Search notes:

ntdll.dll

ntdll.dll exports the native API (the syscall interface).

Native API functions start with Nt and/or Zw. In the ntdll.dll, NtXYZ() and ZwXYZ() are doing the same.

Applications usually don't directly call functions within this DLL directly, they are linked against one of the four WinAPI DLLs kernel32.dll, advapi32.dll, gdi32.dll and user32.dll.

The native API is also referred to as

native system services (Microsoft's documentation)
system calls

An application (or more typically these four special dlls) call these NtXYZ() and ZwXYZ() functions in ntdll.dll in user mode. ntdll.dll then forwards these calls to functions with the same name in ntoskrnl.exe which runs in kernel mode.

In ntoskrnl.exe, however, NtXYZ() and ZwXYZ() are different.

The native API is not entirely documented because Microsoft expects a developer to use the functionality of ntdll via the documented WinAPI.

Most of the exported symbols of this DLL start with Nt (such as NtCreateFile).

ntdll.dll provides most of the runtime environment for native applications that they need to

perform file I/O
interact with device drivers
perform interprocess communication
etc.

Geoff Chappell points out that

Many functions that NTDLL exports are simply re-exported as KERNEL32 or ADVAPI32 functions. Put another way, some KERNEL32 and ADVAPI32 functions have no code in those DLLs but instead appear in the export directory of those DLLs only as forwards to NTDLL. For many more NTDLL functions, there is some KERNEL32 or ADVAPI32 function whose code in those DLLs just repackages the NTDLL function, e.g., to change the arguments sligthly.

ntdll.dll

See also