This guide will get you up and running with Stringy in minutes.
stringy /path/to/binaryStringy will:
- Detect ELF, PE, or Mach-O format automatically
- Extract ASCII and UTF-16 strings from prioritized sections
- Apply semantic classification (URLs, paths, GUIDs, etc.)
- Rank results by relevance and display them in a table
String Tags Score Section
------ ---- ----- -------
https://api.example.com/v1/users url 95 .rdata
{12345678-1234-1234-1234-123456789abc} guid 87 .rdata
/usr/local/bin/application filepath 82 __cstring
Error: %s at line %d fmt 78 .rdata
MyApplication v1.2.3 version 75 .rsrc
Extract network indicators and file paths:
stringy --only-tags url --only-tags domain --only-tags filepath --only-tags regpath malware.exeGenerate rule candidates:
stringy --yara --min-len 8 target.bin > candidates.yarstringy --json --debug binary.elf | jq 'select(.display_score > 80)'Skip classification and ranking for fast raw extraction:
stringy --raw binaryStrings are ranked using a display score from 0-100:
- 90-100: High-value indicators (URLs, GUIDs in high-priority sections)
- 70-89: Meaningful strings (file paths, format strings)
- 50-69: Moderate relevance (imports, version info)
- 0-49: Low relevance (short or noisy strings)
See Output Formats for the full band-mapping table.
Semantic classifications help identify string types:
| Tag | Description | Example |
|---|---|---|
url |
Web URLs | https://example.com/api |
domain |
Domain names | api.example.com |
ipv4/ipv6 |
IP addresses | 192.168.1.1 |
filepath |
File paths | /usr/bin/app |
regpath |
Registry paths | HKEY_LOCAL_MACHINE\... |
guid |
GUIDs/UUIDs | {12345678-1234-...} |
email |
Email addresses | user@example.com |
b64 |
Base64 data | SGVsbG8gV29ybGQ= |
fmt |
Format strings | Error: %s |
import/export |
Symbol names | CreateFileW |
demangled |
Demangled symbols | std::io::Read::read |
user-agent-ish |
User-agent-like strings | Mozilla/5.0 ... |
version |
Version strings | v1.2.3 |
manifest |
Manifest data | PE/Mach-O embedded XML |
resource |
Resource strings | PE VERSIONINFO/STRINGTABLE |
dylib-path |
Dynamic library paths | /usr/lib/libfoo.dylib |
rpath |
Runtime search paths | /usr/local/lib |
rpath-var |
Rpath variables | @loader_path/../lib |
framework-path |
Framework paths (macOS) | /System/Library/... |
Shows where strings were found:
- ELF:
.rodata,.data.rel.ro,.comment - PE:
.rdata,.rsrc, version info - Mach-O:
__TEXT,__cstring,__DATA_CONST
# Minimum 6 characters
stringy --min-len 6 binary# ASCII only
stringy --enc ascii binary
# UTF-16 only (useful for Windows binaries)
stringy --enc utf16 binary.exe# Only network-related strings
stringy --only-tags url --only-tags domain --only-tags ipv4 --only-tags ipv6 binary
# Exclude Base64 noise
stringy --no-tags b64 binary# Top 50 results
stringy --top 50 binaryAppend a summary block after table output (TTY only):
stringy --summary binaryBest for interactive analysis:
stringy binaryFor programmatic processing:
stringy --json binary | jq 'select(.tags[] == "Url")'For security rule creation:
stringy --yara binary > rule_candidates.yar- Run basic analysis first:
stringy binary - Identify interesting patterns in high-scoring results
- Use filters to focus:
--only-tags url --only-tags filepath
# Find strings, then search for references
stringy --json binary | jq -r 'select(.score > 80) | .text' | xargs -I {} grep -r "{}" /path/to/source
# Extract URLs for further analysis
stringy --only-tags url --json binary | jq -r '.text' | sort -u- Use
--top Nto limit output for large binaries - Use
--encto restrict to a single encoding - Consider
--min-lento reduce noise
- Learn about output formats in detail
- Understand the classification system
- Explore advanced CLI options
- Read about performance optimization