bstrings

A better strings utility!

Command Line Interface

bstrings version 1.5.1.0

Author: Eric Zimmerman ([email protected])
https://github.com/EricZimmerman/bstrings

        a               If set, look for ASCII strings. Default is true. Use -a false to disable
        b               Chunk size in MB. Valid range is 1 to 1024. Default is 512
        d               Directory to recursively process. Either this or -f is required
        f               File to search. Either this or -d is required
        m               Minimum string length. Default is 3
        o               File to save results to
        p               Display list of built in regular expressions
        q               Quiet mode (Do not show header or total number of hits)
        s               Really Quiet mode (Do not display hits to console. Speeds up processing when using -o)
        u               If set, look for Unicode strings. Default is true. Use -u false to disable
        x               Maximum string length. Default is unlimited

        ls              String to look for. When set, only matching strings are returned
        lr              Regex to look for. When set, only strings matching the regex are returned
        fs              File containing strings to look for. When set, only matching strings are returned
        fr              File containing regex patterns to look for. When set, only strings matching regex patterns are returned

        ar              Range of characters to search for in 'Code page' strings. Specify as a range of characters in hex format and enclose in quotes. Default is [\x20 -\x7E]
        ur              Range of characters to search for in Unicode strings. Specify as a range of characters in hex format and enclose in quotes. Default is [\u0020-\u007E]

        cp              Code page to use. Default is 1252. Use the Identifier value for code pages at https://goo.gl/ig6DxW
        mask            When using -d, file mask to search for. * and ? are supported. This option has no effect when using -f
        ms              When using -d, maximum file size to process. This option has no effect when using -f
        ro              When true, list the string matched by regex pattern vs string the pattern was found in (This may result in duplicate strings in output. ~ denotes approx. offset)
        off             Show offset to hit after string, followed by the encoding (A=1252, U=Unicode)

        sa              Sort results alphabetically
        sl              Sort results by length

Examples: bstrings.exe -f "C:\Temp\UsrClass 1.dat" --ls URL
          bstrings.exe -f "C:\Temp\someFile.txt" --lr guid
          bstrings.exe -f "C:\Temp\aBigFile.bin" --fs c:\temp\searchStrings.txt --fr c:\temp\searchRegex.txt -s
          bstrings.exe -d "C:\Temp" --mask "*.dll"
          bstrings.exe -d "C:\Temp" --ar "[\x20-\x37]"
          bstrings.exe -d "C:\Temp" --cp 10007
          bstrings.exe -d "C:\Temp" --ls test
          bstrings.exe -f "C:\Temp\someOtherFile.txt" --lr cc --sa
          bstrings.exe -f "C:\Temp\someOtherFile.txt" --lr cc --sa -m 15 -x 22
          bstrings.exe -f "C:\Temp\UsrClass 1.dat" --ls mui --sl

Built In Regular Expressions

Run bstrings.exe -p to see the following list of built in Regular Expressions:

          Name            Description
          aeon            Finds Aeon wallet addresses
          b64             Finds valid formatted base 64 strings
          bitcoin         Finds BitCoin wallet addresses
          bitlocker       Finds Bitlocker recovery keys
          bytecoin        Finds ByteCoin wallet addresses
          cc              Finds credit card numbers
          dashcoin        Finds DashCoin wallet addresses (D*)
          dashcoin2       Finds DashCoin wallet addresses (7|X)*
          email           Finds embedded email addresses
          fantomcoin      Finds Fantomcoin wallet addresses
          guid            Finds GUIDs
          ipv4            Finds IP version 4 addresses
          ipv6            Finds IP version 6 addresses
          mac             Finds MAC addresses
          monero          Finds Monero wallet addresses
          reg_path        Finds paths related to Registry hives
          sid             Finds Microsoft Security Identifiers (SID)
          ssn             Finds US Social Security Numbers
          sumokoin        Finds SumoKoin wallet addresses
          unc             Finds UNC paths
          url3986         Finds URLs according to RFC 3986
          urlUser         Finds usernames in URLs
          usPhone         Finds US phone numbers
          var_set         Finds environment variables being set (OS=Windows_NT)
          win_path        Finds Windows style paths (C:\folder1\folder2\file.txt)
          xml             Finds XML/HTML tags
          zip             Finds zip codes
          
          To use a built in pattern, supply the Name to the --lr switch

Documentation

Introducing bstrings, a Better Strings utility!

bstrings 0.9.0.0 released

bstrings 0.9.5.0 released

A few updates

bstrings 0.9.7.0 released

bstrings 0.9.8.0 released

bstrings 0.9.9.0 released!

bstrings 1.0 released!

bstrings v1.1 released!

Everything gets an update, Sept 2018 edition

Download Eric Zimmerman's Tools

All of Eric Zimmerman's tools can be downloaded here. Use the Get-ZimmermanTools PowerShell script to automate the download and updating of the EZ Tools suite. Additionally, you can automate each of these tools using KAPE!

Special Thanks

Open Source Development funding and support provided by the following contributors: SANS Institute and SANS DFIR.

EricZimmerman/bstrings

EricZimmerman

Reviews

Repository Details