Quick Start

This guide will get you up and running with Stringy in minutes.

Basic Usage

Analyze a Binary

stringy /path/to/binary

Stringy will:

• Detect ELF, PE, or Mach-O format automatically
• Extract ASCII and UTF-16 strings from prioritized sections
• Apply semantic classification (URLs, paths, GUIDs, etc.)
• Rank results by relevance and display them in a table

Example Output (TTY)

String                                   Tags              Score  Section
------                                   ----              -----  -------
https://api.example.com/v1/users         url                 95   .rdata
{12345678-1234-1234-1234-123456789abc}   guid                87   .rdata
/usr/local/bin/application               filepath            82   __cstring
Error: %s at line %d                     fmt                 78   .rdata
MyApplication v1.2.3                     version             75   .rsrc

Common Use Cases

Security Analysis

Extract network indicators and file paths:

stringy --only-tags url --only-tags domain --only-tags filepath --only-tags regpath malware.exe

YARA Rule Development

Generate rule candidates:

stringy --yara --min-len 8 target.bin > candidates.yar

JSON Output for Automation

stringy --json --debug binary.elf | jq 'select(.display_score > 80)'

Extraction-Only Mode

Skip classification and ranking for fast raw extraction:

stringy --raw binary

Understanding the Output

Score Column

Strings are ranked using a display score from 0-100:

• 90-100: High-value indicators (URLs, GUIDs in high-priority sections)
• 70-89: Meaningful strings (file paths, format strings)
• 50-69: Moderate relevance (imports, version info)
• 0-49: Low relevance (short or noisy strings)

See Output Formats for the full band-mapping table.

Tags

Semantic classifications help identify string types:

Sections

Shows where strings were found:

• ELF: .rodata, .data.rel.ro, .comment
• PE: .rdata, .rsrc, version info
• Mach-O: __TEXT,__cstring, __DATA_CONST

Filtering and Options

By String Length

# Minimum 6 characters
stringy --min-len 6 binary

By Encoding

# ASCII only
stringy --enc ascii binary

# UTF-16 only (useful for Windows binaries)
stringy --enc utf16 binary.exe

By Tags

# Only network-related strings
stringy --only-tags url --only-tags domain --only-tags ipv4 --only-tags ipv6 binary

# Exclude Base64 noise
stringy --no-tags b64 binary

Limit Results

# Top 50 results
stringy --top 50 binary

Summary

Append a summary block after table output (TTY only):

stringy --summary binary

Output Formats

Table (Default)

Best for interactive analysis:

stringy binary

JSON Lines

For programmatic processing:

stringy --json binary | jq 'select(.tags[] == "Url")'

YARA Format

For security rule creation:

stringy --yara binary > rule_candidates.yar

Tips and Best Practices

Start Broad, Then Focus

1. Run basic analysis first: stringy binary
2. Identify interesting patterns in high-scoring results
3. Use filters to focus: --only-tags url --only-tags filepath

Combine with Other Tools

# Find strings, then search for references
stringy --json binary | jq -r 'select(.score > 80) | .text' | xargs -I {} grep -r "{}" /path/to/source

# Extract URLs for further analysis
stringy --only-tags url --json binary | jq -r '.text' | sort -u

Performance Considerations

• Use --top N to limit output for large binaries
• Use --enc to restrict to a single encoding
• Consider --min-len to reduce noise

Next Steps

• Learn about output formats in detail
• Understand the classification system
• Explore advanced CLI options
• Read about performance optimization