DBG: MemDecodePointer (RtlDecodePointer)

src/dbg/memory.cpp

@@ -607,4 +607,33 @@ bool MemFindInMap(const std::vector<SimplePage> & pages, const std::vector<Patte
         GuiReferenceReloadData();
     }
     return true;
+}
+
+bool MemDecodePointer(duint* Pointer)
+{
+    // Decode a pointer that has been encoded with a special "process cookie"
+    // http://doxygen.reactos.org/dd/dc6/lib_2rtl_2process_8c_ad52c0f8f48ce65475a02a5c334b3e959.html
+    typedef NTSTATUS(NTAPI * pfnNtQueryInformationProcess)(
+        IN  HANDLE ProcessHandle,
+        IN  LONG ProcessInformationClass,
+        OUT PVOID ProcessInformation,
+        IN  ULONG ProcessInformationLength,
+        OUT PULONG ReturnLength
+    );
+
+    static auto NtQIP = (pfnNtQueryInformationProcess)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryInformationProcess");
+
+    // Verify
+    if(!NtQIP || !Pointer)
+        return false;
+
+    // Query the kernel for XOR key
+    ULONG cookie;
+
+    if(NtQIP(fdProcessInfo->hProcess, /* ProcessCookie */36, &cookie, sizeof(ULONG), nullptr) < 0)
+        return false;
+
+    // XOR pointer with key
+    *Pointer = (duint)((ULONG_PTR)(*Pointer) ^ cookie);
+    return true;
 }

src/dbg/memory.h

@@ -37,4 +37,5 @@ bool MemGetPageRights(duint Address, char* Rights);
 bool MemPageRightsToString(DWORD Protect, char* Rights);
 bool MemPageRightsFromString(DWORD* Protect, const char* Rights);
 bool MemFindInPage(SimplePage page, duint startoffset, const std::vector<PatternByte> & pattern, std::vector<duint> & results, duint maxresults);
-bool MemFindInMap(const std::vector<SimplePage> & pages, const std::vector<PatternByte> & pattern, std::vector<duint> & results, duint maxresults, bool progress = true);
+bool MemFindInMap(const std::vector<SimplePage> & pages, const std::vector<PatternByte> & pattern, std::vector<duint> & results, duint maxresults, bool progress = true);
+bool MemDecodePointer(duint* Pointer);