I recently noticed that the 32-bit version of Cheat Engine has its Thread Environment Block at a higher address than what is available to the 32-bit address space. To my knowledge user space is only accessible up to address 0x7FFFFFFF, but this TEB was located at 0xFFFDB000. Every TEB I ever saw started at 0x7EFD8000 or 0x7EFDB000 and subsequent TEBs continued downwards. I assume since Cheat Engine is a memory scanner it is to simplify the scanning process. The Process Environment Block had also been moved. Can anyone please tell me how this is possible? Is this a setting in the Portable Executable, by any chance?
For 32-bit programs, the available addresses range from 0x00000000 to 0xFFFFFFFF, but on the x86 platform historically [0x00000000, 0x7FFFFFFF] was user space and [0x80000000, 0xFFFFFFFF] was kernel space. On x64, where 32-bit apps run in the WOW64 subsystem, this is no longer true: the whole 32-bit range, [0x80000000, 0xFFFFFFFF], is user space. But for compatibility reasons the system anyway restricts the user address space of WOW64 apps to 2GB, [0x00000000, 0x7FFFFFFF], by default. To break this and have a 4GB space you need to use the flag IMAGE_FILE_LARGE_ADDRESS_AWARE ("The application can handle addresses larger than 2 GB") in IMAGE_FILE_HEADER.Characteristics.
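As an added example (not code from the question, the answer, or Cheat Engine), the following Python walks the PE header of an image file to the IMAGE_FILE_HEADER and reports whether IMAGE_FILE_LARGE_ADDRESS_AWARE (0x0020) is set in Characteristics, which is the flag the answer names as the reason a WOW64 process can have its TEB above 0x7FFFFFFF. The build_minimal_pe helper and the sample headers it produces are constructed here for offline testing; the 2GB/4GB limit returned by user_space_limit is the answer's stated default for WOW64 processes, not a value read from the system.

```python
import struct
import sys

# Bits of IMAGE_FILE_HEADER.Characteristics (values from winnt.h).
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_LARGE_ADDRESS_AWARE = 0x0020
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_MACHINE_I386 = 0x014C

# IMAGE_FILE_HEADER layout: Machine, NumberOfSections, TimeDateStamp,
# PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
COFF_HEADER_FMT = "<HHIIIHH"
COFF_HEADER_SIZE = struct.calcsize(COFF_HEADER_FMT)  # 20 bytes


def parse_coff_header(data: bytes) -> dict:
    """Follow IMAGE_DOS_HEADER.e_lfanew to the 'PE\\0\\0' signature and
    decode the IMAGE_FILE_HEADER that immediately follows it."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 + COFF_HEADER_SIZE > len(data):
        raise ValueError("e_lfanew points past end of file")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    fields = struct.unpack_from(COFF_HEADER_FMT, data, e_lfanew + 4)
    names = ("Machine", "NumberOfSections", "TimeDateStamp",
             "PointerToSymbolTable", "NumberOfSymbols",
             "SizeOfOptionalHeader", "Characteristics")
    return dict(zip(names, fields))


def is_large_address_aware(data: bytes) -> bool:
    """True when IMAGE_FILE_LARGE_ADDRESS_AWARE is set in Characteristics."""
    return bool(parse_coff_header(data)["Characteristics"]
                & IMAGE_FILE_LARGE_ADDRESS_AWARE)


def user_space_limit(data: bytes) -> int:
    """Highest user-mode address a WOW64 process built from this image gets
    by default, per the answer above: 2GB unless the flag is set, 4GB otherwise."""
    return 0xFFFFFFFF if is_large_address_aware(data) else 0x7FFFFFFF


def build_minimal_pe(characteristics: int) -> bytes:
    """Constructed test input: a 64-byte DOS header whose e_lfanew points
    straight at a PE signature plus a 20-byte IMAGE_FILE_HEADER. Only the
    fields this parser reads are meaningful; the optional header is absent."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew = 0x40
    coff = struct.pack(COFF_HEADER_FMT, IMAGE_FILE_MACHINE_I386,
                       0, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    # Usage: python pe_laa.py <image.exe>   (checks a real file on disk)
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:
        image = build_minimal_pe(IMAGE_FILE_EXECUTABLE_IMAGE
                                 | IMAGE_FILE_32BIT_MACHINE
                                 | IMAGE_FILE_LARGE_ADDRESS_AWARE)
    hdr = parse_coff_header(image)
    print("Machine=0x%04X Characteristics=0x%04X LARGE_ADDRESS_AWARE=%s limit=0x%08X"
          % (hdr["Machine"], hdr["Characteristics"],
             is_large_address_aware(image), user_space_limit(image)))
```

Run it against a real 32-bit executable to see whether its loader will hand it the full 4GB WOW64 range; a TEB or PEB at an address such as 0xFFFDB000 is consistent only with the flag being set.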