Ghidra: How to use findStrings flat API

Created on 9 Jun 2020 · 3Comments · Source: NationalSecurityAgency/ghidra

I attempted to findStrings in the Python interpreter:

>>> findStrings(None, 5, 1, True, False)

And all my results come back with a state of state=NOT_DEFINED. Additionally, some of the results point to instructions and not string data.

I expected this method to act just like the Search >> For Strings... menu option, but it doesn't. Am I missing something here?

Source

ightelsentearten

Most helpful comment

Thanks @ryanmkurtz for your help and quick reply. Creating a StringSearcher object in Jython is pretty straight forward, but I'm a bit stumped on how to make a call back.

I took a look at the findStrings() code, and tried to implement it in Jython:

l = list()
def callback(s):
   l.append(s)
ss = StringSearcher(currentProgram, 5, 1, False, True)
ss.search(None, callback, True, monitor)

print(l[0])

~But it only returns the address set. Any ideas on how to implement the call back? For those playing at home, using a print(s) instead of the yield line will print the repr of the FoundString~ object.

Thanks again.

Edit: figured it out, see above example

ightelsentearten on 9 Jun 2020

👍3

All 3 comments

I was able to reproduce the problem. I'll debug it a bit and let you know.

ryanmkurtz on 9 Jun 2020

The findStrings() method in FlatProgramAPI is currently implemented the same way the StringAnalyzer is implemented. The Search >> For Strings... feature uses the CombinedStringSearcher which does extra things like return already defined strings. The API should probably either use the CombinedStringSearcher (which unfortunately currently references GUI-only things) or the StringSearcher that the analyzer/API uses should be modified to give more consistent results (at least making it aware of defined strings).