fix: use memory-mapped image for API module decoy PEs

The ApiModuleLoader was writing raw PE file bytes into emulated memory,
but PE sections have different file offsets vs virtual addresses. Shellcode
that walks the PEB InInitializationOrderModuleList to find kernel32 and
then parses its export directory would read garbage because the .edata
section data was at its file offset rather than its virtual address.

Use pefile's get_memory_mapped_image() so sections are placed at their
correct virtual addresses, matching how Windows loads DLLs.

Also fixes Process.ldr_entries being a shared class-level mutable default
instead of a per-instance list, and corrects the test config module order
to list ntdll before kernel32 (matching the default config).

Closes #45

remove unnecessary test file

Author: williballenthin

speakeasy/windows/objman.py

@@ -477,6 +477,7 @@ def __init__(self, emu, pe=None, user_modules=None, name="", path="", cmdline=""
             list_entry = self.address + 0x188
             self.emu.mem_write(list_entry, list_entry.to_bytes(8, "little"))
             self.emu.mem_write(list_entry + 8, list_entry.to_bytes(8, "little"))
+        self.ldr_entries: list[LdrDataTableEntry] = []
         self.name: str = name
         self.base: int = base
         self.pid: int = self.id

tests/test.json

@@ -296,16 +296,16 @@
         ],
 
         "user_modules": [
-                {
-                    "name": "kernel32",
-                    "base_addr": "0x77000000",
-                    "path": "C:\\Windows\\system32\\kernel32.dll"
-                },
                 {
                     "name": "ntdll",
                     "base_addr": "0x7C000000",
                     "path": "C:\\Windows\\system32\\ntdll.dll"
                 },
+                {
+                    "name": "kernel32",
+                    "base_addr": "0x77000000",
+                    "path": "C:\\Windows\\system32\\kernel32.dll"
+                },
 
                 {
                     "name": "ws2_32",