Using strings

In most cases your file will not be listed in the MHR or NSRL. These databases are best used to whittle down the files to be examined if you have lots of suspect files. The strings utility will search a binary file for ASCII text and display whatever it finds. The syntax for the command is strings -a <filename>. Partial results from running the command strings -a xingyi_bindshell are shown in Figure 10.5. Pathnames to temporary files and what could be a password are highlighted in the figure.

FIGURE 10.5

Running strings on a suspicious binary.

You may want to capture the output from strings to a file. Any strange and unique words, such as “sw0rdm4n” and “xingyi”, can be used for Google searches. You may see several strings of the form <function>@@<library> that can tell you what library functions are being used in this code. You will only see these strings if debugging symbols have not been removed with strip. The results of running strings xingyi_bindshell | grep @@ | sort are shown in Figure 10.6.

FIGURE 10.6

Displaying library functions with strings. Note that this only works for binaries that haven’t been stripped.
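To make the strings -a scan and the strings | grep @@ | sort pipeline above concrete, here is an added example (not from the book or from any real tool) that reimplements the scan in Python over a constructed byte blob standing in for a suspect binary; the blob, the SAMPLE_BINARY name and the helper function names are assumptions for illustration.

```python
import re

MIN_LEN = 4  # the strings utility's default minimum run length

# Constructed stand-in for a suspect binary (not the real xingyi_bindshell):
# ELF header bytes, a hidden temp path, an odd word, some versioned symbol
# names of the kind an unstripped binary carries, and trailing junk.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00"
    b"\x00/tmp/.xingyi\x00"
    b"\x01\x02sw0rdm4n\x00"
    b"ab\x00"                                   # too short to be reported
    b"socket@@GLIBC_2.2.5\x00bind@@GLIBC_2.2.5\x00"
    b"listen@@GLIBC_2.2.5\x00GLIBC_2.2.5\x00"
    b"\xff\xfe\x90\x90"
)

def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Return every run of at least min_len printable-ASCII bytes, in file
    order; this is what `strings -a` does over the whole file."""
    pattern = rb"[\x20-\x7e\t]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def versioned_symbols(found: list) -> list:
    """Model `strings FILE | grep @@ | sort`: keep <function>@@<library>
    entries and return sorted, de-duplicated (function, library) pairs."""
    pairs = set()
    for s in found:
        m = re.fullmatch(r"([A-Za-z_][A-Za-z0-9_.]*)@@([A-Za-z0-9_.]+)", s)
        if m:
            pairs.add((m.group(1), m.group(2)))
    return sorted(pairs)

def temp_paths(found: list, prefixes=("/tmp/", "/var/tmp/", "/dev/shm/")) -> list:
    """Flag absolute paths into world-writable scratch directories, the kind
    of string worth pulling out of a suspect binary first."""
    return [s for s in found if s.startswith(prefixes)]

if __name__ == "__main__":
    found = extract_strings(SAMPLE_BINARY)
    print("\n".join(found))
    print("library functions:", versioned_symbols(found))
    print("temp paths:", temp_paths(found))
```

Running it against a real file is a matter of replacing SAMPLE_BINARY with the bytes read from disk; the symbol-version filter returns nothing for a stripped binary, exactly as the caption above warns.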
