
SANS ISC: Quickie: String Analysis is Still Useful - SANS Internet Storm Center SANS ISC InfoSec Forums

Quickie: String Analysis is Still Useful

String analysis: extracting and analyzing strings from binary files (like executables) to assist with reverse engineering.

It's a simple method, but still useful, as long as you don't have to spend hours sifting through all the strings produced by the strings tool. I have a tip to quickly find "interesting" strings: sort the output of the strings tool by string length. Start with the shortest strings, and end with the longest strings.

Take, for example, the analysis of a malicious document that involved many steps and required good knowledge of different file formats.

Just by extracting the strings of this document and sorting them by length, you immediately find the PowerShell command:

I developed my own tool, and option -L sorts strings by increasing length.
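The length-sorting tip above, as an added example that is not the author's tool: a small Python extractor that pulls printable ASCII and UTF-16LE strings from a file and lists them by increasing length. The function names, the minimum length of 4 and the embedded sample bytes are assumptions made for this illustration; the sample is constructed and harmless.

```python
import re
import sys

MIN_LEN = 4  # assumed minimum length, the usual default of strings utilities


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Return printable ASCII and UTF-16LE strings found in data."""
    printable = rb"[\x20-\x7e]"
    ascii_re = re.compile(printable + rb"{%d,}" % min_len)
    # UTF-16LE text in Office and PE files: printable byte followed by NUL.
    wide_re = re.compile(rb"(?:" + printable + rb"\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


def sort_by_length(strings: list[str]) -> list[str]:
    """Deduplicate, then order from shortest to longest (stable for ties)."""
    return sorted(dict.fromkeys(strings), key=len)


# Constructed sample: binary filler, a few short names, one long command line.
SAMPLE = (
    b"\x00\x01\xd0\xcf\x11\xe0" + b"Root Entry" + b"\xff\xfe\x00"
    + b"VBA\x00\x02" + b"Module1" + b"\x90\x90\x00"
    + "Normal.dotm".encode("utf-16-le") + b"\x00\x00\x07"
    + b"powershell.exe -NoProfile -Command Write-Output constructed-sample"
    + b"\x00\x1b"
)

if __name__ == "__main__":
    # With a path argument, analyze that file; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as handle:
            blob = handle.read()
    else:
        blob = SAMPLE
    for text in sort_by_length(extract_strings(blob)):
        print(f"{len(text):6d}  {text}")
```

Format noise such as stream and module names clusters at the short end of the listing, while an embedded command line sorts to the end, so the last lines of the output are the first place to look.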

Didier Stevens
Senior handler
Microsoft MVP


ISC Handler
Dec 9th 2018
