This flag is needed to suport emulation of .net executables
that don't have an entry point set in PE header. This applies
to both PE32 and PE64 executables. If InitialThread is set
the loader substitutes an entry point of the .net executable
with mscoree.dll!_CorExeMain.
When emulating `WOW64` samples sometimes you can see a garbige like
this:
```
Executing syscall: NtQueryAttributesFile (0x3D) at 0x18009dd42 via 0x100037f1c (wow64.dll)
--> Querying file attributes: \??\C:\SH╠мхЯЦэР╜р░АC:\Windows\SYSTEM32\VCRUNTIME140.dll
```
This is because of incorrect `PEB32` creation that leads to damaging
several `UNICODE_STRING` fields in `ProcessParameters`.
This PR fixes that.
This PR fixes incorrect size when using `uc_hook_add`.
`uc_hook_add`'s memory range is inclusive on both sides. So we need to
adjust an ending address to keep correct size.
This is manifested, for example, when using gdb. If a breakpoint is set
on a 1-byte instruction, you won't be able to single-step the next
instruction because that instruction also triggers the breakpoint, which
the debugger doesn't expect.
This PR fixes getting `ProcessBasicInformation`.
When emulating a program that uses
[ProcessPrng](https://learn.microsoft.com/ru-ru/windows/win32/seccng/processprng)
function from `BCryptPrimitives.dll`, an error occurs:
```
Unimplemented syscall: NtCallbackReturn - 0x5 (raw: 0x8000005)
```
`BCryptPrimitives.dll` checks whether the running process is a [secure
process](https://learn.microsoft.com/en-us/windows/win32/procthread/isolated-user-mode--ium--processes).
If it is, then `iumbase.dll` is loaded. `iumbase.dll` depends on
`iumdll.dll` that's like an `ntdll.dll` for secure processes, and it has
its own subset of system calls with different syscall numbers. So,
`0x8000005` is not `NtCallbackReturn`, it is `IumCrypto`.
But why does `BCryptPrimitives.dll` get into trouble? It calls
`NtQueryInformationProcess` with class `ProcessBasicInformation` and
`ProcessInformationLength == 0x40`. It turned out that it is a special
case and it's even documented in the aforemantioned link, look for the
definition of the function `IsSecureProcess`.
