Geoff Chappell - Software Analyst
The public symbol file NTKRPAMP.PDB for the original release of 32-bit Windows 10 tells that the kernel is built with the PEBTEB.H header at
and draws from it the following type definitions:
The header PEBTEB.H is not known in any Device Driver Kit (DDK) or Windows Driver Kit (WDK).
The unusual definition of multiple structures at the same line can be explained, at least partially, by multiple inclusion designed to produce slightly different definitions depending on prior definition of macros that govern conditional compilation. This is confirmed by the disclosure of WOW64T.H in the “minwin” directory of the Windows Driver Kit (WDK) for Windows 10 in the original and Version 1511 editions. Among the reasons for suspecting that this directory’s disclosure was an oversight is that more than a few of its headers would include others that are not supplied. WOW64T.H is one example in that it would include the unsupplied PEBTEB.H, but specially notable is that WOW64T.H would include PEBTEB.H twice: once with a macro PEBTEB_BITS defined as 32, presumably so that the included header’s definition of _TEB instead defines _TEB32; next with it redefined as 64.
What differs between the _TEB structure and its conditionally compiled _TEB32 and _TEB64 variants is that the last two have all the first’s pointers changed to ULONG and ULONGLONG, respectively. The public symbol files for the 64-bit kernel confirm that a similar transformation also applies to the _PEB structure, to define _PEB32 and _PEB64. It is not presently understood why the public symbol files for the 32-bit kernel have any of the 32-bit and 64-bit variants, let alone why they have them for the _TEB but not the _PEB.
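The PEBTEB_BITS mechanism described above, as an added example that is not Microsoft's header or code: one struct body is expanded once per "inclusion" with the pointer type swapped for ULONG or ULONGLONG, and the resulting layouts are compared. Since this is a single file, the twice-included header is emulated by a macro parameter rather than a real second `#include`; the field names are a hypothetical reduced stand-in, not the real TEB layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Windows-style fixed-width names, defined here so the example builds anywhere. */
typedef uint32_t ULONG;
typedef uint64_t ULONGLONG;
typedef void *PVOID;

/* One struct body, expanded once per "inclusion". In PEBTEB.H the pointer type
 * is chosen by PEBTEB_BITS before each include of the header; here the choice
 * is passed in as the PTR parameter, which has the same effect in one file.
 * The fields are a hypothetical reduced stand-in, not the real TEB layout. */
#define PEBTEB_DECLARE(NAME, PTR)          \
    struct NAME {                          \
        PTR ExceptionList;                 \
        PTR StackBase;                     \
        PTR StackLimit;                    \
        ULONG Version;                     \
        ULONG Flags;                       \
        PTR ProcessEnvironmentBlock;       \
    }

PEBTEB_DECLARE(TEB_DEMO, PVOID);        /* stands in for _TEB: no PEBTEB_BITS     */
PEBTEB_DECLARE(TEB32_DEMO, ULONG);      /* _TEB32: PEBTEB_BITS 32, pointers -> ULONG */
PEBTEB_DECLARE(TEB64_DEMO, ULONGLONG);  /* _TEB64: PEBTEB_BITS 64, -> ULONGLONG   */

/* Field offsets diverge between the variants, which is why code that reads
 * another process's TEB must use the variant that matches that process. */
size_t teb32_peb_offset(void) { return offsetof(struct TEB32_DEMO, ProcessEnvironmentBlock); }
size_t teb64_peb_offset(void) { return offsetof(struct TEB64_DEMO, ProcessEnvironmentBlock); }

/* Widen a 32-bit view into the 64-bit view field by field; a memcpy would be
 * wrong because neither the field widths nor the offsets line up. */
struct TEB64_DEMO widen_teb32(const struct TEB32_DEMO *t32)
{
    struct TEB64_DEMO t64 = {0};
    t64.ExceptionList = t32->ExceptionList;
    t64.StackBase = t32->StackBase;
    t64.StackLimit = t32->StackLimit;
    t64.Version = t32->Version;
    t64.Flags = t32->Flags;
    t64.ProcessEnvironmentBlock = t32->ProcessEnvironmentBlock;
    return t64;
}

int main(void)
{
    printf("TEB32: size %zu, PEB pointer at %zu\n", sizeof(struct TEB32_DEMO), teb32_peb_offset());
    printf("TEB64: size %zu, PEB pointer at %zu\n", sizeof(struct TEB64_DEMO), teb64_peb_offset());
    printf("native TEB: size %zu\n", sizeof(struct TEB_DEMO));
    return 0;
}
```

On a 64-bit build the native variant has the same size as TEB64_DEMO, while the 32-bit variant is the one a WOW64 process's own view would use.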
For completeness, symbol files that Microsoft has published for modules other than the kernel reveal two more types as defined in PEBTEB.H. These are the structures _TEB_ACTIVE_FRAME_CONTEXT_EX and _TEB_ACTIVE_FRAME_EX at lines 378 and 395, respectively.