When emulating `WOW64` samples sometimes you can see a garbige like
this:
```
Executing syscall: NtQueryAttributesFile (0x3D) at 0x18009dd42 via 0x100037f1c (wow64.dll)
--> Querying file attributes: \??\C:\SH╠мхЯЦэР╜р░АC:\Windows\SYSTEM32\VCRUNTIME140.dll
```
This is because of incorrect `PEB32` creation that leads to damaging
several `UNICODE_STRING` fields in `ProcessParameters`.
This PR fixes that.
This PR fixes incorrect size when using `uc_hook_add`.
`uc_hook_add`'s memory range is inclusive on both sides. So we need to
adjust an ending address to keep correct size.
This is manifested, for example, when using gdb. If a breakpoint is set
on a 1-byte instruction, you won't be able to single-step the next
instruction because that instruction also triggers the breakpoint, which
the debugger doesn't expect.
This PR fixes getting `ProcessBasicInformation`.
When emulating a program that uses
[ProcessPrng](https://learn.microsoft.com/ru-ru/windows/win32/seccng/processprng)
function from `BCryptPrimitives.dll`, an error occurs:
```
Unimplemented syscall: NtCallbackReturn - 0x5 (raw: 0x8000005)
```
`BCryptPrimitives.dll` checks whether the running process is a [secure
process](https://learn.microsoft.com/en-us/windows/win32/procthread/isolated-user-mode--ium--processes).
If it is, then `iumbase.dll` is loaded. `iumbase.dll` depends on
`iumdll.dll` that's like an `ntdll.dll` for secure processes, and it has
its own subset of system calls with different syscall numbers. So,
`0x8000005` is not `NtCallbackReturn`, it is `IumCrypto`.
But why does `BCryptPrimitives.dll` get into trouble? It calls
`NtQueryInformationProcess` with class `ProcessBasicInformation` and
`ProcessInformationLength == 0x40`. It turned out that it is a special
case and it's even documented in the aforemantioned link, look for the
definition of the function `IsSecureProcess`.
Emulated applications are currently able to access files from the host
system, rather than being restricted to the virtualized file system, by
using `Section` related Syscalls. This behavior appears to have been
introduced in:
- 2024-12-13: [Prepare better section support
(syscalls.cpp:582)](719a50444e (diff-96c7de348bdc06e650bdc371a600a91f80594d4201afd7a28ffa160fa755be9dR582))
- 2025-10-13: [Comprehensive WOW64 subsystem implementation
(section.cpp:141)](65eecf1cfd (diff-415eed3b4b314dc10cc9f7926687770be53799766bc9a4edca2a7f4a45477169R141)))
Because the emulator is [advertised for malware
analysis](https://github.com/momo5502/sogen/blob/main/README.md), this
unintended access path could be considered a security concern.
This PR only fixes two current misuses of an API that interacts with the
host system. As a long term solution, APIs that interact with host
resources should consistently use C++ types that enforce translation of
resource identifiers (e.g., file and registry paths) into their emulated
equivalents. This would help prevent future misuse and ensure that
emulated applications remain isolated from the host environment.
Adds default constructor to `emulator_object` for optional member
deserialization.
Restores `memory_interface` pointer for WOW64 structures after
deserialization.
