Merge pull request #7 from glmcdona/glmcdona/revamp_string_engine

Overhaul strings2 engine

.gitignore

@@ -12,7 +12,8 @@
 [Rr]elease/
 
 build/
-
+lib/
+.vs/
 
 [Tt]est[Rr]esult
 [Bb]uild[Ll]og.*

README.md

@@ -1,60 +1,77 @@
-# strings2
-Strings2 is a Windows 32bit and 64bit command-line tool for extracting strings from binary data. On top of the classical Sysinternals strings approach, this improved version is also able to dump strings from process address spaces and also reconstructs hidden assembly local variable assignment ASCII/unicode strings. Currently, the ASM-string extracting approach only supports the x86 instruction set.
-
-I am maintaining a public binary release download page for this project at:
-  http://split-code.com/strings2.html
-
-
-## Flags
-The command-line flags for strings2 are as follows:
-
-	 -f
-	Prints the filename/processname before each string.
-
-	 -r
-	Recursively process subdirectories.
-
-	 -t
-	Prints the type before each string. Unicode,
-	ASCII, or assembly unicode/ASCII stack push.
-
-	 -asm
-	Only prints the extracted ASCII/unicode
-	assembly stack push-hidden strings.
-
-	 -raw
-	Only prints the regular ASCII/unicode strings.
-
-	 -l [numchars]
-	Minimum number of characters that is
-	a valid string. Default is 4.
-
-	 -nh
-	No header is printed in the output.
-
-	 -pid
-	The strings from the process address space for the
-	specified PID will be dumped. Use a '0x' prefix to
-	specify a hex PID.
-	 
-	 -system
-	Dumps strings from all accessible processes on the
-	system. This takes awhile.
-
-		
+# strings2 - Extract strings from binary files and process memory
+Strings2 is a Windows command-line tool for extracting strings from binary data. On top of the classic Sysinternals strings approach, this tool includes:
+* Multi-lingual string extraction, such as Russian, Chinese, etc.
+* Machine learning model filters out junk erroneous string extractions to reduce noise.
+* String extractions from process memory.
+* Recursive and wildcard filename matching.
+* Json output option for automation integration. (Also see python module version [binary2strings](https://github.com/glmcdona/binary2strings))
+
+I also recommend looking at [FLOSS](https://github.com/mandiant/flare-floss) from Mandiant a cross-platform string extraction solver with a different set of features.
+
+## Installation
+Download the [latest release binary](https://github.com/glmcdona/strings2/releases).
+
 ## Example Usage
-From the command prompt:
-* strings2 malware.exe
-* strings2 *.exe > strings.txt
-* strings2 *.exe -nh -f -t -asm > strings.txt
-* strings2 -pid 419 > process_strings.txt
-* strings2 -pid 0x1a3 > process_strings.txt
-* strings2 -system > all_process_strings.txt
-* cat abcd.exe | strings2 > out.txt
-
-
-## Contributing
-Contributions are welcome. Some possible contribution directions are as follows:
-* Only print unique strings.
-* Add flag support for dumping process strings by process/window title matching.
-* Add x64 assembly support for extracting ASM stack pushed strings.
+
+Dump all strings from `malware.exe` to stdout:
+
+* ```strings2 malware.exe```
+
+Dump all strings from all `.exe` files in the `files` folder to the file `strings.txt`:
+* ```strings2 ./files/*.exe > strings.txt```
+
+Dump strings from a specific process id, including logging the module name and memory addresses of each match:
+* ```strings2 -f -s -pid 0x1a3 > process_strings.txt```
+
+Extract strings from `malware.exe` to a json file:
+* ```strings2 malware.exe -json > strings.json```
+
+## Documentation
+
+```strings.exe (options) file_pattern```
+
+* `file_pattern` can be a folder or file. Wildcards (`*`) are supported in the filename parts - eg `.\files\*.exe`.
+
+|Option|Description|
+|--|--|
+|-r|Recursively process subdirectories.|
+|-f|Prints the filename/processname for each string.|
+|-F|Prints the full path and filename for each string.|
+|-s|Prints the file offset or memory address span of each string.|
+|-t|Prints the string type for each string. UTF8, or WIDE_STRING.|
+|-wide|Prints only WIDE_STRING strings that are encoded as two bytes per character.|
+|-utf|Prints only UTF8 encoded strings.|
+|-a|Prints both interesting and not interesting strings. Default only prints interesting non-junk strings.|
+|-ni|Prints only not interesting strings. Default only prints interesting non-junk strings.|
+|-e|Escape new line characters.|
+|-l [num_chars]|Minimum number of characters that is a valid string. Default is 4.|
+|-b [start]\(:[end]\)|Scan only the specified byte range for strings. Optionally specify an end offset as well.|
+|-pid [pid]|The strings from the process address space for the specified PID will be dumped. Use a '0x' prefix to specify a hex PID.|
+|-system|Dumps strings from all accessible processes on the system. This takes awhile.|
+|-json|Writes output as json. Many flags are ignored in this mode.|
+
+
+## Version History
+
+Version 2.0 (May 29, 2022)
+  - Complete overhaul of the tool.
+  -	Upgrade string extraction engine from [binary2strings](https://github.com/glmcdona/binary2strings).
+  - Add support for multilingual strings.
+  - Added ML model to filter junk erroneous string extractions.
+  - Add option to dump only a specified offset range.
+  - Add json output option.
+  - Add memory address and module name logging.
+  - Fixes to 64bit process string dumping.
+
+Version 1.2 (Apr 21, 2013)
+  -   Added "-a" and "-u" flags to extract only ascii or unicode strings.
+  -   Fixed a bug when processing certain filenames.
+
+Version 1.1 (Nov 22, 2012)
+  -   Added "-r" recursive flag option.
+  -   Added "-pid" and "-system" flag options to specify process input sources.
+  -   Piped input data is now supported.
+  -   Various fixes.
+
+Version 1.0 (Sept 20, 2012)
+  -   Initial release.

strings.sln

@@ -1,7 +1,9 @@
 
-Microsoft Visual Studio Solution File, Format Version 10.00
-# Visual Studio 2008
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "strings", "strings\strings.vcproj", "{12872240-F930-4859-8FE1-16ED68B57411}"
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.32428.217
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "strings", "strings\strings.vcxproj", "{12872240-F930-4859-8FE1-16ED68B57411}"
 EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
@@ -23,4 +25,7 @@ Global
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
 	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {CB55428F-0116-4975-9331-DE0979C2844F}
+	EndGlobalSection
 EndGlobal