 

What's the difference between the import table, import address table, and import name table?

When disassembling/dumping exe I get three tables in the .idata import section:

  • import table (IT)
  • import address table (IAT)
  • import name table (INT)

I understand what the IAT and INT are, but what is IT more exactly?

Could someone provide an explanation, as various PE tutorials are confusing. I don't exactly understand how the official structure names they describe map onto this specific data.

Hints/Answers here would be helpful

Example PE File Section

SECTION .idata  align=4 noexecute                       ; section number 3, data 

Import_table:                                           ; dword 
    db 50H, 30H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403000 _ P0...... 
    db 00H, 00H, 00H, 00H, 0ACH, 30H, 00H, 00H      ; 00403008 _ .....0.. 
    db 68H, 30H, 00H, 00H, 58H, 30H, 00H, 00H       ; 00403010 _ h0..X0.. 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403018 _ ........ 
    db 0C0H, 30H, 00H, 00H, 70H, 30H, 00H, 00H      ; 00403020 _ .0..p0.. 
    db 60H, 30H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403028 _ `0...... 
    db 00H, 00H, 00H, 00H, 0D0H, 30H, 00H, 00H      ; 00403030 _ .....0.. 
    db 78H, 30H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403038 _ x0...... 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403040 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403048 _ ........ 
    db 80H, 30H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403050 _ .0...... 
    db 8EH, 30H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403058 _ .0...... 
    db 98H, 30H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403060 _ .0...... 

Import_address_table:                                   ; dword 
imp_ExitProcess:                                        ; import from        KERNEL32.dll  
    dd 00003080H, 00000000H                         ; 00403068 _ 12416 0

imp_printf:                                             ; import from  msvcrt.dll 
    dd 0000308EH, 00000000H                         ; 00403070 _ 0000308E 00000000 

imp_MessageBoxA:                                        ; import from USER32.dll 
    dd 00003098H, 00000000H                         ; 00403078 _ 00003098 00000000 

Import_name_table:                                      ; byte 
    db 17H, 01H, 45H, 78H, 69H, 74H, 50H, 72H       ; 00403080 _ ..ExitPr 
    db 6FH, 63H, 65H, 73H, 73H, 00H, 0B1H, 02H      ; 00403088 _ ocess... 
    db 70H, 72H, 69H, 6EH, 74H, 66H, 00H, 00H       ; 00403090 _ printf.. 
    db 0B2H, 01H, 4DH, 65H, 73H, 73H, 61H, 67H      ; 00403098 _ ..Messag 
    db 65H, 42H, 6FH, 78H, 41H, 00H, 00H, 00H       ; 004030A0 _ eBoxA... 
    db 00H, 30H, 00H, 00H, 4BH, 45H, 52H, 4EH       ; 004030A8 _ .0..KERN 
    db 45H, 4CH, 33H, 32H, 2EH, 64H, 6CH, 6CH       ; 004030B0 _ EL32.dll 
    db 00H, 00H, 00H, 00H, 14H, 30H, 00H, 00H       ; 004030B8 _ .....0.. 
    db 6DH, 73H, 76H, 63H, 72H, 74H, 2EH, 64H       ; 004030C0 _ msvcrt.d 
    db 6CH, 6CH, 00H, 00H, 28H, 30H, 00H, 00H       ; 004030C8 _ ll..(0.. 
    db 55H, 53H, 45H, 52H, 33H, 32H, 2EH, 64H       ; 004030D0 _ USER32.d 
    db 6CH, 6CH, 00H, 00H, 00H, 00H, 00H, 00H       ; 004030D8 _ ll...... 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 004030E0 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 004030E8 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 004030F0 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 004030F8 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403100 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403108 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403110 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403118 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403120 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403128 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403130 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403138 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403140 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403148 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403150 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403158 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403160 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403168 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403170 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403178 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403180 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403188 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403190 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 00403198 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 004031A0 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 004031A8 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 004031B0 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 004031B8 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 004031C0 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 004031C8 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 004031D0 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 004031D8 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 004031E0 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 004031E8 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 004031F0 _ ........ 
    db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H       ; 004031F8 _ ........ 
asked Dec 24 '22 14:12 by user2214913


2 Answers

Import Table

From the manual section 6.4.1:

The import information begins with the Import Directory Table, which describes the remainder of the import information. The Import Directory Table contains address information that is used to resolve fix-up references to the entry points within a DLL image.

Each import directory table entry has the form

Offset    Size    Field
0         4       Import Lookup Table RVA
4         4       Time/Date Stamp
8         4       Forwarder Chain
12        4       Name RVA
16        4       Import Address Table RVA

Note: since DLLs can be loaded at different memory locations, RVA stands for Relative Virtual Address, which is the address of the content, once loaded, relative to the image base.

Import Lookup Table

Again from the documentation:

The collection of these entries describes all imports from the image to a given DLL.

These fields contain information about how the import is to be processed (ordinal vs name). If it specifies import by ordinal, then the rest of the entry in the table contains the ordinal number; otherwise it contains an RVA to the Hint/Name Table entry.

Hint/Name Table

The entries in the Hint/Name table are of the following format:

Offset    Size    Field    Notes
0         2       Hint     Index into the Export Name Pointer Table
2         varies  Name     Null terminated ASCII string
*         0 or 1  Pad      Each entry must be on an even boundary

Import Address Table

The structure and content of the Import Address Table are identical to that of the Import Lookup Table, until the file is bound. During binding, the entries in the Import Address Table are overwritten with the 32-bit (or 64-bit for PE32+) addresses of the symbols being imported: these addresses are the actual memory addresses of the symbols themselves (although technically, they are still called “virtual addresses”). The processing of binding is typically performed by the loader.

References

  1. Wikipedia entry on Portable Executable
  2. Official Documentation
  3. Ero Carrera's helpful diagrams

All quotes and tables above are from the Microsoft PE/COFF manual listed in reference 2.

answered Dec 28 '22 10:12 by theB


Let's begin with a strongly simplified picture of the following two tables:

[image]

This picture shows the situation in your executable file on disk. The tables have totally identical content, with exactly the same lists of API function names, in exactly the same order.

(OK, you may ask: "How is it possible to place such long names into 4 bytes?" Continue reading to obtain the answer; as I wrote, we begin with a simplified picture.)


Now the loader loads your executable into memory, so initially these tables copied into memory are still identical. But:

  • After loading / mapping all required DLLs (Dynamic-Link Libraries) into memory, it already knows the addresses of all your imported functions, so

  • it replaces the names of your imported functions in the second table (Import Address Table) with their addresses (only then does the name "Import Address Table" correspond to its contents).


So the situation in memory becomes different:

[image]


Now the answer to (my own) question above:

How is it possible to place such long names into 4 bytes?

It is not possible, of course. In the Import Lookup Table there are only pointers (addresses) to names.

And here the third table comes into play, the Import Hint/Name table, the target of these pointers, so the reality (instead of the simplification in the first 2 pictures) looks like this (I used the same addresses as those in your listing):

[image]


Up to here I have answered only my own question; it's time to answer yours:

I understand what the IAT and INT are, but what is IT more exactly?

Import Table, more precisely Import Directory Table, is an array (a table) of entries, one entry (a row) for every imported library (in your case 3 libraries, so the table consists of 3 rows).

A simplified picture of it is here:

[image]

Every row consists of 5 double words (pointers). For us only 3 of them are important: the first (a pointer to the ILT), the last (a pointer to the IAT), and the last but one (identifying the row by the name of the DLL; so it's a pointer to the DLL's name in the Hint/Name table).

The cooperation of the Import Directory Table with other two tables looks like this:

[image]

(In this picture I omitted the cooperation with the third table, the already mentioned Hint/Name Table.)


Note: I intentionally omitted zero-filled separating rows in my pictures, and I didn't deal with imports by ordinal (for the sake of simplicity to emphasize ideas).

answered Dec 28 '22 09:12 by MarianD
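The following is an added example, not code from the question or from either answer. It walks the import data the way theB's quoted tables describe it (Import Directory Table → Import Lookup Table → Hint/Name entries, plus the Name RVA for the DLL string), using the bytes of the questioner's own .idata listing as input, and then mimics the loader's binding step that MarianD's pictures describe by overwriting the IAT slots with addresses while the ILT stays as it was. It also shows a detail the question's labels hide: the RVAs 0x3050, 0x3058 and 0x3060 that the directory rows point to as their Import Lookup Tables lie inside the region the disassembler labelled Import_table, so that label covers the directory and the three one-entry ILTs together. Assumptions: image base 0x400000 (from the listing's 00403000 addresses, so the section starts at RVA 0x3000), the import directory sits at the start of the section, all import data is inside this one section, and the resolved addresses in FAKE_EXPORTS are constructed placeholders, not real DLL addresses.

```python
import struct

IDATA_RVA = 0x3000               # RVA of the first byte of IDATA (00403000 - assumed base 0x400000)
IMAGE_ORDINAL_FLAG32 = 1 << 31   # PE32: high bit set => import by ordinal
IMAGE_ORDINAL_FLAG64 = 1 << 63   # PE32+: same idea with 8-byte thunks

# Bytes of the questioner's .idata section, transcribed row by row from the
# listing (RVA 0x3000..0x30DF). The all-zero rows from 0x30E0 on are omitted
# because nothing points into them.
IDATA = bytes.fromhex(
    "5030000000000000" "00000000AC300000" "6830000058300000" "0000000000000000"
    "C030000070300000" "6030000000000000" "00000000D0300000" "7830000000000000"
    "0000000000000000" "0000000000000000"                     # all-zero end row
    "8030000000000000" "8E30000000000000" "9830000000000000"  # three 1-entry ILTs
    "8030000000000000" "8E30000000000000" "9830000000000000"  # three 1-entry IATs
    "1701457869745072" "6F6365737300B102" "7072696E74660000"  # hint/name entries
    "B2014D6573736167" "65426F7841000000" "003000004B45524E"
    "454C33322E646C6C" "0000000014300000" "6D73766372742E64"  # DLL name strings
    "6C6C000028300000" "5553455233322E64" "6C6C000000000000"
)


def read_cstring(data, off):
    """Null-terminated ASCII string starting at offset `off`."""
    return data[off:data.index(b"\x00", off)].decode("ascii")


def read_thunks(data, off, pe32plus=False):
    """Read one ILT or IAT: 4-byte (8-byte for PE32+) entries up to the zero terminator."""
    size, fmt = (8, "<Q") if pe32plus else (4, "<I")
    values = []
    while True:
        (value,) = struct.unpack_from(fmt, data, off)
        if value == 0:
            return values
        values.append(value)
        off += size


def decode_thunk(data, value, section_rva, pe32plus=False):
    """Interpret an unbound thunk: an ordinal if the high bit is set, otherwise
    an RVA to a Hint/Name entry (2-byte hint followed by the ASCII name)."""
    flag = IMAGE_ORDINAL_FLAG64 if pe32plus else IMAGE_ORDINAL_FLAG32
    if value & flag:
        return {"ordinal": value & 0xFFFF}
    off = value - section_rva
    (hint,) = struct.unpack_from("<H", data, off)
    return {"hint": hint, "name": read_cstring(data, off + 2)}


def parse_import_directory(data, section_rva, pe32plus=False):
    """Walk the Import Directory Table (20-byte rows, an all-zero row ends it)
    and resolve each row's ILT, IAT and DLL name. `data` is the section that
    holds all of the import data, starting at RVA `section_rva`."""
    entries, off = [], 0
    while True:
        ilt_rva, stamp, fwd_chain, name_rva, iat_rva = struct.unpack_from("<5I", data, off)
        if ilt_rva == 0 and name_rva == 0 and iat_rva == 0:
            return entries
        ilt = read_thunks(data, ilt_rva - section_rva, pe32plus)
        iat = read_thunks(data, iat_rva - section_rva, pe32plus)
        entries.append({
            "dll": read_cstring(data, name_rva - section_rva),
            "ilt_rva": ilt_rva, "iat_rva": iat_rva,
            "timestamp": stamp, "forwarder_chain": fwd_chain,
            "imports": [decode_thunk(data, v, section_rva, pe32plus) for v in ilt],
            "iat_matches_ilt": ilt == iat,   # true on disk, false once bound
        })
        off += 20


def bind_iat(data, section_rva, entries, resolve):
    """Mimic the loader's binding step: overwrite every IAT slot with the address
    `resolve(dll, imp)` returns; the ILT and Hint/Name data are left untouched.
    PE32 only (4-byte slots)."""
    image = bytearray(data)
    for entry in entries:
        off = entry["iat_rva"] - section_rva
        for imp in entry["imports"]:
            struct.pack_into("<I", image, off, resolve(entry["dll"], imp))
            off += 4
    return bytes(image)


# Constructed placeholder addresses; a real loader gets these from the mapped DLLs.
FAKE_EXPORTS = {
    ("KERNEL32.dll", "ExitProcess"): 0x7C001000,
    ("msvcrt.dll", "printf"): 0x7C002000,
    ("USER32.dll", "MessageBoxA"): 0x7C003000,
}


def fake_resolve(dll, imp):
    return FAKE_EXPORTS[(dll, imp["name"])]


if __name__ == "__main__":
    table = parse_import_directory(IDATA, IDATA_RVA)
    for e in table:
        print(f"{e['dll']:13} ILT@{e['ilt_rva']:#06x} IAT@{e['iat_rva']:#06x} "
              f"{e['imports']} iat==ilt:{e['iat_matches_ilt']}")
    bound = bind_iat(IDATA, IDATA_RVA, table, fake_resolve)
    for e in table:
        print(f"after bind: IAT@{e['iat_rva']:#06x} ->",
              [hex(v) for v in read_thunks(bound, e['iat_rva'] - IDATA_RVA)])
```

Running it prints the three directory rows with the hints 0x117, 0x2B1 and 0x1B2 next to ExitProcess, printf and MessageBoxA, confirms that each IAT equals its ILT in the file, and after the simulated bind shows the IAT slots holding the placeholder addresses while re-parsing through the ILT still yields the names. A practical consequence for defenders: because the ILT survives binding, an in-memory IAT whose entries no longer correspond to what the ILT names is the kind of inconsistency memory-forensics tools look for when checking import-table integrity.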