Geoff Chappell - Software Analyst
The public symbol file NTKRPAMP.PDB for the original release of 32-bit Windows 10 tells that the kernel is built with the PEBTEB.H header at
and draws from it the following type definitions:
The header PEBTEB.H is not known in any Device Driver Kit (DDK) or Windows Driver Kit (WDK).
The unusual definition of multiple structures at the same line can be explained, at least partially, by multiple inclusion designed to produce slightly different definitions depending on the prior definition of macros that govern conditional compilation. This is confirmed by the disclosure of WOW64T.H in the “minwin” directory of the Windows Driver Kit (WDK) for Windows 10 in the original and Version 1511 editions. Among the reasons for suspecting that this directory’s disclosure was an oversight is that more than a few of its headers would include others that are not supplied. WOW64T.H is one example in that it would include the unsupplied PEBTEB.H, but especially notable is that WOW64T.H would include PEBTEB.H twice: once with a macro PEBTEB_BITS defined as 32; next with it redefined as 64.
What differs between the _TEB structure and its conditionally compiled _TEB32 and _TEB64 variants is that the latter two have all the former’s pointers changed to ULONG and ULONGLONG, respectively. The public symbol files for the 64-bit kernel confirm that the transformation also applies to the _PEB structure, to define _PEB32 and _PEB64. It is not presently understood why the public symbol files for the 32-bit kernel have any of the 32-bit and 64-bit variants.
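The pointer-to-integer transformation described above can be sketched in a single file. This is an added example, not code from PEBTEB.H or any Microsoft header: the `DEMO_DEFINE` macro stands in for including one header once per PEBTEB_BITS value, and the `DEMO_*` structures, their members and `demo_read_self` are hypothetical, not the real _TEB layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical miniature structure, not the real _TEB. The macro body stands
   in for a header that is included once per bits setting: each expansion
   swaps every pointer member for an integer of the chosen width. */
#define DEMO_DEFINE(NAME, PTR) \
    typedef struct NAME {      \
        PTR      Next;         \
        PTR      Base;         \
        uint32_t Id;           \
        PTR      Self;         \
    } NAME

DEMO_DEFINE(DEMO_NATIVE, void *);  /* like _TEB: real pointers */
DEMO_DEFINE(DEMO32, uint32_t);     /* like _TEB32: pointers become ULONG */
DEMO_DEFINE(DEMO64, uint64_t);     /* like _TEB64: pointers become ULONGLONG */

/* Read the Self member from raw bytes captured from a 32-bit or 64-bit
   target. Because the variants hold integers rather than pointers, their
   layouts do not depend on the pointer size of the code doing the reading.
   Returns 0 on success, -1 for bad arguments, an unsupported bits value or
   a buffer too short for the requested variant. */
int demo_read_self(const unsigned char *buf, size_t len, int bits,
                   uint64_t *self)
{
    if (buf == NULL || self == NULL)
        return -1;
    if (bits == 32 && len >= sizeof(DEMO32)) {
        DEMO32 t;
        memcpy(&t, buf, sizeof t);
        *self = t.Self;            /* widened from 32 bits */
        return 0;
    }
    if (bits == 64 && len >= sizeof(DEMO64)) {
        DEMO64 t;
        memcpy(&t, buf, sizeof t);
        *self = t.Self;
        return 0;
    }
    return -1;
}
```

Only the native variant changes size with the compiler's target; the 32-bit and 64-bit variants keep the same member offsets in either build.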