Skip to content
txtr

single binary · cross-platform · GNU strings compatible

Pull strings out of binaries. Better than GNU strings.

A drop-in strings replacement — but format-aware, secret-scanning, archive-diving, and JSON-speaking. From quick extraction to first-pass firmware triage in one command.

MIT licensed · macOS · Linux · Windows · FreeBSD · container images

txtr
$ txtr --secrets firmware.bin
[SECRET]    0x001a40  AWS Access Key   AKIAIOSFODNN7EXAMPLE
[SECRET]    0x002f10  PEM Private Key  -----BEGIN RSA PRIVATE KEY-----
[HIGH-ENT]  0x004012  entropy=7.8      gB7x9K2pQ4rT6yU8wA1z…
[URL]       0x005120  https://c2.example.com/beacon
[IPv4]      0x006004  10.0.0.5

what you get

Everything strings does — and the parts it never did.

Compatible where it counts, then far past it: txtr understands the binary it's reading, scores what it finds, and speaks JSON.

GNU strings compatible

The flags you already know — -n, -t, -e, -f, -o, -s — behave the same, including UTF-16/32 BE/LE encodings. Drop it in and go.

Binary-format aware

Detects ELF, PE, and Mach-O and scans the sections that actually hold text (.data, .rdata) instead of the raw file — less noise, more signal.

Security triage

Score every string by Shannon entropy, classify it (URL, email, IP, domain, path, hex, base64, UUID), and flag secrets — AWS keys, PEM, JWTs, GitHub/Slack/Stripe tokens.

Archive recursion

-r descends into zip, apk, jar, tar, gz, bz2, xz, zstd and deb — labelling each hit with a virtual !/ path, with decompression-bomb guards built in.

JSON & stats

--json emits jq-friendly, CI-ready output; --stats rolls up encoding and length distributions, longest strings, and a triage summary for fast file triage.

Fast & parallel

Processes many files across all CPU cores by default (tune with -P), shipped as one static binary with no runtime dependencies.

beyond extraction

A first-pass triage tool for firmware & malware.

Recurse into a package, surface secrets and high-entropy blobs, and gate CI on the JSON — or get a one-screen composition summary.

# Triage a Debian package: ar → data.tar.xz → ELF
txtr -r --triage pkg.deb

# Fail CI when a shipped binary leaks secrets
txtr --triage -j app.bin \
  | jq '.files[0].strings[]
       | select((.secrets|length)>0)'

# Only URLs and emails, case-insensitive
txtr -i -m 'https?://\S+' -m '\S+@\S+' fw.bin
# txtr --stats binary.exe
Binary format:   PE (Windows executable)
Sections:        .data, .rdata
Total strings:   1,234
Encoding:        89% ASCII · 10% UTF-8 · 1% high-byte
Length:          4–10: 65% · 11–50: 28% · 50+: 7%
Longest:         256 @ 0x4000 "Copyright (c) 2025…"

coverage

Formats it reads.

Executable formats are section-scanned; archive and compression containers are recursed with -r.

  • ELF
  • PE
  • Mach-O
  • zip
  • apk
  • jar
  • ipa
  • aar
  • tar
  • gzip
  • bzip2
  • xz
  • zstd
  • deb / ar

Encodings: 7-/8-bit ASCII · UTF-16 BE/LE · UTF-32 BE/LE · UTF-8 (locale, escape, hex, highlight)

install

Grab a binary, a container, or go install.

Prebuilt for macOS (Intel/ARM), Linux (amd64/arm64/armv6/armv7), Windows, and FreeBSD.

brew brew install richardwooding/tap/txtr
go go install github.com/richardwooding/txtr/cmd/txtr@latest
docker docker pull ghcr.io/richardwooding/txtr:latest

Prefer a raw download? See the GitHub releases for signed archives and checksums.