File | Date | Author | Commit |
---|---|---|---|
README.md | 2019-09-04 | | [4c2d8b] Initial commit |
chords.lsp | 2019-09-04 | | [d5849e] Initial commit |

Chords is strings on steroids.
It extracts strings from files just like `strings`, but it also supports Windows wide strings, base64 and hexadecimal strings (with decoding support), and automatic recognition of Indicators of Compromise (IOCs).
It has been developed to support the malware analysis process, but it is a general-purpose tool.
Features:
You need to have a working SBCL (http://www.sbcl.org/) distribution and the quicklisp (https://www.quicklisp.org/) module installed.
In the source I assume a file quicklisp.lsp is present in your home directory.
When you have the prerequisites ready, run the following to produce a chords binary for your system and architecture:

```
/usr/bin/sbcl --script chords.lsp
```

Chords works on binary files to extract strings and other relevant data.
See the usage of the tool:
```
[emanueleacri]$ chords -h
Chords - strings and wide-strings extraction utility.
Usage: chords [options] filename [filenames ...]
Available options:
-h, --help print this help text
-i, --noiocs do not search for IOCs
-b, --base64 decode base64 strings
-x, --hex decode hex strings
-d, --dec decode decimal strings
-l, --length NUM minimum length for strings (default 4)
-n, --nobreak do not break on newlines characters
-s, --nosort do not sort strings
-u, --nounique do not remove duplicates from strings (need sorted mode)
```

Try to run the tool against binary files or malware samples.
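
To see what this kind of extraction involves, the following Python sketch (an added example, not code from chords and not its algorithm) pulls ASCII and wide strings from a byte blob, decodes base64 candidates and flags IOC-like values. The regular expressions, the function names and the sample bytes are assumptions made for illustration.

```python
from __future__ import annotations
import base64, binascii, re

MIN_LEN = 4  # default minimum string length, as in the help text

IOC_PATTERNS = {  # assumed patterns for illustration, not the ones chords uses
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "url": re.compile(r"\bhttps?://[^\s\"'<>]+"),
}

def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Printable ASCII runs first, then UTF-16LE ("wide") runs."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found

def decode_base64(s: str) -> str | None:
    """Decode s only if it is strict base64 and the plaintext is printable.

    A 4-letter alphabetic word is syntactically valid base64, so the length
    floor and the printable-plaintext check keep false positives down.
    """
    if len(s) < 8 or len(s) % 4:
        return None
    try:
        raw = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("ascii") if re.fullmatch(rb"[\x20-\x7e]+", raw) else None

def analyse(data: bytes) -> dict:
    strings = extract_strings(data)
    decoded = [d for d in map(decode_base64, strings) if d]
    iocs = sorted({(kind, m.group()) for s in strings + decoded
                   for kind, rx in IOC_PATTERNS.items() for m in rx.finditer(s)})
    return {"strings": strings, "decoded": decoded, "iocs": iocs}

# Constructed sample: reserved test address and domain, no real indicators.
SAMPLE = (
    b"\x00\x01MZ\x90\x00" + b"connect to 192.0.2.10\x00\x00"
    + "http://example.test/update".encode("utf-16-le") + b"\x00\x00\xff\xfe"
    + base64.b64encode(b"http://example.test/stage2") + b"\x00"
)

if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(key, value)
```

The second URL is only found because the base64 run is decoded before IOC matching, which is why decoding and IOC recognition belong in the same pass.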