From 92ae0058c65260150b1b4fa9c9c2ea335805848f Mon Sep 17 00:00:00 2001
From: Nukem <Nukem@outlook.com>
Date: Sun, 24 Jan 2016 17:18:29 -0500
Subject: [PATCH] DBG: MemDecodePointer (RtlDecodePointer)

---
 src/dbg/memory.cpp | 29 +++++++++++++++++++++++++++++
 src/dbg/memory.h   |  3 ++-
 2 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/src/dbg/memory.cpp b/src/dbg/memory.cpp
index 6dfe200c..80348f55 100644
--- a/src/dbg/memory.cpp
+++ b/src/dbg/memory.cpp
@@ -607,4 +607,33 @@ bool MemFindInMap(const std::vector<SimplePage> & pages, const std::vector<Patte
         GuiReferenceReloadData();
     }
     return true;
+}
+
+bool MemDecodePointer(duint* Pointer)
+{
+    // Decode a pointer that has been encoded with a special "process cookie"
+    // http://doxygen.reactos.org/dd/dc6/lib_2rtl_2process_8c_ad52c0f8f48ce65475a02a5c334b3e959.html
+    typedef NTSTATUS(NTAPI * pfnNtQueryInformationProcess)(
+        IN  HANDLE ProcessHandle,
+        IN  LONG ProcessInformationClass,
+        OUT PVOID ProcessInformation,
+        IN  ULONG ProcessInformationLength,
+        OUT PULONG ReturnLength
+    );
+
+    static auto NtQIP = (pfnNtQueryInformationProcess)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryInformationProcess");
+
+    // Verify
+    if(!NtQIP || !Pointer)
+        return false;
+
+    // Query the kernel for XOR key
+    ULONG cookie;
+
+    if(NtQIP(fdProcessInfo->hProcess, /* ProcessCookie */36, &cookie, sizeof(ULONG), nullptr) < 0)
+        return false;
+
+    // XOR pointer with key
+    *Pointer = (duint)((ULONG_PTR)(*Pointer) ^ cookie);
+    return true;
 }
\ No newline at end of file
diff --git a/src/dbg/memory.h b/src/dbg/memory.h
index 1f5e8658..6fddbf0c 100644
--- a/src/dbg/memory.h
+++ b/src/dbg/memory.h
@@ -37,4 +37,5 @@ bool MemGetPageRights(duint Address, char* Rights);
 bool MemPageRightsToString(DWORD Protect, char* Rights);
 bool MemPageRightsFromString(DWORD* Protect, const char* Rights);
 bool MemFindInPage(SimplePage page, duint startoffset, const std::vector<PatternByte> & pattern, std::vector<duint> & results, duint maxresults);
-bool MemFindInMap(const std::vector<SimplePage> & pages, const std::vector<PatternByte> & pattern, std::vector<duint> & results, duint maxresults, bool progress = true);
\ No newline at end of file
+bool MemFindInMap(const std::vector<SimplePage> & pages, const std::vector<PatternByte> & pattern, std::vector<duint> & results, duint maxresults, bool progress = true);
+bool MemDecodePointer(duint* Pointer);
\ No newline at end of file