How do I know when the IMAGE_THUNK_DATA array terminates?

Question

The IMAGE_IMPORT_DESCRIPTOR array terminates when an IMAGE_IMPORT_DESCRIPTOR structure is filled with all zeros.

Each IMAGE_IMPORT_DESCRIPTOR struct has 2 members, OriginalFirstThunk and FirstThunk which contain an RVA to parallel IMAGE_THUNK_DATA arrays.

Does the IMAGE_THUNK_DATA array get terminated with an IMAGE_THUNK_DATA struct that is filled with zeros at the end too?

Answer 1

This Matt Pietrek article has the information you need:

Each IMAGE_IMPORT_DESCRIPTOR typically points to two essentially identical arrays. These arrays have been called by several names, but the two most common names are the Import Address Table (IAT) and the Import Name Table (INT). Figure 6 shows an executable importing some APIs from USER32.DLL.

Both arrays have elements of type IMAGE_THUNK_DATA, which is a pointer-sized union. Each IMAGE_THUNK_DATA element corresponds to one imported function from the executable. The ends of both arrays are indicated by an IMAGE_THUNK_DATA element with a value of zero.