What is the difference between NtCreateProcess and ZwCreateProcess?

对着背影说爱祢 提交于 2021-01-27 02:44:19

问题


What is the difference between NtCreateProcess and ZwCreateProcess? In ntdll.dll, both NtCreateProcess and ZwCreateProcess point to exactly the same address


回答1:


In user-mode the groups of Nt and Zw APIs are identical. In kernel mode they are different. The Nt API contains the actual implementation. The Zw API uses a system-call mechanism and ensures that it is calling in kernel-mode and that there is no need to check the parameters if they contain user-mode addresses. Otherwise you could use the API from user-mode with kernel parameters which would not be good. So it is just a safety mechanism.




回答2:


The in my opinion best answer can be found on OSR Online: here.

Alternatively you can read books on the Native API, such as the one from Gary Nebbett called "Windows NT/2000 Native API Reference", he devotes some space to this very question, or you can use WinDbg (pronounced as "wind-bag") yourself.



来源:https://stackoverflow.com/questions/4115558/what-is-the-difference-between-ntcreateprocess-and-zwcreateprocess

标签
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!