command extracts these bits of text (called "strings") for you.

Linux is full of commands that can look like solutions in search of problems. The strings command definitely falls into this camp. Just what is its purpose? Is there a point to a command that lists printable strings from a binary file?

Let's take a step back. Binaries, such as program files, can contain strings of human-readable text. But how can you see them? If you use cat or less, you may end up with a hung terminal window. Programs designed to work with text files do not cope well when they are fed non-printable characters.

Most bytes of a binary file are not human-readable and cannot be printed in the terminal window in a way that makes sense. There are no standard characters or symbols to represent binary values that do not correspond to alphanumeric characters, punctuation or whitespace. Collectively, alphanumeric characters, punctuation and whitespace are called "printable" characters. The others are "non-printable" characters.

It is therefore difficult to display or search for text strings in a binary file or a data file. And that's where strings comes in. It extracts printable character strings from files so that other commands can use the strings without having to deal with non-printable characters.

Using the strings command

The strings command is not complicated, and its basic use is very simple. We provide the name of the file we want strings to search on the command line.

Here we will use strings on a binary file – an executable file – called "jibber". We type strings, a space, "jibber" and press Enter.

strings jibber

The strings are extracted from the file and listed in the terminal window.

Setting the minimum string length

By default, strings looks for strings of four or more characters. To set a minimum length that is longer or shorter, use the -n option (minimum length).

Note that the shorter the minimum length, the more junk you are likely to see.

Some binary values have the same numeric value as the value that represents a printable character. If two of these numeric values are side by side in the file and you specify a minimum length of two, those bytes will be reported as if they were a string.

To have strings use two as the minimum length, use the following command.

strings -n 2 jibber

We now have two-letter strings included in the results. Note that spaces are counted as a printable character.

Piping strings through less

Because the output from strings can be lengthy, we will pipe it through less. We can then scroll through the output looking for interesting text.

strings jibber | less

The list is now presented to us in less, the top of the list being displayed first.

Using strings with object files

Typically, a program's source code files are compiled into object files. These are linked with library files to create a binary executable file. We have the jibber object file on hand, so let's look inside this file. Note the ".o" file extension.

strings jibber.o | less

The strings in the first set are all wrapped at column eight if they are longer than eight characters. If they have been wrapped, an "H" character appears in column nine. You may recognize these strings as SQL statements.

Scrolling the output reveals that this formatting is not used throughout the file.

It is interesting to see the differences in the text strings between the object file and the finished executable.

Searching in specific areas of the file

Compiled programs have different areas within them that are used to store text. By default, strings searches for text throughout the whole file. It's as if you had used the -a option (all). To have strings look only in the initialized and loaded data sections of the file, use the -d (data) option.

strings -d jibber | less

Unless you have a good reason to do otherwise, you might as well use the default setting and search the entire file.

Printing the string offset

We can have strings print the offset from the beginning of the file at which each string is located. To do this, use the -o (offset) option.

strings -o parse_phrases | less

The offset is given in octal.

For the offset to be displayed in a different numeric base, such as decimal or hexadecimal, use the -t (radix) option. The radix option must be followed by d (decimal), x (hexadecimal) or o (octal). Using -t o is the same as using -o.

strings -t d parse_phrases | less

The offsets are now printed in decimal.

strings -t x parse_phrases | less

Offsets are now printed in hexadecimal.
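
As an added example (not part of the original article), the script below builds a small constructed file, shows how the -n minimum length changes what strings reports, and checks an offset reported by -t d by reading the bytes back with dd. The file contents and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: the sample bytes are constructed, not taken from a real program.

# Write a 46-byte test file: two long strings, two 2-byte runs ("AB", "xy")
# and non-printable bytes (octal escapes) in between.
make_sample() {
    printf '\001\002AB\003\004Copyright 2019 Example\000\377\376jibber v1.0\000xy\000' > "$1"
}

# Number of strings reported for a given minimum length (-n).
# -a scans the whole file, the default behaviour the article describes.
count_strings() {
    strings -a -n "$2" "$1" | wc -l | tr -d ' '
}

# Decimal offset (-t d) of the first extracted string containing a keyword.
offset_of() {
    strings -a -t d "$1" | awk -v kw="$2" 'index($0, kw) { print $1; exit }'
}

# Read LEN bytes starting at OFFSET, to confirm what strings reported.
carve() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null
}

demo() {
    f=$(mktemp) || return 1
    make_sample "$f"
    echo "strings found with -n 4: $(count_strings "$f" 4)"
    echo "strings found with -n 2: $(count_strings "$f" 2)"
    off=$(offset_of "$f" jibber)
    echo "bytes at offset $off: $(carve "$f" "$off" 11)"
    rm -f "$f"
}

demo
```

With the default minimum of four, only the two real text strings are reported; dropping to two also picks up the short "AB" and "xy" runs, which is the kind of junk described earlier.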

Including whitespace

strings considers tab and space characters to be part of the strings it finds. Other whitespace characters, such as newlines and carriage returns, are not treated as though they were part of the strings. The -w (whitespace) option causes strings to treat all whitespace characters as though they were part of the string.

strings -w add_data | less

We can see the blank line in the output, which is the result of the (invisible) carriage return and newline characters at the end of the second line.

We are not limited to files

We can use strings with anything that is, or can produce, a stream of bytes.

With this command, we can look through the random access memory (RAM) of our computer.

We need to use sudo because we are accessing /dev/mem. This is a character device file that contains an image of the main memory of your computer.

sudo strings /dev/mem | less

The list does not represent all the contents of your RAM. These are just the strings that can be extracted from it.

Searching multiple files at once

Wildcards can be used to select groups of files to search. The * character represents multiple characters, and the ? character represents any single character. You can also choose to provide multiple file names on the command line.

We will use a wildcard and search in all executable files in the /bin directory. Since the list will contain the results from many files, we will use the -f option (file name). This will print the file name at the beginning of each line. We can then see in which file each string was found.

We are piping the results through grep and looking for strings containing the word "Copyright".

strings -f /bin/* | grep Copyright

We get a neat list of copyright statements for each file in the /bin directory, with the file name at the beginning of each line.

strings unravelled

There is no mystery to strings; it's a typical Linux command. It does something very specific and does it very well.

It is another of the nuts and bolts of Linux, and it comes alive when it works with other commands. When you see how it can sit between binary files and other tools such as grep, you start to appreciate the functionality of this slightly obscure command.
