winapireverse-engineeringportable-executabledisassemblycoff

What's the difference between the import table, import adress table, and import name table?

When disassembling/dumping exe I get three tables in the .idata import section:

I understand what the IAT and INT are, but what is IT more exactly?

Could someone provide explanation, as various PE tutorials are confusing. I don't exactly understand what those official structure names they describe map here on this specific data.

Hints/Answers here would be helpful

Example PE File Section

SECTION .idata  align=4 noexecute                       ; section number 3, data 

Import_table:                                           ; dword 
    db 50H, 30H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403000 _ P0...... 
    db 00H, 00H, 00H, 00H, 0ACH, 30H, 00H, 00H      ; 00403008 _ .....0.. 
    db 68H, 30H, 00H, 00H, 58H, 30H, 00H, 00H       ; 00403010 _ h0..X0.. 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403018 _ ........ 
    db 0C0H, 30H, 00H, 00H, 70H, 30H, 00H, 00H      ; 00403020 _ .0..p0.. 
    db 60H, 30H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403028 _ `0...... 
    db 00H, 00H, 00H, 00H, 0D0H, 30H, 00H, 00H      ; 00403030 _ .....0.. 
    db 78H, 30H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403038 _ x0...... 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403040 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403048 _ ........ 
    db 80H, 30H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403050 _ .0...... 
    db 8EH, 30H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403058 _ .0...... 
    db 98H, 30H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403060 _ .0...... 

Import_address_table:                                   ; dword 
imp_ExitProcess:                                        ; import from        KERNEL32.dll  
    dd 00003080H, 00000000H                         ; 00403068 _ 12416 0

imp_printf:                                             ; import from  msvcrt.dll 
    dd 0000308EH, 00000000H                         ; 00403070 _ 0000308E 00000000 

imp_MessageBoxA:                                        ; import from USER32.dll 
    dd 00003098H, 00000000H                         ; 00403078 _ 00003098 00000000 

Import_name_table:                                      ; byte 
    db 17H, 01H, 45H, 78H, 69H, 74H, 50H, 72H       ; 00403080 _ ..ExitPr 
    db 6FH, 63H, 65H, 73H, 73H, 00H, 0B1H, 02H      ; 00403088 _ ocess... 
    db 70H, 72H, 69H, 6EH, 74H, 66H, 00H, 00H       ; 00403090 _ printf.. 
    db 0B2H, 01H, 4DH, 65H, 73H, 73H, 61H, 67H      ; 00403098 _ ..Messag 
    db 65H, 42H, 6FH, 78H, 41H, 00H, 00H, 00H       ; 004030A0 _ eBoxA... 
    db 00H, 30H, 00H, 00H, 4BH, 45H, 52H, 4EH       ; 004030A8 _ .0..KERN 
    db 45H, 4CH, 33H, 32H, 2EH, 64H, 6CH, 6CH       ; 004030B0 _ EL32.dll 
    db 00H, 00H, 00H, 00H, 14H, 30H, 00H, 00H       ; 004030B8 _ .....0.. 
    db 6DH, 73H, 76H, 63H, 72H, 74H, 2EH, 64H       ; 004030C0 _ msvcrt.d 
    db 6CH, 6CH, 00H, 00H, 28H, 30H, 00H, 00H       ; 004030C8 _ ll..(0.. 
    db 55H, 53H, 45H, 52H, 33H, 32H, 2EH, 64H       ; 004030D0 _ USER32.d 
    db 6CH, 6CH, 00H, 00H, 00H, 00H, 00H, 00H       ; 004030D8 _ ll...... 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 004030E0 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 004030E8 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 004030F0 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 004030F8 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403100 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403108 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403110 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403118 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403120 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403128 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403130 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403138 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403140 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403148 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403150 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403158 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403160 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403168 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403170 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403178 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403180 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403188 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403190 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403198 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 004031A0 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 004031A8 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 004031B0 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 004031B8 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 004031C0 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 004031C8 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 004031D0 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 004031D8 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 004031E0 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 004031E8 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 004031F0 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 004031F8 _ ........
Solution

  • Import Table

    From the manual section 6.4.1:

    The import information begins with the Import Directory Table, which describes the remainder of the import information. The Import Directory Table contains address information that is used to resolve fix-up references to the entry points within a DLL image.

    Each import directory table entry has the form

    Offset    Size    Field
0         4       Import Lookup Table RVA
4         4       Time/Date Stamp
8         4       Forwarder Chain
12        4       Name RVA
16        4       Import Address Table RVA

    Note: since DLLs can be loaded at different memory locations RVA stands for Relative Virtual Address, which is the address of the content, once loaded, relative to the image base

    Import Lookup Table

    Again from the documentation:

    The collection of these entries describes all imports from the image to a given DLL.

    These fields contain information about how the import is to be processed (ordinal vs name). If it specifies import by ordinal, then the rest of the entry in the table contains the ordinal number, otherwise it contains a RVA to the Hint/Name Table entry.

    Hint/Name Table

    The entries in the Hint/Name table are of the following format:

    Offset    Size    Field    Notes
0         2       Hint     Index into the Export Name Pointer Table
2         varies  Name     Null terminated ASCII string
*         0 or 1  Pad      Each entry must be on an even boundary

    Import Address Table

    The structure and content of the Import Address Table are identical to that of the Import Lookup Table, until the file is bound. During binding, the entries in the Import Address Table are overwritten with the 32-bit (or 64-bit for PE32+) addresses of the symbols being imported: these addresses are the actual memory addresses of the symbols themselves (although technically, they are still called “virtual addresses”). The processing of binding is typically performed by the loader.

    References

    1. Wikipedia entry on Portable Executable
    2. Official Documentation
    3. Ero Carrera's helpful diagrams

    All quotes and tables above are from the Microsoft PE/COFF manual listed in reference 2.