Can someone explain why the following code returns a pointer inside ntdll.dll?
GetProcAddress(LoadLibraryA("kernel32.dll"), "EncodePointer");
GetProcAddress(LoadLibraryA("kernel32.dll"), "DecodePointer");
PS: If I call the function pointed to by kernel32's export table, a breakpoint is thrown.
This is a simple case of export forwarding, as described in one of Matt Pietrek's excellent MSDN magazine articles, An In-Depth Look into the Win32 Portable Executable File Format, Part 2.
You can verify this yourself with a tool like Dependency Walker or dumpbin.
dumpbin /exports kernel32.dll | grep codePointer
205 CC DecodePointer (forwarded to NTDLL.RtlDecodePointer)
240 EF EncodePointer (forwarded to NTDLL.RtlEncodePointer)
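The forwarding rule behind that dumpbin output, as an added example that is not part of the original answer: an export whose RVA falls inside the export directory's own address range is a pointer to a "DLL.Function" string rather than to code, and the loader resolves that string in the named DLL. The image below is a constructed buffer (offsets equal RVAs, ordinals start at 1), and `LocalExample` with RVA 0x2000 is a hypothetical non-forwarded export added for contrast.

```python
import struct

def cstr(image, rva):
    """Read a NUL-terminated ASCII string at the given RVA."""
    return image[rva:image.index(b"\0", rva)].decode("ascii")

def list_exports(image, dir_rva, dir_size):
    """Walk an IMAGE_EXPORT_DIRECTORY in a mapped image (offset == RVA).
    Returns {name: (ordinal, target)}; target is a forwarder string or a code RVA."""
    (_, _, _, _, _, base, n_funcs, n_names,
     funcs_rva, names_rva, ords_rva) = struct.unpack_from("<IIHHIIIIIII", image, dir_rva)
    exports = {}
    for i in range(n_names):
        name_rva, = struct.unpack_from("<I", image, names_rva + 4 * i)
        index, = struct.unpack_from("<H", image, ords_rva + 2 * i)
        if index >= n_funcs:
            continue  # malformed entry: index outside the address table
        func_rva, = struct.unpack_from("<I", image, funcs_rva + 4 * index)
        # PE rule: an export RVA that lands inside the export directory itself
        # is not code; it points at a "DLL.Function" forwarder string.
        forwarded = dir_rva <= func_rva < dir_rva + dir_size
        target = cstr(image, func_rva) if forwarded else func_rva
        exports[cstr(image, name_rva)] = (base + index, target)
    return exports

def build_sample():
    """Constructed image: two forwarded exports and one ordinary export."""
    entries = [("DecodePointer", "NTDLL.RtlDecodePointer"),
               ("EncodePointer", "NTDLL.RtlEncodePointer"),
               ("LocalExample", 0x2000)]  # hypothetical code RVA
    dir_rva, n = 0x100, len(entries)
    funcs_rva = dir_rva + 40  # the directory header is 40 bytes
    names_rva, ords_rva = funcs_rva + 4 * n, funcs_rva + 8 * n
    blob = bytearray(ords_rva + 2 * n)  # strings are appended after the tables

    def put(text):
        """Append a C string and return its RVA."""
        rva = len(blob)
        blob.extend(text.encode("ascii") + b"\0")
        return rva

    for i, (name, target) in enumerate(entries):
        func_rva = put(target) if isinstance(target, str) else target
        struct.pack_into("<I", blob, funcs_rva + 4 * i, func_rva)
        struct.pack_into("<I", blob, names_rva + 4 * i, put(name))
        struct.pack_into("<H", blob, ords_rva + 2 * i, i)
    struct.pack_into("<IIHHIIIIIII", blob, dir_rva, 0, 0, 0, 0, 0, 1, n, n,
                     funcs_rva, names_rva, ords_rva)
    return bytes(blob), dir_rva, len(blob) - dir_rva
```

Calling `list_exports(*build_sample())` yields the forwarder strings for the two pointer functions and a plain RVA for the third entry.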