diff --git a/BurnOutSharp.Models/PortableExecutable/Executable.cs b/BurnOutSharp.Models/PortableExecutable/Executable.cs index d2c7b1dc..f4fe3824 100644 --- a/BurnOutSharp.Models/PortableExecutable/Executable.cs +++ b/BurnOutSharp.Models/PortableExecutable/Executable.cs @@ -65,10 +65,15 @@ namespace BurnOutSharp.Models.PortableExecutable #region Named Sections /// - /// Export table (.edata); + /// Export table (.edata) /// public ExportTable ExportTable { get; set; } + /// + /// Import table (.idata) + /// + public ImportTable ImportTable { get; set; } + /// /// Resource directory table (.rsrc) /// @@ -84,9 +89,6 @@ namespace BurnOutSharp.Models.PortableExecutable // - The .debug Section // - .debug$F (Object Only) / IMAGE_DEBUG_TYPE_FPO // - The .drectve Section (Object Only) - // - The .idata Section - // - Import Lookup Table [has model, but bit-based] - // - Import Address Table // - The .pdata Section [Multiple formats per entry] // - TLS Callback Functions // - The .cormeta Section (Object Only) diff --git a/BurnOutSharp.Models/PortableExecutable/ImportAddressTableEntry.cs b/BurnOutSharp.Models/PortableExecutable/ImportAddressTableEntry.cs new file mode 100644 index 00000000..007fd8de --- /dev/null +++ b/BurnOutSharp.Models/PortableExecutable/ImportAddressTableEntry.cs 
@@ -0,0 +1,24 @@
+namespace BurnOutSharp.Models.PortableExecutable
+{
+ ///
+ /// The structure and content of the import address table are identical to those of
+ /// the import lookup table, until the file is bound. During binding, the entries in
+ /// the import address table are overwritten with the 32-bit (for PE32) or 64-bit
+ /// (for PE32+) addresses of the symbols that are being imported. These addresses are
+ /// the actual memory addresses of the symbols, although technically they are still
+ /// called "virtual addresses." The loader typically processes the binding.
+ ///
+ ///
+ public class ImportAddressTableEntry
+ {
+ ///
+ /// 32-bit address of the symbol being imported
+ ///
+ public uint Address_PE32;
+
+ ///
+ /// 64-bit address of the symbol being imported
+ ///
+ public ulong Address_PE32Plus;
+ }
+}
diff --git a/BurnOutSharp.Models/PortableExecutable/ImportLookupTableEntry.cs b/BurnOutSharp.Models/PortableExecutable/ImportLookupTableEntry.cs
new file mode 100644
index 00000000..d7edd2a4
--- /dev/null
+++ b/BurnOutSharp.Models/PortableExecutable/ImportLookupTableEntry.cs
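Review bot: The two fields of `ImportAddressTableEntry` are documented only as addresses, yet the class summary says the table is identical to the import lookup table until the file is bound, so for a file read from disk they would normally hold lookup-table bit fields rather than addresses. I would state that on each field, for example `/// Only an address once the image is bound; in an unbound file this is the same bit-field value as the matching import lookup table entry.` It is also not said which of `Address_PE32` and `Address_PE32Plus` is filled for a given file; a one-line remark that only the field matching the image format is set would keep a consumer from reading the unused zero as a real address.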
@@ -0,0 +1,36 @@
+namespace BurnOutSharp.Models.PortableExecutable
+{
+ ///
+ /// An import lookup table is an array of 32-bit numbers for PE32 or an array of
+ /// 64-bit numbers for PE32+. Each entry uses the bit-field format that is described
+ /// in the following table. In this format, bit 31 is the most significant bit for
+ /// PE32 and bit 63 is the most significant bit for PE32+. The collection of these
+ /// entries describes all imports from a given DLL. The last entry is set to zero
+ /// (NULL) to indicate the end of the table.
+ ///
+ ///
+ public class ImportLookupTableEntry
+ {
+ ///
+ /// If this bit is set, import by ordinal. Otherwise, import by name. Bit is
+ /// masked as 0x80000000 for PE32, 0x8000000000000000 for PE32+.
+ ///
+ /// Bit 31/63
+ public bool OrdinalNameFlag;
+
+ ///
+ /// A 16-bit ordinal number. This field is used only if the Ordinal/Name Flag
+ /// bit field is 1 (import by ordinal). Bits 30-15 or 62-15 must be 0.
+ ///
+ /// Bits 15-0
+ public ushort OrdinalNumber;
+
+ ///
+ /// A 31-bit RVA of a hint/name table entry. This field is used only if the
+ /// Ordinal/Name Flag bit field is 0 (import by name). For PE32+ bits 62-31
+ /// must be zero.
+ ///
+ /// Bits 30-0
+ public uint HintNameTableRVA;
+ }
+}
diff --git a/BurnOutSharp.Models/PortableExecutable/ImportTable.cs b/BurnOutSharp.Models/PortableExecutable/ImportTable.cs
new file mode 100644
index 00000000..8cb88587
--- /dev/null
+++ b/BurnOutSharp.Models/PortableExecutable/ImportTable.cs
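Review bot: `ImportLookupTableEntry` keeps only the decoded flag, ordinal and RVA, so the bits the field comments describe as "must be 0" are gone once an entry is parsed, and a consumer cannot tell a well-formed entry from one with reserved bits set. For a model that describes untrusted or deliberately malformed executables that information is worth keeping; consider storing the undecoded value beside the decoded fields, e.g. `public ulong RawValue;` (name is only a suggestion), or documenting on the class that the reader validates the reserved bits before filling the model. In this shape the all-zero terminator entry is also indistinguishable from an import-by-name entry with RVA 0, which deserves a sentence in the class summary.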
@@ -0,0 +1,43 @@
+namespace BurnOutSharp.Models.PortableExecutable
+{
+ ///
+ /// All image files that import symbols, including virtually all executable (EXE) files,
+ /// have an .idata section. A typical file layout for the import information follows:
+ ///
+ /// - Directory Table
+ /// Null Directory Entry
+ /// - DLL1 Import Lookup Table
+ /// Null
+ /// - DLL2 Import Lookup Table
+ /// Null
+ /// - DLL3 Import Lookup Table
+ /// Null
+ /// - Hint-Name Table
+ ///
+ ///
+ public class ImportTable
+ {
+ ///
+ /// The import information begins with the import directory table, which describes the
+ /// remainder of the import information.
+ ///
+ public ImportDirectoryTableEntry[] ImportDirectoryTable;
+
+ ///
+ /// An import lookup table is an array of 32-bit numbers for PE32 or an array of 64-bit
+ /// numbers for PE32+.
+ ///
+ public ImportLookupTableEntry[,] ImportLookupTable;
+
+ ///
+ /// These addresses are the actual memory addresses of the symbols, although technically
+ /// they are still called "virtual addresses.
+ ///
+ public ImportAddressTableEntry[,] ImportAddressTable;
+
+ ///
+ /// One hint/name table suffices for the entire import section.
+ ///
+ public HintNameTableEntry[] HintNameTable;
+ }
+}