Tuesday, April 14, 2009

Malware String Analysis Part 1 - Getting the Strings

String analysis can be very useful when it comes to researching and gathering information on suspicious or unknown files. There are all kinds of information that can be gathered from the strings of a file, and there are of course any number of ways to obtain and process that information. In this "part 1" I'm going to go over some of the more common ways to extract the strings from a file.

If you are doing your research on a Windows machine, one of the easiest ways to extract the strings of a file is to use the Sysinternals tool Strings. I like to run the application against files with a batch file in the "Send To" folder. This allows me to simply right click on the file in question and click "Send To", then "Strings". As instructed by my batch file, the app pushes the extracted strings into a txt file for me. You can set your research box up in a similar fashion by doing the following:

Click Start, Run, then type "sendto".

This will open the SendTo folder. Right click, "New", "Text Document". Here's what I use, but you could of course modify it as you like:

rem %1 is the file that was right-clicked; quote it so paths with spaces work
strings -a "%1" >"C:\strings.txt"
rem Open the result in whatever program is associated with .txt files
"C:\strings.txt"
exit


Make sure you save the file with the extension .bat, and not .txt. Strings.bat is a pretty good name.

As stated in the Sysinternals documentation for the tool, there are various options you can use with the Strings command:

Using Strings

Usage: strings.exe [-a] [-b bytes] [-n length] [-o] [-q] [-s] [-u]

Strings takes wild-card expressions for file names, and additional command line parameters are defined as follows:

-s         Recurse subdirectories.
-o         Print offset in file at which the string is located.
-a         Scan for ASCII only.
-u         Scan for UNICODE only.
-b bytes   Bytes of file to scan.
-n X       Strings must be a minimum of X characters in length.

To search one or more files for the presence of a particular string, pipe the output of strings into findstr like this:

strings * | findstr /i TextToSearchFor


Using the above method you should be able to extract the strings of a file pretty quickly without much of a hassle.
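To make the -a / -u / -n / -o / -b options concrete, here is a small Python re-implementation of the scan they perform, run over a constructed byte buffer. This is an added example, not the Sysinternals tool's own code, and the sample string contents in it are made up for illustration.

```python
import re
from typing import Iterator, List, Optional, Tuple

# Printable ASCII byte range (0x20..0x7E) that a run must consist of.
PRINTABLE = rb"[\x20-\x7e]"


def ascii_strings(data: bytes, min_len: int = 3) -> Iterator[Tuple[int, str]]:
    """Like -a -o: yield (offset, text) for each printable ASCII run of >= min_len bytes."""
    pattern = re.compile(PRINTABLE + rb"{%d,}" % min_len)
    for m in pattern.finditer(data):
        yield m.start(), m.group().decode("ascii")


def unicode_strings(data: bytes, min_len: int = 3) -> Iterator[Tuple[int, str]]:
    """Like -u -o: yield (offset, text) for runs of >= min_len UTF-16LE characters.
    Windows "Unicode" strings are UTF-16LE, so each printable character appears
    as a printable ASCII byte followed by a zero byte; that pair is what we scan for.
    """
    pattern = re.compile(rb"(?:" + PRINTABLE + rb"\x00){%d,}" % min_len)
    for m in pattern.finditer(data):
        yield m.start(), m.group().decode("utf-16-le")


def all_strings(data: bytes, min_len: int = 3,
                scan_bytes: Optional[int] = None) -> List[Tuple[int, str, str]]:
    """Both scans (the default when neither -a nor -u is given), honouring -n and -b.
    Returns (offset, scan, text) tuples sorted by offset; scan is "a" or "u".
    """
    if scan_bytes is not None:          # -b bytes: only look at the first N bytes
        data = data[:scan_bytes]
    found = [(off, "a", s) for off, s in ascii_strings(data, min_len)]
    found += [(off, "u", s) for off, s in unicode_strings(data, min_len)]
    return sorted(found)


# Constructed sample standing in for a suspicious binary: header-like noise,
# an ASCII import name, a UTF-16LE command line, and a two-byte run that -n 3 drops.
SAMPLE = (
    b"\x00\x01\x02MZ\x90"                              # "MZ" is only 2 printable chars
    + b"URLDownloadToFileA\x00\x00"                    # ASCII string, NUL-terminated
    + "cmd.exe /c".encode("utf-16-le") + b"\x00\x00"   # UTF-16LE string, NUL-terminated
    + b"\xff\xfeab\x00"                                # short ASCII run "ab"
)

if __name__ == "__main__":
    for off, scan, text in all_strings(SAMPLE):
        print(f"{off:6d} -{scan} {text}")
```

Running it with the default minimum length prints only the two real strings with their offsets; lowering min_len to 2 lets the "MZ" and "ab" fragments through, which is exactly the noise -n exists to suppress.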

If you want to do the same on Linux, chances are that you already have the necessary tool. If you type "strings" at the command prompt you'll know pretty quickly. In order to get this working the same as the Sysinternals tool you will need to add some extra arguments, as its default output is pretty raw. I'm not entirely sure what those are as I usually just rip the strings off my Windows research box, but if anyone knows the equivalent command please post it up.

Really basic stuff, but there are all kinds of interesting things that can come from those strings. Next time we'll look at some output files and a cool tool called Yara that helps parse the strings all quick like.
