When exploring an unfamiliar binary, it may be difficult to find interesting places to start from. One common approach is to check what strings are present in the program – this might give some hints about its functionality and maybe some starting places for analysis. While you can scroll through the listing and look at the strings as you come across them, it is probably more convenient to see them all in one place. IDA offer this functionality as the Strings view.
Opening String list
To open the list, use the menu View > Open subviews > Strings, or the shortcut Shift–F12. Note that the first time IDA will scan the whole database so it may take some time on big files. If you have a really big binary, it may be useful to select a range before invoking the command will so that the scan is limited to the selection.
The view includes the string’s address, length (in characters, including the terminating one), type (e.g. C
for standard 8-bit strings or C16
for Unicode (UTF-16)), and the text of the string. Double-clicking an entry will jump to the string in the binary, and you can, for example, check the cross-references to see where it’s used.
String list options
The default settings are somewhat conservative so if you think some items are missing (or, conversely, you see a lot of useless entries), changing scan options can be useful. For this, use “Setup..” from the context menu.
- Display only defined strings will have IDA include only explicitly defined string literals (e.g. strings discovered in a middle of undefined areas won’t be included).
- Ignore instructions/data definitions makes IDA look for text inside code or non-string data.
- Strict ASCII (7-bit) strings option shows only strings with characters in the basic ASCII range.
- Allowed string types lets you choose what string types you are interested in.
- Minimal string length sets the lower limit on the length the string must have to be included in the list. Raising the limit may be useful to filter out false positives.
Note that you will likely need to invoke “Rebuild…” from the context menu to refresh the list after changing the options.
See also: IDA Help: Strings window