Sometimes if I’m getting desperate and am running out of information from a dump file, I’ll run Strings on it and see if there are any interesting strings in the image. While I usually don’t know what I’m looking for when I start this exercise, generally what I find is fairly benign: machine names, URLs, PATH values, etc.
However, today I ran this on a dump from an application and I found art! A nice diversion from my normal activities:
And there were many others as well. This dump happened to come from a VPN application, so I suspect that these were put there on purpose to thwart someone from finding any interesting strings in their image. The idea being that if you put all kinds of bogus strings in your image then the amount of time it takes for someone to find an interesting string goes up. I guess we poor analysts are assumed guilty until proven innocent…
A couple of comments cleared up the mystery and it turned out to be nothing bad at all (I’m clearly too paranoid). From Paolo Bonzini:
Definitely looks like XPM. XPM format images are designed to be #included in C source code (!), which would explain why you have no double quotes. The \n at the end of each scan line would be an artifact of strings, which found a NUL terminator and started a new printable string.
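The following added example, which is not from the original post or its commenters, extracts printable strings from a constructed byte blob the way a strings tool would, then recognizes an embedded XPM image by its values line (`width height ncolors chars_per_pixel`) so those rows can be filtered out of the review. The function names and the sample blob are assumptions made for the illustration.

```python
import re

# Runs of 4+ printable ASCII bytes, roughly what a strings utility reports.
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")
# XPM values line: "<width> <height> <ncolors> <chars_per_pixel> [x_hot y_hot]"
XPM_VALUES = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)(?:\s+\d+\s+\d+)?\s*$")

# Constructed sample: an 8x4, 2-colour XPM stored as NUL-terminated C strings,
# surrounded by unrelated data, as it might sit in a process image.
SAMPLE_XPM = ["8 4 2 1", ". c #000000", "# c #FFFFFF",
              "..####..", ".#....#.", ".#....#.", "..####.."]
SAMPLE_BLOB = (
    b"\x01\x02PATH=C:\\Windows\x00\x00"
    + b"".join(s.encode() + b"\x00" for s in SAMPLE_XPM)
    + b"\xff\xfehttps://example.invalid/\x00"
)


def extract_strings(blob):
    """Return printable ASCII runs in order of appearance."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(blob)]


def find_xpm_images(strings):
    """Return (start, end, width, height) index spans that are shaped like XPM data."""
    found, i = [], 0
    while i < len(strings):
        m = XPM_VALUES.match(strings[i])
        if m:
            width, height, ncolors, cpp = map(int, m.groups())
            first_row = i + 1 + ncolors          # skip the colour definitions
            rows = strings[first_row:first_row + height]
            # Every pixel row must be exactly width * chars_per_pixel long.
            if width and cpp and len(rows) == height and all(len(r) == width * cpp for r in rows):
                found.append((i, first_row + height, width, height))
                i = first_row + height
                continue
        i += 1
    return found


def strip_xpm(strings):
    """Drop XPM spans so the remaining strings are easier to review."""
    keep = list(strings)
    for start, end, _w, _h in reversed(find_xpm_images(strings)):
        del keep[start:end]
    return keep
```

Compilers may merge identical string literals, so an image with repeated rows can fail the row-count check in a real binary; treat a matching values line followed by colour definitions as a strong hint on its own.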