Menu
What is the difference between NtCreateProcess and ZwCreateProcess? In ntdll.dll, both NtCreateProcess and ZwCreateProcess point to exactly the same address
310
In user-mode the groups of Nt and Zw APIs are identical. In kernel mode they are different. The Nt API contains the actual implementation. The Zw API uses a system-call mechanism and ensures that it is calling in kernel-mode and that there is no need to check the parameters if they contain user-mode addresses. Otherwise you could use the API from user-mode with kernel parameters which would not be good. So it is just a safety mechanism.
161
Aside from the already given answer (which I don't want to parrot), in my opinion the best answer can be found on OSR Online: here.
Alternatively you can read books on the Native API, such as the one from Gary Nebbett called "Windows NT/2000 Native API Reference", he devotes some space to this very question, or you can use WinDbg (pronounced as "wind-bag") yourself.
29
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
