This PR fixes some issues with VMP program emulation. It has
successfully allowed programs protected by VMP 3.5 to run normally, and
it modifies the following functions:
1. Correct implementation of ProcessInstrumentationCallback
2. Add missing path check in handle_NtCreateFile
3. Fix the check in handle_NtOpenSection
4. Fix the behavioral differences between the emulator and the kernel
when the return value is an invalid pointer
5. Add printing of the content of the NtRaiseHardError message box
6. Bypass NtClose detection for VMP
When emulating `WOW64` samples sometimes you can see a garbige like
this:
```
Executing syscall: NtQueryAttributesFile (0x3D) at 0x18009dd42 via 0x100037f1c (wow64.dll)
--> Querying file attributes: \??\C:\SH╠мхЯЦэР╜р░АC:\Windows\SYSTEM32\VCRUNTIME140.dll
```
This is because of incorrect `PEB32` creation that leads to damaging
several `UNICODE_STRING` fields in `ProcessParameters`.
This PR fixes that.
This PR fixes incorrect size when using `uc_hook_add`.
`uc_hook_add`'s memory range is inclusive on both sides. So we need to
adjust an ending address to keep correct size.
This is manifested, for example, when using gdb. If a breakpoint is set
on a 1-byte instruction, you won't be able to single-step the next
instruction because that instruction also triggers the breakpoint, which
the debugger doesn't expect.
This PR fixes getting `ProcessBasicInformation`.
When emulating a program that uses
[ProcessPrng](https://learn.microsoft.com/ru-ru/windows/win32/seccng/processprng)
function from `BCryptPrimitives.dll`, an error occurs:
```
Unimplemented syscall: NtCallbackReturn - 0x5 (raw: 0x8000005)
```
`BCryptPrimitives.dll` checks whether the running process is a [secure
process](https://learn.microsoft.com/en-us/windows/win32/procthread/isolated-user-mode--ium--processes).
If it is, then `iumbase.dll` is loaded. `iumbase.dll` depends on
`iumdll.dll` that's like an `ntdll.dll` for secure processes, and it has
its own subset of system calls with different syscall numbers. So,
`0x8000005` is not `NtCallbackReturn`, it is `IumCrypto`.
But why does `BCryptPrimitives.dll` get into trouble? It calls
`NtQueryInformationProcess` with class `ProcessBasicInformation` and
`ProcessInformationLength == 0x40`. It turned out that it is a special
case and it's even documented in the aforemantioned link, look for the
definition of the function `IsSecureProcess`.
Emulated applications are currently able to access files from the host
system, rather than being restricted to the virtualized file system, by
using `Section` related Syscalls. This behavior appears to have been
introduced in:
- 2024-12-13: [Prepare better section support
(syscalls.cpp:582)](719a50444e (diff-96c7de348bdc06e650bdc371a600a91f80594d4201afd7a28ffa160fa755be9dR582))
- 2025-10-13: [Comprehensive WOW64 subsystem implementation
(section.cpp:141)](65eecf1cfd (diff-415eed3b4b314dc10cc9f7926687770be53799766bc9a4edca2a7f4a45477169R141)))
Because the emulator is [advertised for malware
analysis](https://github.com/momo5502/sogen/blob/main/README.md), this
unintended access path could be considered a security concern.
This PR only fixes two current misuses of an API that interacts with the
host system. As a long term solution, APIs that interact with host
resources should consistently use C++ types that enforce translation of
resource identifiers (e.g., file and registry paths) into their emulated
equivalents. This would help prevent future misuse and ensure that
emulated applications remain isolated from the host environment.
