stng pulls strings out of binaries. v1.3.0 fixes a number of things that were quietly wrong on Windows binaries and tightens what comes back from raw input. Mostly PE work.
New
- Go PE: respect image base when resolving
{ptr, len}. Walk pclntab via varint and null-terminated tables. Reassemble Win32 API names built on the stack. - Rust PE: detection, plus structure-based slicing of
.rdata. - Multi-key XOR: use rizin/r2 lea-near-xor analysis. Try high-entropy key candidates.
- Blind decode fallback for high-confidence XOR keys. Recovers short and split IOCs.
- Raw and unknown inputs now run the full pipeline: raw, wide, binary IP, stack-string, decoder, script, requested XOR.
Faster
- PE stack-string scans only touch executable sections.
- Raw and wide scans skip Go and Rust PE packed string sections. Avoids merged
.rdatablobs. - Go PE pclntab scanners run in parallel per section.
- ELF overlay detection reuses parsed metadata.
Fixed
- Stripped Go PEs were emitting bogus XOR payloads sourced from pclntab. They aren't anymore.
- Go PE image base was being ignored when resolving
{ptr, len}. Strings resolve correctly now. - Varint length prefixes were leaking into module and package path strings.
- Go and Rust packed-string extraction was emitting merged
.rdatablobs. - x86 instruction-byte fragments were leaking out as strings. Filtered by arch and section.
- Binary IP detection accepted linear sequences, gateway-like addresses, and repeated low octets. It rejects them now.
Full notes on Codeberg.