
I recently noticed that the 32-bit version of Cheat Engine has its Thread Environment Block at a higher address than what is available to the 32-bit address space. To my knowledge user space is only accessible up to address 0x7FFFFFFF, but this TEB was located at 0xFFFDB000. Every TEB I ever saw started at 0x7EFD8000 or 0x7EFDB000 and subsequent TEBs continued downwards. I assume since Cheat Engine is a memory scanner it is to simplify the scanning process. The Process Environment Block had also been moved. Can anyone please tell me how this is possible? Is this a setting in the Portable Executable, by any chance?

Mikubyte
  • in a wow64 process `FFFDB000` is a possible and correct address – RbMm Jul 18 '17 at 23:40
  • @RbMm It is indeed a WOW64 process. I've never ever seen this happen to any other TEB, though. They always seem to start at 0x7EFD8000 or 0x7EFDB000. What makes this program so special, you think? – Mikubyte Jul 18 '17 at 23:42
  • @RbMm I'm using Win7 x64. – Mikubyte Jul 18 '17 at 23:43
  • really, for 32-bit space all addresses from 0 to `0xffffffff` are available. simply on x86 windows kernel space begins from `0x80000000`, while on x64 windows (wow64 processes) all this space is user-mode process space. and the teb can be at any page-aligned address – RbMm Jul 18 '17 at 23:49
  • i looked on win7 - this is the usual situation for wow64 processes - where the teb and peb are placed. so nothing special in your process. nobody moves the teb or peb. the system allocates it at this address – RbMm Jul 18 '17 at 23:52
  • @RbMm I'm with you. I just find it very peculiar that this program always has its TEB at this exact address (0xFFFDB000), yet if I run another program which has a larger memory footprint it still gets the TEB at 0x7EFD8000. My guess is that the program somehow asks for the system allocations to be moved further up. – Mikubyte Jul 18 '17 at 23:53
  • this is a feature of win7. not only related to this program – RbMm Jul 18 '17 at 23:55
  • @RbMm Sorry, I don't understand what you mean. Don't you find it suspicious it always happens to the same program but no other programs? – Mikubyte Jul 19 '17 at 00:00
  • i just looked at a win7 x64 wow64 process - here also the teb is at the `FFFDB000` address. nothing suspicious – RbMm Jul 19 '17 at 00:01
  • @RbMm Did you try a random program or Cheat Engine? – Mikubyte Jul 19 '17 at 00:03
  • i tried a random program – RbMm Jul 19 '17 at 00:03
  • @RbMm Crap. Windows strikes again. Thanks. – Mikubyte Jul 19 '17 at 00:09
  • this is for files which have the flag `IMAGE_FILE_LARGE_ADDRESS_AWARE` in `IMAGE_FILE_HEADER.Characteristics` – RbMm Jul 19 '17 at 00:11
  • @RbMm Thanks, it was exactly something like this I was looking for. Just to be sure, then this must mean both Cheat Engine and the program you tried used this PE characteristic, yes? – Mikubyte Jul 19 '17 at 00:15
  • yes. programs without this flag are limited to 0x80000000 – RbMm Jul 19 '17 at 00:15
  • @RbMm Please write an answer so I can upvote you. – Mikubyte Jul 19 '17 at 00:17

1 Answer

For 32-bit programs the available addresses are from 0x00000000 to 0xFFFFFFFF, but on the x86 platform historically [0x00000000, 0x7FFFFFFF] was user space and [0x80000000, 0xFFFFFFFF] kernel space. But on x64, where 32-bit apps run in the WOW64 subsystem, this is no longer true: the whole 32-bit range, [0x80000000, 0xFFFFFFFF] as well, is user space. But for compatibility reasons the system anyway restricts the user address space of WOW64 apps to 2 GB [0x00000000, 0x7FFFFFFF] by default. To break this and have a 4 GB space you need to use the flag

`IMAGE_FILE_LARGE_ADDRESS_AWARE` ("The application can handle addresses larger than 2 GB.") in `IMAGE_FILE_HEADER.Characteristics`

On 64-bit editions of Windows, 32-bit applications marked with the IMAGE_FILE_LARGE_ADDRESS_AWARE flag have 4 GB of address space available.

RbMm
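As an added example (not part of the answer above, and not Cheat Engine's or Windows' own code), the following Python script reads `IMAGE_FILE_HEADER.Characteristics` straight out of a PE image and reports whether `IMAGE_FILE_LARGE_ADDRESS_AWARE` (bit 0x0020) is set, which is exactly the check the WOW64 loader makes before granting the 4 GB range. It also answers the question's practical concern: given the flag, is an address such as 0xFFFDB000 reachable by the process? The PE header it parses is a constructed stub built in memory by `build_stub_pe`, so the script runs offline; pointing `coff_characteristics` at the bytes of a real `.exe` works the same way.

```python
import struct

# Constants from winnt.h
IMAGE_DOS_SIGNATURE = 0x5A4D             # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550          # "PE\0\0"
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_LARGE_ADDRESS_AWARE = 0x0020  # "can handle addresses larger than 2 GB"

# IMAGE_FILE_HEADER layout right after the 4-byte "PE\0\0" signature:
# Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
# NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
_FILE_HEADER_FMT = "<HHIIIHH"
_FILE_HEADER_SIZE = struct.calcsize(_FILE_HEADER_FMT)  # 20 bytes


def coff_characteristics(data: bytes) -> int:
    """Return IMAGE_FILE_HEADER.Characteristics from the bytes of a PE file."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not a DOS/PE file (missing MZ signature)")
    # e_lfanew at offset 0x3C points at the NT headers
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 + _FILE_HEADER_SIZE > len(data):
        raise ValueError("truncated or bogus e_lfanew")
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE\\0\\0 signature")
    fields = struct.unpack_from(_FILE_HEADER_FMT, data, e_lfanew + 4)
    return fields[6]  # Characteristics


def is_large_address_aware(data: bytes) -> bool:
    """True if the image is marked IMAGE_FILE_LARGE_ADDRESS_AWARE."""
    return bool(coff_characteristics(data) & IMAGE_FILE_LARGE_ADDRESS_AWARE)


def wow64_user_space_limit(characteristics: int) -> int:
    """Highest user-mode address a 32-bit image gets under WOW64:
    4 GB with the flag, the compatibility 2 GB without it."""
    if characteristics & IMAGE_FILE_LARGE_ADDRESS_AWARE:
        return 0xFFFFFFFF
    return 0x7FFFFFFF


def address_reachable(addr: int, data: bytes) -> bool:
    """Could this 32-bit image ever see a user-mode page at `addr` under WOW64?"""
    return 0 <= addr <= wow64_user_space_limit(coff_characteristics(data))


def build_stub_pe(characteristics: int) -> bytes:
    """Constructed minimal PE header (DOS stub + PE signature + file header) for testing."""
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, len(dos))  # e_lfanew: NT headers start right after
    file_header = struct.pack(_FILE_HEADER_FMT, IMAGE_FILE_MACHINE_I386,
                              0, 0, 0, 0, 0, characteristics)
    return bytes(dos) + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_header


if __name__ == "__main__":
    teb = 0xFFFDB000  # the TEB address from the question
    for label, flags in (("LAA image", IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_LARGE_ADDRESS_AWARE),
                         ("non-LAA image", IMAGE_FILE_32BIT_MACHINE)):
        pe = build_stub_pe(flags)
        print(f"{label}: Characteristics=0x{coff_characteristics(pe):04X} "
              f"LAA={is_large_address_aware(pe)} "
              f"TEB 0x{teb:08X} reachable={address_reachable(teb, pe)}")
```

The practical reason to run this check on your own 32-bit binaries is that code which stores a user-mode pointer in a signed 32-bit integer, or assumes the top bit of an address is never set, silently breaks once the image is marked large-address-aware and the loader starts handing out pages above 0x7FFFFFFF, as the TEB at 0xFFFDB000 shows.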