strings2: An improved string extraction tool for binaries


Strings2 is a Windows command-line tool for extracting ascii and unicode strings from binary data. On top of the classic Sysinternals strings approach, this improved version can also dump strings from process address spaces and reconstruct hidden ascii/unicode strings that assembly code builds piecewise through local variable assignments (stack pushes), which a plain byte scan never sees as one contiguous string.

Example Usage:
        strings2 malware.exe
        strings2 *.exe > strings.txt
        strings2 *.exe -nh -f -t -asm > strings.txt
        strings2 -pid 419 > process_strings.txt
        strings2 -pid 0x1a3 > process_strings.txt
        strings2 -system > all_process_strings.txt
        cat abcd.exe | strings2 > out.txt

Flags:
 -f
        Prints the filename/processname before each string.
 -r
        Recursively process subdirectories.
 -t
        Prints the type before each string. Unicode,
        ascii, or assembly unicode/ascii stack push.
 -asm
        Only prints the extracted ascii/unicode
        assembly stack push-hidden strings.
 -raw
        Only prints the regular ascii/unicode strings.
 -a
        Prints only ascii strings.
 -u
        Prints only unicode strings.
 -l [numchars]
        Minimum number of characters for a valid
        string. Default is 4.
 -nh
        No header is printed in the output.
 -pid
        The strings from the process address space for the
        specified PID will be dumped. Use a '0x' prefix to
        specify a hex PID.
 -system
        Dumps strings from all accessible processes on the
        system. This takes a while.
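
To illustrate the kind of "assembly local variable assignment" string that the -asm flag recovers, here is an added Python example; it is not code from strings2 and the byte sample is constructed. It reconstructs ascii strings from x86 `mov [ebp+disp8], imm` store sequences only (two encodings: C6 45 for a byte, C7 45 for a dword); the push-based and unicode forms strings2 also handles are not covered.

```python
import string

PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")  # string chars
STORE_FORMS = {b"\xc6\x45": 1, b"\xc7\x45": 4}   # mov [ebp+disp8], imm8 / imm32


def _match_store(data, i):
    """Return (signed disp8, imm bytes, insn length) at data[i], or None."""
    width = STORE_FORMS.get(data[i:i + 2])
    if width is None or i + 3 + width > len(data):
        return None
    disp = data[i + 2] - 256 if data[i + 2] >= 0x80 else data[i + 2]
    return disp, data[i + 3:i + 3 + width], 3 + width


def extract_stack_strings(data, min_len=4):
    """Return ascii strings that runs of consecutive ebp-relative stores build."""
    found, i = [], 0
    while i < len(data):
        pieces = []
        while (m := _match_store(data, i)) is not None:
            pieces.append((m[0], m[1]))
            i += m[2]
        if not pieces:          # not a store: skip one byte and rescan
            i += 1
            continue
        # Lay the immediates out by stack offset, not instruction order;
        # compilers reorder the stores. A gap in offsets ends a string.
        buf, expected = bytearray(), None
        for disp, imm in sorted(pieces):
            if expected is not None and disp != expected:
                buf.append(0)
            buf += imm
            expected = disp + len(imm)
        for chunk in buf.split(b"\x00"):
            if len(chunk) >= min_len and set(chunk) <= PRINTABLE:
                found.append(chunk.decode("ascii"))
    return found


# Constructed sample (not a real binary): prologue, "hello" built in
# order, a load that breaks the run, "cmd.exe" stored out of order, epilogue.
SAMPLE = bytes.fromhex(
    "55 8b ec"                                        # push ebp; mov ebp,esp
    "c7 45 f0 68 65 6c 6c  c6 45 f4 6f  c6 45 f5 00"  # "hell", 'o', NUL
    "8b 45 f0"                                        # mov eax,[ebp-10h]
    "c7 45 ec 65 78 65 00  c7 45 e8 63 6d 64 2e"      # "exe\0" then "cmd."
    "5d c3"                                           # pop ebp; ret
)
```

`extract_stack_strings(SAMPLE)` yields ['hello', 'cmd.exe']; neither complete string exists contiguously in the bytes, so a raw byte scan would at most report the fragment "hell".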
Download
Strings2 is available for Windows x86 and x64:
  -   Download: strings2.exe for Windows 32bit (x86)
  -   Download: strings2.exe for Windows 64bit (x64)

Please use the appropriate executable for best results.
Source Code
The source code for strings2 is available through GitHub. Contributions are welcome:
  -   https://github.com/glmcdona/strings2
Version History
Version 1.2 (Apr 21, 2013)
  -   Added "-a" and "-u" flags to extract only ascii or unicode strings.
  -   Fixed a bug when processing certain filenames.


Version 1.1 (Nov 22, 2012)
  -   Added "-r" recursive flag option.
  -   Added "-pid" and "-system" flag options to specify process input sources.
  -   Piped input data is now supported.
  -   Various fixes.


Version 1.0 (Sept 20, 2012)
  -   Initial release.