EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
Educationiatimportsapi

Import Address Table (IAT) Analysis

Reading the IAT to infer malware behaviour before execution — suspicious API patterns, what a stripped IAT means, and how to use PEStudio to map capabilities from imports alone.

Ashish Revar12 May 202615 min read2 views
Quick Bite

⚡ Quick Bite · 40s

IAT Analysis: Inferring Malware Behavior

The Import Address Table as the best window into malware behavior — how Windows populates dependencies, spotting suspicious process injection APIs, and understanding dynamic API resolution.

Watch this 40-second summary before diving into the full article. Sign in to earn 5 leaderboard points.

What is the Import Address Table?

The Import Address Table (IAT) lists the external functions from Windows DLLs that the program calls. When Windows loads a PE file, it resolves the addresses of all imported functions and writes them into the IAT. The program then calls these functions through the IAT entries.

Examining the IAT reveals a great deal about a binary's intended behaviour without running it. Every imported function is a capability declaration.

Reading the IAT in PEStudio

Open any PE file in PEStudio. Navigate to the Imports tab. For each imported DLL, you see the function names. PEStudio automatically flags known suspicious functions in red.

Look for:

  • DLLs that suggest network activity (wininet.dll, ws2_32.dll)
  • DLLs that suggest process manipulation (kernel32.dll with injection APIs)
  • DLLs that suggest registry access (advapi32.dll with Reg* functions)
  • DLLs that suggest cryptography (crypt32.dll, bcrypt.dll)

Suspicious API Patterns

Imported Function(s)Behavioural Indication
CreateFileA/W, WriteFile, DeleteFileA/WFile manipulation. Dropping payloads or deleting evidence.
RegOpenKeyExA/W, RegSetValueExA/WRegistry modification. Establishing persistence via Run key.
VirtualAlloc, VirtualProtectMemory allocation with custom permissions. Strong indicator of shellcode injection or runtime unpacking.
CreateRemoteThread, WriteProcessMemoryCode injection into another process.
OpenProcess with PROCESS_ALL_ACCESSTargeting another process for injection or hollowing.
InternetOpenA, HttpSendRequestAHTTP communication. Likely contacting a C2 server.
URLDownloadToFileASingle-call downloader pattern. Downloads payload from URL.
GetAsyncKeyState, SetWindowsHookExAKeyboard monitoring. Keylogger behaviour.
IsDebuggerPresent, CheckRemoteDebuggerPresentAnti-debugging checks.
CreateProcessA/WProcess creation. May spawn cmd.exe or powershell.exe.
FindResource, LoadResource, LockResourceExtracts embedded payload from PE resources. Dropper pattern.
CryptEncrypt, CryptGenKeyCryptographic operations. May indicate ransomware.

The Stripped IAT — A Major Red Flag

A binary whose import table contains only LoadLibraryA and GetProcAddress is resolving its real imports at runtime to hide them from static analysis.

Normal binary IAT:
  kernel32.dll: CreateFileA, WriteFile, VirtualAlloc, CreateProcessA...
  wininet.dll:  InternetOpenA, HttpOpenRequestA, HttpSendRequestA...
  advapi32.dll: RegOpenKeyExA, RegSetValueExA...

Packed/obfuscated binary IAT:
  kernel32.dll: LoadLibraryA, GetProcAddress

The malware uses LoadLibraryA to load any DLL at runtime and GetProcAddress to resolve any function by name — leaving nothing visible to static analysis. This is characteristic of packed or manually-mapped executables.

Next action when you see a stripped IAT: check entropy, check section names, run DIE. The binary is almost certainly packed — unpack it before proceeding.

API Hashing

Some malware resolves imports without calling LoadLibraryA at all. It computes a hash of each API name and walks the export table of loaded DLLs to find a matching hash. No import table entry is created.

; API hashing loop (simplified)
hash_loop:
    mov  eax, [esi]          ; load current export name
    call compute_hash        ; compute custom hash of name
    cmp  eax, 0xDEADBEEF     ; compare to target hash
    je   found               ; if match, use this function address
    add  esi, 4              ; next export
    jmp  hash_loop

The hardcoded hash values (0xDEADBEEF in this example) are the only trace of the intended API call. Finding these in a disassembler requires computing the hash function in reverse — or running the sample and breaking when the hash matches.

Capability Mapping with Capa

Rather than manually reading every import, run Capa (Mandiant) on the binary:

capa suspicious.exe

Capa maps code patterns to behavioural capabilities and MITRE ATT&CK techniques:

+------------------------------------------------------+
| CAPABILITY                       | NAMESPACE          |
+------------------------------------------------------+
| delete shadow copies             | impact             |
| query registry                   | discovery          |
| communicate via HTTP             | c2                 |
| capture keystrokes               | collection         |
+------------------------------------------------------+

Capa reads more than just the IAT — it analyses code patterns and recognises capability implementations even when imports are stripped.

Practical Workflow

1. Open in PEStudio → check Imports tab
2. If IAT is stripped (only LoadLibrary + GetProcAddress):
   → check entropy → confirm packing → unpack first
3. If IAT is visible:
   → flag suspicious API groups from the table above
   → run Capa for behavioural capability summary
   → note APIs as predicted IOCs before dynamic analysis
4. Compare predicted behaviour against dynamic analysis results

Predicted behaviour from the IAT becomes a hypothesis. Dynamic analysis confirms or refutes it.

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Listen

Malware Blueprints in Portable Executable Headers

A deep dive into the Portable Executable (PE) structure used by Windows binaries — how analysts decode executable metadata to uncover malicious intent, compiler behaviour, packing indicators, and execution flow.

Reference material

eBook
REMA eBook 2026
v1.0
Open resource
Cheatsheet
REMA Cheatsheet 2026
v1.0
Open resource
MCQ Bank
REMA MCQ Bank 2026
v1.0
Open resource
Question Bank
REMA Question Bank 2026
v1.0
Open resource

External references

Capa — Mandiant Capability Detection

Run against any PE to get MITRE ATT&CK mapped capabilities. Works even when imports are partially stripped.

tool
MITRE ATT&CK — Windows API Technique Coverage

Browse ATT&CK techniques by tactic. Each technique lists the Windows APIs commonly used to implement it.

reference
EpochZero Article — njRAT Static Analysis Walkthrough

Practical walkthrough of IAT analysis on a real RAT sample — PE structure, .NET decompilation, and IOC extraction.

article
More articlesTest your knowledge