The change from fixed size 0xF0 to sizeof(PS_SYSTEM_DLL_INIT_BLOCK)
(which is 0x128 for V3 struct) causes memory corruption when using
Windows 10 system files.
**Before (working):**
```
constexpr uint64_t symtem_dll_init_block_fix_size = 0xF0; // Wine or WIN10
init_block.Size = symtem_dll_init_block_fix_size;
// ...
this->memory_->write_memory(ldr_init_block_addr, &init_block, symtem_dll_init_block_fix_size);
```
**After (broken):**
```
constexpr uint64_t system_dll_init_block_size = sizeof(PS_SYSTEM_DLL_INIT_BLOCK); // = 0x128
init_block.Size = system_dll_init_block_size;
// ...
this->memory_->write_memory(ldr_init_block_addr, &init_block, write_size);
```
**Symptom:**
```
Executing syscall: NtQueryVirtualMemory (0x23) at 0x18009d442 via 0x1800d4920 (ntdll.dll)
Interrupt 41
Suspicious: Breakpoint at 0x1800ac7d8 (via 0x1800ac7d5)
Executing syscall: NtQueryVirtualMemory (0x23) at 0x18009d442 via 0x180033579 (ntdll.dll)
Executing syscall: NtQueryVirtualMemory (0x23) at 0x18009d442 via 0x180033579 (ntdll.dll)
Executing syscall: NtQueryVirtualMemory (0x23) at 0x18009d442 via 0x180033579 (ntdll.dll)
Executing syscall: NtQueryVirtualMemory (0x23) at 0x18009d442 via 0x180033579 (ntdll.dll)
Bad address for memory image request: 0x5f0000
Executing syscall: NtRaiseException (0x168) at 0x18009fcd2 via 0x1800a0ee3 (ntdll.dll)
!!! NtRaiseException: Code=0x80000003, Flags=0x0, Address=0x1800ac7d7, NumParams=0, HandleException=0
Emulation terminated without status!
```
**Root cause:** PS_SYSTEM_DLL_INIT_BLOCK has different sizes across
Windows versions. It needs to detect the Windows version from ntdll and
use the appropriate size. I will submit a PR to fix this issue soon.
Fixes#641
This PR is my attempt to add support for user32 objects and the user32
handle table. I also added a test, but as expected, it fails on Windows
2022. I’ll try to fix that another day, but feel free to review the code
😄
