It is recommended to use the default preset and let it run once, which extracts the strings of your whole System32 folder. Afterwards you can use the resulting file to check whether any given string exists (finding a string does not mean that it is a DWORD; use WPR or IDA for that, e.g. wpr-reg-records). This tool is meant for searching the binary files for a specific string, or for checking whether a string exists anywhere at all.
Preview: stringext.mp4
| Option | Description |
|---|---|
| Filter Strings | Removes unreadable characters or random sequences like 聪;整王, 혀+혔+, 곽TSa. |
| Min String Length | Sets the minimum number of characters a string must have to be included (default 4). Prevents clutter by filtering out very short strings like Fxt, fyl, fy-. Avoid setting it too high, or you may miss relevant data. |
| Recurse | ON: Processes all subdirectories (e.g., scans C:\Windows\System32\DriverStore and all its folders). OFF: Processes only files directly in the selected folder (e.g., just C:\Windows\System32\). |
| dumpbin.exe | Displays detailed information about COFF binaries such as DLL, EXE, and LIB files. |
| Preconfigured Flags | OFF: Uses all detailed flags: /HEADERS, /ARCHIVEMEMBERS, /EXPORTS, /IMPORTS, /SYMBOLS, /LINENUMBERS, /RAWDATA, /RELOCATIONS, /TLS, /SUMMARY, /CLRHEADER, /LOADCONFIG, /DIRECTIVES, /PDATA, /DEBUGDIRECTORIES, /FPO, /PDBPATH. ON: Uses a minimal set of flags to reduce size: /ARCHIVEMEMBERS, /CLRHEADER, /DEPENDENTS, /EXPORTS, /IMPORTS, /SUMMARY, /SYMBOLS, /DIRECTIVES. Full reference: [DUMPBIN options](https://learn.microsoft.com/en-us/cpp/build/reference/dumpbin-options?view=msvc-170) |
| One File | Combines all strings into a single file rather than creating a separate file for each input file. Uses the -f flag to include the filename with the string, e.g.: C:\Windows\System32/ntoskrnl.exe,ReservedCpuSets |
| P | Sets a specific process ID (PID) for analysis. Note: Works only when One File is turned OFF. |
- Turning off Preconfigured Dumpbin Flags increases the execution time by a lot; it should only be changed if single files are extracted.
- It is recommended to use One File, as it speeds up the process and makes it easier to search for strings.
- dumpbin.exe displays information about COFF binary files like DLLs, EXEs, and LIBs.
- String length size should stay at 3-5.
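As an added example (not the tool's own code, and not strings2), the following Python script models what the options above do on a constructed byte blob: it extracts ASCII and two-byte-per-character (WIDE_STRING) runs of at least a minimum length, applies a simple junk heuristic standing in for Filter Strings, writes the One File `filename,string` layout, and then answers the question the page is about, namely whether a given string exists anywhere in the dump. The junk heuristic and the sample blob are assumptions made for this example.

```python
import re

# Printable ASCII runs ("UTF8") and UTF-16LE runs of printable ASCII ("WIDE_STRING",
# two bytes per character), the two string types the option table lists.
ASCII_RUN = re.compile(rb"[\x20-\x7e]+")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00)+")

def is_junk(text: str) -> bool:
    """Heuristic stand-in for 'Filter Strings' (assumption, not the tool's model):
    a run is junk when fewer than half of its characters are letters or digits."""
    alnum = sum(ch.isalnum() for ch in text)
    return alnum * 2 < len(text)

def extract_strings(data: bytes, min_len: int = 4, filter_junk: bool = True):
    """Return [(offset, kind, text)] for every run of at least min_len characters,
    sorted by file offset; kind is 'UTF8' or 'WIDE_STRING'."""
    found = []
    for pattern, kind, codec in ((ASCII_RUN, "UTF8", "ascii"), (WIDE_RUN, "WIDE_STRING", "utf-16-le")):
        for m in pattern.finditer(data):
            text = m.group().decode(codec)
            if len(text) < min_len or (filter_junk and is_junk(text)):
                continue
            found.append((m.start(), kind, text))
    return sorted(found)

def one_file_lines(name: str, data: bytes, **kw) -> list:
    """Render the 'One File' layout from the table: one 'filename,string' line per hit."""
    return [f"{name},{text}" for _, _, text in extract_strings(data, **kw)]

def search_one_file(lines, needle: str) -> list:
    """Which files in the combined dump contain needle? Case-insensitive substring
    match on the string column (everything after the first comma)."""
    hits = []
    for line in lines:
        fname, _, text = line.partition(",")
        if needle.lower() in text.lower() and fname not in hits:
            hits.append(fname)
    return hits

# Constructed sample blob standing in for a System32 binary (not a real PE image).
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"            # header bytes: "MZ" is too short to count
    + b"ReservedCpuSets\x00\x00"             # ASCII string at offset 8
    + "KernelBase".encode("utf-16-le")       # WIDE_STRING at offset 25
    + b"\x00\x00Fxt\x00"                     # 3 chars: dropped at the default min length
    + b"$#@!%^&*\x00"                        # printable but junk: dropped by is_junk
    + b"\x7f\x12\x99abcd!!\x00"              # mixed run at offset 63, kept
)

if __name__ == "__main__":
    for line in one_file_lines(r"C:\Windows\System32/ntoskrnl.exe", SAMPLE):
        print(line)
    print(search_one_file(one_file_lines("ntoskrnl.exe", SAMPLE), "cpusets"))
```

Lowering `min_len` to 3 brings `Fxt` back, which is why the notes above warn against setting the length too high or too low.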
Strings2 is a Windows command-line tool for extracting strings from binary data. On top of the classic Sysinternals strings approach, this tool includes:
- Multi-lingual string extraction, such as Russian, Chinese, etc.
- A machine learning model filters out junk and erroneous string extractions to reduce noise.
- String extractions from process memory.
- Recursive and wildcard filename matching.
- Json output option for automation integration. (Also see python module version binary2strings)
I also recommend looking at FLOSS from Mandiant, a cross-platform string extraction solver with a different set of features.
Dump all strings from malware.exe to stdout:

```
strings2 malware.exe
```

Dump all strings from all .exe files in the files folder to the file strings.txt:

```
strings2 ./files/*.exe > strings.txt
```

Dump strings from a specific process id, including logging the module name and memory addresses of each match:

```
strings2 -f -s -pid 0x1a3 > process_strings.txt
```

Extract strings from malware.exe to a json file:

```
strings2 malware.exe -json > strings.json
```
```
strings.exe (options) file_pattern
```

file_pattern can be a folder or file. Wildcards (*) are supported in the filename parts, e.g. .\files\*.exe.
| Option | Description |
|---|---|
| -r | Recursively process subdirectories. |
| -f | Prints the filename/processname for each string. |
| -F | Prints the full path and filename for each string. |
| -s | Prints the file offset or memory address span of each string. |
| -t | Prints the string type for each string: UTF8 or WIDE_STRING. |
| -wide | Prints only WIDE_STRING strings that are encoded as two bytes per character. |
| -utf | Prints only UTF8 encoded strings. |
| -a | Prints both interesting and not interesting strings. Default only prints interesting non-junk strings. |
| -ni | Prints only not interesting strings. Default only prints interesting non-junk strings. |
| -e | Escape new line characters. |
| -l [num_chars] | Minimum number of characters for a valid string. Default is 4. |
| -b [start](:[end]) | Scan only the specified byte range for strings. Optionally specify an end offset as well. |
| -pid [pid] | The strings from the process address space for the specified PID will be dumped. Use a '0x' prefix to specify a hex PID. |
| -system | Dumps strings from all accessible processes on the system. This takes a while. |
| -json | Writes output as json. Many flags are ignored in this mode. |
- DUMPBIN options: https://learn.microsoft.com/en-us/cpp/build/reference/dumpbin-options?view=msvc-170
- Sysinternals Strings: https://learn.microsoft.com/en-us/sysinternals/downloads/strings
- Visual Studio (source of mspdbcore.dll, tbbmalloc.dll, link.exe, dumpbin.exe): https://visualstudio.microsoft.com/