Skip to content
Log in

Import Address Table (IAT)

Definition

A section of the PE header that lists every external DLL and the functions the executable calls from each. A malware sample's IAT reveals its intended capabilities: calls to CreateRemoteThread suggest process injection; calls to CryptEncrypt suggest ransomware behaviour; calls to InternetOpen suggest network communication.

Related terms

Cryptographic hash
A fixed-length digest produced from a file's bytes by an algorithm such as MD5 (128-bit), SHA-1 (160-bit), or SHA-256 (256-bit). Identical files...
Disassembly
The process of converting raw binary machine code back into human-readable assembly language instructions. Disassembly is always achievable from a binary, unlike...
Indicator of Compromise (IoC)
An observable artefact that suggests a system has been involved in a malicious event. Static analysis produces file-based IoCs: cryptographic hashes, embedded...
Packer / packing
A technique in which the original malware code is compressed or encrypted and wrapped in a stub loader that decompresses or decrypts...
Portable Executable (PE)
The binary file format used by Windows executables (.exe), dynamic-link libraries (.dll), and drivers (.sys). The PE header contains a structured metadata...

Explained in

  • Static Malware AnalysisA section of the PE header that lists every external DLL and the functions the executable calls from each. A malware sample's IAT reveals its intended capabili...

Your journey to becoming a forensic professional starts here.

Practice with mock tests, learn from structured notes, and get your questions answered by a global forensic community, all in one place.

Continue learningCreate Your Account