stng

String extraction for binary analysis. Same idea as strings(1), except it knows about XOR, base64, Go and Rust string layouts, DWARF stack strings, and Windows wide strings — and it filters the obvious garbage by default. Useful for triage, C2 enumeration, credential extraction, and writing YARA signatures.

Capabilities

  • Garbage filtering — automatically removes unusable noise (override with --unfiltered)
  • XOR obfuscation detection — single/multi-byte keys with entropy analysis, double-layer (encoding+XOR)
  • Encoding detection — Base64, Base32, Base85, hex, URL-encoding, Unicode escapes
  • Language-aware extraction — Go/Rust {ptr, len} structures, DWARF stack strings
  • Binary network structures — hardcoded IPs/ports in socket structures
  • IOC classification — IPs, URLs, shell commands, paths, credentials
  • Wide strings — UTF-16LE support for Windows PE binaries
  • Multi-format — ELF, PE, Mach-O, raw binaries, overlays
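To make the single-byte case of XOR detection from the list above concrete, here is an added sketch that is not taken from stng's source. It uses a simple character-class score in place of the entropy analysis the list mentions; the function names and the sample buffer are constructed for this illustration.

```rust
// Added illustration, not stng's code: brute-force a single-byte XOR key.

/// Bytes that commonly appear in URLs, paths and commands (assumed set).
fn is_textlike(b: u8) -> bool {
    b.is_ascii_alphanumeric() || b" -./:_".contains(&b)
}

/// Try every key 1..=255 (key 0 is plaintext, which plain extraction already
/// finds) and return the key with the most text-like decoded bytes, or None
/// when even the best key yields fewer than `min_len` such bytes.
fn best_xor_key(data: &[u8], min_len: usize) -> Option<(u8, usize)> {
    let mut best: Option<(u8, usize)> = None;
    for key in 1..=255u8 {
        let score = data.iter().filter(|&&b| is_textlike(b ^ key)).count();
        if score >= min_len && best.map_or(true, |(_, s)| score > s) {
            best = Some((key, score));
        }
    }
    best
}

/// strings(1)-style pass over the decoded buffer: printable ASCII runs of
/// at least `min_len` bytes.
fn decoded_runs(data: &[u8], key: u8, min_len: usize) -> Vec<String> {
    let decoded: Vec<u8> = data.iter().map(|b| b ^ key).collect();
    decoded
        .split(|b| !(0x20..=0x7e).contains(b))
        .filter(|run| run.len() >= min_len)
        .map(|run| String::from_utf8_lossy(run).into_owned())
        .collect()
}

/// Constructed sample: a URL XORed with 0x5A between non-text filler bytes.
fn sample() -> Vec<u8> {
    let mut buf = vec![0xDE, 0xAD, 0xBE, 0xEF];
    buf.extend(b"http://c2.example.test/gate.php".iter().map(|b| b ^ 0x5A));
    buf.extend([0xFF, 0xFE, 0x90, 0x90]);
    buf
}

fn main() {
    let data = sample();
    if let Some((key, score)) = best_xor_key(&data, 4) {
        println!("key=0x{:02x} score={}", key, score);
        for s in decoded_runs(&data, key, 4) {
            println!("  {}", s);
        }
    }
}
```

A score this simple ties easily on short or padded buffers, which is why a real extractor needs stronger ranking and garbage filtering than this sketch has.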

Install

Homebrew (macOS and Linux):

$ brew tap atomdrift/tap https://codeberg.org/atomdrift/homebrew-tap.git
$ brew install atomdrift/tap/stng

From source:

$ cargo install --git https://codeberg.org/atomdrift/stng

Usage

$ stng malware.bin              # full analysis with XOR auto-detection
$ stng -i malware.bin           # interesting strings only
$ stng --json malware.bin       # machine-readable with encoding metadata

Library

let strings = stng::extract_strings(&std::fs::read("sample")?, 4);