Welcome to the new Woodmann RCE Messageboards Regroupment
Please be patient while the rest of the site is restored.

To all Members of the old RCE Forums:
In order to log in, it will be necessary to reset your forum login password ("I forgot my password") using the original email address you registered with. You will be sent an email with a link to reset your password for that member account.

The old vBulletin forum was converted to phpBB format, requiring the passwords to be reset. If this is a problem for some because of a forgotten email address, please feel free to re-register with a new username. We are happy to welcome old and new members back to the forums! Thanks.

All new accounts are manually activated before you can post. Any questions can be PM'ed to Kayaker.

Efficient String searching

All-in-one reversing related discussions
User avatar
Posts: 4179
Joined: Thu Oct 26, 2000 11:00 am

Post by Kayaker »

Well this is pretty amazing, I started looking into the details of findstr, for those who might be interested there is a very detailed sequence of posts on the undocumented features of findstr here

https://stackoverflow.com/questions/884 ... str-comman

Towards the end of the discussion is a reported bug that findstr can't find a file if it has an en dash (–) or em dash (—) within the filename. These are supposedly punctuations slightly longer than a regular hyphen (-). There is no direct keyboard key for them, but I decided to try a regular hyphen in the output name and it seems to solve the recursion problem we've been discussing.

Compare these two commands from the main Strings folder:

>strings64.exe * | findstr /i "the" > out.txt (gives recursive output)

>strings64.exe * | findstr /i "the" > -out.txt (gives correct search results without including the piped output file)

As for the piped output question I asked, there is a complete table here for example showing the differences between >, >> and other syntax

https://askubuntu.com/questions/420981/ ... -to-a-file
Senior Member
Posts: 1015
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

kayaker...if I'm getting your drift, the problem seems to be in sending the output to a file in the same directory. So, I pointed the output to a file in different directory, and it did one recursion only. Seems if you leave the output file in the same directory it keeps reading through the file and the output increases exponentially.
Senior Member
Posts: 1535
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

strings.exe reads each file in sizes of 8192,16384,...65536 max
over Fastio/IRP_MJ_READ read until ENDIFFILE.

FINDSTR.exe KEEPS ON writing to the the file and keeps on altering EOF

string keeps on reading and populates gigabyte upon gigabyte of crap

if instead of > (open_always) or >> (append instead of open always)
you use say wc -l It wont recurse and count correct lines instead

run procmon filter FASTIOREAD,FASTIOWRITE,strings.exe,findstr.exe
and look

Code: Select all

"strings.exe","FASTIO_READ","E:\SYSINT\STRTEST\the.txt","SUCCESS","Offset: 47,496,572, Length: 65,536",".\strings.exe  * ","n/a","844"
"findstr.exe","FASTIO_WRITE","E:\SYSINT\STRTEST\the.txt","SUCCESS","Offset: 48,067,185, Length: 8,192","findstr  /i ""the""  ","n/a","5580"
"findstr.exe","FASTIO_WRITE","E:\SYSINT\STRTEST\the.txt","SUCCESS","Offset: 48,075,377, Length: 8,192","findstr  /i ""the""  ","n/a","5580"
"findstr.exe","FASTIO_WRITE","E:\SYSINT\STRTEST\the.txt","SUCCESS","Offset: 48,083,569, Length: 8,192","findstr  /i ""the""  ","n/a","5580"
"findstr.exe","FASTIO_WRITE","E:\SYSINT\STRTEST\the.txt","SUCCESS","Offset: 48,091,761, Length: 8,192","findstr  /i ""the""  ","n/a","5580"
"findstr.exe","FASTIO_WRITE","E:\SYSINT\STRTEST\the.txt","SUCCESS","Offset: 48,099,953, Length: 8,192","findstr  /i ""the""  ","n/a","5580"
"findstr.exe","FASTIO_WRITE","E:\SYSINT\STRTEST\the.txt","SUCCESS","Offset: 48,108,145, Length: 8,192","findstr  /i ""the""  ","n/a","5580"
Senior Member
Posts: 1015
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

blabberer wrote:run procmon file fastioread fastiowrite,strings.exe,findstr.exe and take a look
I believe you, I cut off a txt file at 50 megs. :devil: with a ^C.
Post Reply