search_strings

Decompilation

Searches the User Strings (#US) heap in the assembly metadata for string literals matching a pattern. This reads directly from metadata without decompilation, making it significantly faster than IL-based approaches. Essential for security audits, finding configuration values, and locating embedded URLs or credentials.

Parameters

Parameter	Type	Required	Default	Description
assembly_path	string	Yes	—	Path to the .dll or .exe file
pattern	string	Yes	—	String pattern to search for
case_sensitive	bool	No	false	Case-sensitive matching
use_regex	bool	No	false	Treat pattern as a regular expression
max_results	int	No	100	Maximum number of matches to return

Example

MCP JSON

{
  "tool": "search_strings",
  "arguments": {
    "assembly_path": "/path/to/MyApp.dll",
    "pattern": "https://",
    "use_regex": false,
    "max_results": 50
  }
}

Python

result = await client.call_tool("search_strings", {
    "assembly_path": "/path/to/MyApp.dll",
    "pattern": "https://",
    "max_results": 50,
})

Response

Returns a list of matching string literals found in the assembly. Long strings are truncated to 200 characters for display. The total match count is shown, with a note when results are capped at max_results.

Usage tips

• This tool uses dnfile for direct metadata access — it does not require ilspycmd to be installed.
• Use regex patterns like "https?://" or "password|secret|key" for broader security sweeps.
• Pair with decompile_assembly using show_il_code to find which methods reference the strings you discover.

Related tools

• search_fields — find constant fields and configuration values
• decompile_assembly — trace string usage in decompiled code
• get_metadata_summary — assembly overview before string searching