Tags: windows, winapi, createprocess, kernel-mode, ntdll

What is the difference between NtCreateProcess and ZwCreateProcess?


In ntdll.dll, both NtCreateProcess and ZwCreateProcess point to exactly the same address.


Solution

  • In user mode the groups of Nt and Zw APIs are identical. In kernel mode they are different. The Nt API contains the actual implementation. The Zw API uses a system-call mechanism and ensures that it is calling in kernel mode and that there is no need to check the parameters if they contain user-mode addresses. Otherwise you could use the API from user mode with kernel parameters, which would not be good. So it is just a safety mechanism.
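A way to check the observation in the question for several Nt/Zw pairs at once, as an added example that is not from the post or its answer: on Windows it resolves the names in the loaded ntdll.dll through kernel32!GetProcAddress via ctypes; on other platforms the export table it compares is constructed sample data, including one deliberate mismatch so the report path is exercised.

```python
"""Added example: check that ntdll's Nt* exports and their Zw* aliases share an address.
On Windows it asks the loaded ntdll.dll via kernel32!GetProcAddress (ctypes); elsewhere
it runs the same comparison over a small constructed export table."""
import ctypes
import sys

# Constructed stand-in for a few ntdll exports (name -> address). The NtClose/ZwClose
# mismatch is deliberate so the report shows what a divergence would look like;
# the real ntdll.dll has no such divergence.
SAMPLE_EXPORTS = {
    "NtCreateProcess": 0x7FFA1234A000, "ZwCreateProcess": 0x7FFA1234A000,
    "NtOpenProcess": 0x7FFA1234A020, "ZwOpenProcess": 0x7FFA1234A020,
    "NtClose": 0x7FFA1234A040, "ZwClose": 0x7FFA1234A080,
}

def compare_nt_zw(exports):
    """Split Nt* names into those whose Zw alias has the same address,
    a different address, or is missing from the export table."""
    same, different, missing = [], [], []
    for name, addr in exports.items():
        if not name.startswith("Nt"):
            continue
        zw = "Zw" + name[2:]
        if zw not in exports:
            missing.append(name)
        elif exports[zw] == addr:
            same.append(name)
        else:
            different.append(name)
    return same, different, missing

def resolve_in_ntdll(names):
    """Windows only: look up each export in the ntdll.dll mapped into this process.
    Each Nt/Zw pair is one stub under two names, so a user-mode inline hook placed
    at that address intercepts calls made through either name."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.GetModuleHandleW.restype, k32.GetModuleHandleW.argtypes = ctypes.c_void_p, [ctypes.c_wchar_p]
    k32.GetProcAddress.restype, k32.GetProcAddress.argtypes = ctypes.c_void_p, [ctypes.c_void_p, ctypes.c_char_p]
    ntdll = k32.GetModuleHandleW("ntdll.dll")  # ntdll is mapped into every process
    return {n: a for n in names if (a := k32.GetProcAddress(ntdll, n.encode("ascii")))}

if __name__ == "__main__":
    exports = resolve_in_ntdll(list(SAMPLE_EXPORTS)) if sys.platform == "win32" else SAMPLE_EXPORTS
    same, different, missing = compare_nt_zw(exports)
    for n in same:
        print(f"{n} and Zw{n[2:]} share {exports[n]:#x}")
    for n in different:
        print(f"{n} at {exports[n]:#x} but Zw{n[2:]} at {exports['Zw' + n[2:]]:#x}")
```

On a real Windows host the `different` list should come back empty for every pair you name; a non-empty result points at a patched or unusual ntdll rather than at the normal aliasing the answer describes.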