chore: update README with usage and options for ntstrings

NotRequiem · web-flow · commit a1b323d66d9d · 2026-04-12T01:50:55.000+02:00
Added detailed usage instructions and examples for ntstrings.
diff --git a/README.md b/README.md
@@ -1 +1,85 @@
-# ntstrings
+# ntstrings
+
+**ntstrings** is a string extraction tool for Windows. Designed as a high-performance alternative to standard tools like Sysinternals `strings`, `bstrings`, `xxstrings`, `strings2`, etc.
+
+# Usage
+
+```text
+ntstrings [options] <path>
+```
+
+### Core Options
+
+| Flag | Description |
+| :--- | :--- |
+| `-h` | Show the help menu. |
+| `-d <dir>` | **Recursive directory scan.** Instead of a single file, provide a directory path to scan all files inside it. |
+| `-o <file>` | **Output file.** Write the extracted strings to the specified file instead of printing them to the console (greatly improves performance for large outputs). |
+
+### Search & Filtering
+
+| Flag | Description |
+| :--- | :--- |
+| `-f <str>` | **Find needle.** Only output strings that contain this specific substring. Highly optimized. |
+| `-i` | **Case insensitive.** Makes the `-f` needle search case-insensitive. |
+| `-n <len>` | **Minimum length.** Minimum number of characters for a string to be considered valid. (Default: `4`) |
+| `-x <len>` | **Maximum length.** Maximum number of characters allowed. Strings longer than this are ignored. (Default: `0` / Unlimited) |
+| `-a <bool>` | **Scan ASCII.** Enable or disable scanning for standard 8-bit ASCII strings. (Default: `true`) |
+| `-u <bool>` | **Scan Unicode.** Enable or disable scanning for 16-bit UTF-16/Unicode strings. (Default: `true`) |
+| `-b <s[:e]>`| **Scan byte range.** Only scan a specific chunk of the file. Format: `start` or `start:end` (in bytes). |
+
+### Regex & Bulk Filtering
+*(Note: If `-f` is used, Regex/List filters are ignored to prioritize the high-speed needle search).*
+
+| Flag | Description |
+| :--- | :--- |
+| `-r <rgx>` | **Regex filter.** Only output strings that match the provided Regular Expression. |
+| `-fs <file>` | **File Strings.** Load a text file containing a list of fixed strings (one per line). Only extracts strings containing at least one of these patterns. |
+| `-fr <file>` | **File Regex.** Load a text file containing a list of regex patterns (one per line). Only extracts strings matching at least one of these patterns. |
+
+### Sorting
+
+| Flag | Description |
+| :--- | :--- |
+| `-sa` | **Sort Alphabetical.** Buffers the results and sorts them alphabetically before outputting. |
+| `-sl` | **Sort Length.** Buffers the results and sorts them by string length before outputting. |
+
+---
+
+## Examples
+
+**1. Basic String Extraction**
+Extract all ASCII and Unicode strings (minimum 4 chars) from a file:
+```cmd
+ntstrings C:\path\to\memory.dmp
+```
+
+**2. Needle Search**
+Search a file for a specific case-insensitive string, outputting the results to a text file:
+```cmd
+ntstrings -f "password" -i -o results.txt memory.dmp
+```
+
+**3. Regex Filtering**
+Extract only strings that look like URLs:
+```cmd
+ntstrings -r "^https?://" target.bin
+```
+
+**4. Recursive Directory Scanning**
+Find all strings in a specific directory (and its subdirectories), ignoring Unicode strings, with a minimum length of 10 characters:
+```cmd
+ntstrings -u false -n 10 -d C:\Windows\System32
+```
+
+**5. Byte Range Scanning**
+Only scan the first 1 Megabyte of a file:
+```cmd
+ntstrings -b 0:1048576 target.bin
+```
+
+**6. Bulk IOC Scanning**
+Load a list of malicious strings/indicators from a text file and check an executable for them:
+```cmd
+ntstrings -fs malicious_iocs.txt suspect.exe
+```
