single binary · cross-platform · GNU strings compatible
Pull strings out of binaries. Better than GNU strings.
A drop-in strings replacement — but format-aware, secret-scanning, archive-diving, and JSON-speaking. From quick extraction to first-pass firmware triage in one command.
MIT licensed · macOS · Linux · Windows · FreeBSD · container images
$ txtr --secrets firmware.bin [SECRET] 0x001a40 AWS Access Key AKIAIOSFODNN7EXAMPLE [SECRET] 0x002f10 PEM Private Key -----BEGIN RSA PRIVATE KEY----- [HIGH-ENT] 0x004012 entropy=7.8 gB7x9K2pQ4rT6yU8wA1z… [URL] 0x005120 https://c2.example.com/beacon [IPv4] 0x006004 10.0.0.5
what you get
Everything strings does — and the parts it never did.
Compatible where it counts, then far past it: txtr understands the binary it's reading, scores what it finds, and speaks JSON.
GNU strings compatible
The flags you already know — -n, -t, -e, -f, -o, -s — behave the same, including UTF-16/32 BE/LE encodings. Drop it in and go.
Binary-format aware
Detects ELF, PE, and Mach-O and scans the sections that actually hold text (.data, .rdata) instead of the raw file — less noise, more signal.
Security triage
Score every string by Shannon entropy, classify it (URL, email, IP, domain, path, hex, base64, UUID), and flag secrets — AWS keys, PEM, JWTs, GitHub/Slack/Stripe tokens.
Archive recursion
-r descends into zip, apk, jar, tar, gz, bz2, xz, zstd and deb — labelling each hit with a virtual !/ path, with decompression-bomb guards built in.
JSON & stats
--json emits jq-friendly, CI-ready output; --stats rolls up encoding and length distributions, longest strings, and a triage summary for fast file triage.
Fast & parallel
Processes many files across all CPU cores by default (tune with -P), shipped as one static binary with no runtime dependencies.
beyond extraction
A first-pass triage tool for firmware & malware.
Recurse into a package, surface secrets and high-entropy blobs, and gate CI on the JSON — or get a one-screen composition summary.
# Triage a Debian package: ar → data.tar.xz → ELF txtr -r --triage pkg.deb # Fail CI when a shipped binary leaks secrets txtr --triage -j app.bin \ | jq '.files[0].strings[] | select((.secrets|length)>0)' # Only URLs and emails, case-insensitive txtr -i -m 'https?://\S+' -m '\S+@\S+' fw.bin
# txtr --stats binary.exe Binary format: PE (Windows executable) Sections: .data, .rdata Total strings: 1,234 Encoding: 89% ASCII · 10% UTF-8 · 1% high-byte Length: 4–10: 65% · 11–50: 28% · 50+: 7% Longest: 256 @ 0x4000 "Copyright (c) 2025…"
coverage
Formats it reads.
Executable formats are section-scanned; archive and compression containers are recursed with -r.
- ELF
- PE
- Mach-O
- zip
- apk
- jar
- ipa
- aar
- tar
- gzip
- bzip2
- xz
- zstd
- deb / ar
Encodings: 7-/8-bit ASCII · UTF-16 BE/LE · UTF-32 BE/LE · UTF-8 (locale, escape, hex, highlight)
install
Grab a binary, a container, or go install.
Prebuilt for macOS (Intel/ARM), Linux (amd64/arm64/armv6/armv7), Windows, and FreeBSD.
brew install richardwooding/tap/txtr
go install github.com/richardwooding/txtr/cmd/txtr@latest
docker pull ghcr.io/richardwooding/txtr:latest
Prefer a raw download? See the GitHub releases for signed archives and checksums.