Import address table (Import Address Table,IAT) Used to record what programs are using DLL Which functions in .

Import name table (Import Name Table,INT)

One 、 Find the file name and RVAsec and RAWsec

Through analysis PE head , Available notepad.exe The range of each section head of the is shown in table 4-12 Shown . And analyze the table 4-13.

Two 、 analysis INT and IAT, Get the number of imported functions

Further analysis below notepad.exe Of documents INT and IAT.

With KERNEL32.dll For example , The DLL Corresponding INT Array and IAT Array in PE Medium RAW The offsets are 6B58H and 48CH.

PE The offset range of the file 6B58H~6C3FH Space preservation of INT, among IMAGE_THUNK_DATA32 The number of structures is 57.

here ：57=14 That's ok ×4+1, This is Number of imported functions

PE The offset range of the file 48CH~573H Space preservation of IAT, among IMAGE_THUNK_DATA32 The number of structures is also 57.

INT and IAT The contents are shown in the figure 4-4(a) Sum graph 4-4(b) Shown .

3、 ... and 、 Function sequence number 、 The name of the function

Then analyze INT First of all (00008024H) The point is IMAGE_IMPORT_BY_NAME The content of the structure ,
The content is in PE The offset of the file 8024H-1000H+ 400H=7424H Location .

notes ： Here is 8024, the reason being that 2480 Small end storage . Can pass LordPE Work out .

The content of this structure is shown in Figure 4-5 Shown .
among Hint Field Serial number value by 013EH, And the imported function Name The field is analyzed by the hexadecimal editor as "GetCurrentThreadId”.
It can also be analyzed in a similar way KERNEL32.dl1 All of them are notepad.exe Of the imported function Serial number and Function name .

 First function serial number （ The small end ）：013E
 First function name ：GetCurrentThreadId

Function sequence number 、 The function name can be through HXD Right click to select the range and then enter the offset obtain ：