bstrings
A better strings utility!
Command Line Interface
bstrings version 1.5.1.0
Author: Eric Zimmerman ([email protected])
https://github.com/EricZimmerman/bstrings
a If set, look for ASCII strings. Default is true. Use -a false to disable
b Chunk size in MB. Valid range is 1 to 1024. Default is 512
d Directory to recursively process. Either this or -f is required
f File to search. Either this or -d is required
m Minimum string length. Default is 3
o File to save results to
p Display list of built in regular expressions
q Quiet mode (Do not show header or total number of hits)
s Really Quiet mode (Do not display hits to console. Speeds up processing when using -o)
u If set, look for Unicode strings. Default is true. Use -u false to disable
x Maximum string length. Default is unlimited
ls String to look for. When set, only matching strings are returned
lr Regex to look for. When set, only strings matching the regex are returned
fs File containing strings to look for. When set, only matching strings are returned
fr File containing regex patterns to look for. When set, only strings matching regex patterns are returned
ar Range of characters to search for in 'Code page' strings. Specify as a range of characters in hex format and enclose in quotes. Default is [\x20 -\x7E]
ur Range of characters to search for in Unicode strings. Specify as a range of characters in hex format and enclose in quotes. Default is [\u0020-\u007E]
cp Code page to use. Default is 1252. Use the Identifier value for code pages at https://goo.gl/ig6DxW
mask When using -d, file mask to search for. * and ? are supported. This option has no effect when using -f
ms When using -d, maximum file size to process. This option has no effect when using -f
ro When true, list the string matched by regex pattern vs string the pattern was found in (This may result in duplicate strings in output. ~ denotes approx. offset)
off Show offset to hit after string, followed by the encoding (A=1252, U=Unicode)
sa Sort results alphabetically
sl Sort results by length
Examples: bstrings.exe -f "C:\Temp\UsrClass 1.dat" --ls URL
bstrings.exe -f "C:\Temp\someFile.txt" --lr guid
bstrings.exe -f "C:\Temp\aBigFile.bin" --fs c:\temp\searchStrings.txt --fr c:\temp\searchRegex.txt -s
bstrings.exe -d "C:\Temp" --mask "*.dll"
bstrings.exe -d "C:\Temp" --ar "[\x20-\x37]"
bstrings.exe -d "C:\Temp" --cp 10007
bstrings.exe -d "C:\Temp" --ls test
bstrings.exe -f "C:\Temp\someOtherFile.txt" --lr cc --sa
bstrings.exe -f "C:\Temp\someOtherFile.txt" --lr cc --sa -m 15 -x 22
bstrings.exe -f "C:\Temp\UsrClass 1.dat" --ls mui --sl
Built In Regular Expressions
Run bstrings.exe -p
to see the following list of built in Regular Expressions:
Name Description
aeon Finds Aeon wallet addresses
b64 Finds valid formatted base 64 strings
bitcoin Finds BitCoin wallet addresses
bitlocker Finds Bitlocker recovery keys
bytecoin Finds ByteCoin wallet addresses
cc Finds credit card numbers
dashcoin Finds DashCoin wallet addresses (D*)
dashcoin2 Finds DashCoin wallet addresses (7|X)*
email Finds embedded email addresses
fantomcoin Finds Fantomcoin wallet addresses
guid Finds GUIDs
ipv4 Finds IP version 4 addresses
ipv6 Finds IP version 6 addresses
mac Finds MAC addresses
monero Finds Monero wallet addresses
reg_path Finds paths related to Registry hives
sid Finds Microsoft Security Identifiers (SID)
ssn Finds US Social Security Numbers
sumokoin Finds SumoKoin wallet addresses
unc Finds UNC paths
url3986 Finds URLs according to RFC 3986
urlUser Finds usernames in URLs
usPhone Finds US phone numbers
var_set Finds environment variables being set (OS=Windows_NT)
win_path Finds Windows style paths (C:\folder1\folder2\file.txt)
xml Finds XML/HTML tags
zip Finds zip codes
To use a built in pattern, supply the Name to the --lr switch
Documentation
Introducing bstrings, a Better Strings utility!
Everything gets an update, Sept 2018 edition
Download Eric Zimmerman's Tools
All of Eric Zimmerman's tools can be downloaded here. Use the Get-ZimmermanTools PowerShell script to automate the download and updating of the EZ Tools suite. Additionally, you can automate each of these tools using KAPE!
Special Thanks
Open Source Development funding and support provided by the following contributors: SANS Institute and SANS DFIR.