Question : Checking the application

I know this is impossible or may not, like they said it is.

Kernel32.dll has a function FindFirstFileA with an RVA/EntryPoint of 00013559h.

I would like to know if the application has a block address of 00013559h and is using the function FindFirstFileA even it was compressed by upx or any compressor.

The application that I am analyzing/scanning is not running or launched in the memory/computer.

What are the steps to be doned in order to succed this test?

I am only giving only 50 points for this question, and raise it, if answered is fine with me.

Answer : Checking the application

The application can use FindFirst via static binding or dynamic binding. If it's static binding you can find FindFirstFile function in the import section of application header.

If it's dynamic binding - it's not easy. You have to analyze the code and data sections. At least you can find FindFirstFile entry (btw, it may be unicode). Then you can try to find the code that works with this entry.

What is the exe file is compressed? I'm afraid you have to detect that and decompress it then

Random Solutions

get-wmiobject error - Powershell

Cisco VPN client for Windows, use both RSA SecurID soft token and hard token

Vista Ultimate clone from HP to HP

HTC Touch 3G: How can I really upgrade WM6.1 to WM6.5 and/or porting to latest Android?

Microsoft VPN not connecting on some computers

Windows Server 2008 Fax Server

Facing issues in OCS federation..

Can you tell what Server a Backup Exec agent was pashed out from

DHCP Client wont AutoStart