Not bad
However, the two bytes before the API function name is the hint, and not the Ordinal -
Offset
Size
Field
Description
0
2
Hint
Index into the Export Name Pointer Table. A match is attempted first with this value. If it fails, a binary search is performed on the DLL's Export Name Pointer Table.
2
variable
Name
ASCII string containing name to import. This is the string that must be matched to the public name in the DLL. This string is case sensitive and terminated by a null byte.
*
0 or 1
Pad
A trailing zero pad byte appears after the trailing null byte, if necessary, to align the next entry on an even boundary.
Other than that, it seems ok. I've only had a quick glance at it tho'
In RTA, I load the IAT into memory and go through each DLL, making a note of all the addresses of functions in a mapped array, so that if I see a direct (or in-direct jump), I can immediately display the api name and function name without doing a lot of searching.