OllyDbg can only see one NtXxx function exported f
1bitshort
April 26th, 2004, 22:20
1) Load any process (I used notepad.exe)
2) Go to View | Executable Modules
3) Right-click on ntdll.dll, and select View Names
... why is NtOpenProcess not in the list? Actually I can only see ONE exported NtXxx function
Win32dasm had no problems seeing all NtXxx exported functions, so it seems to be a bug with OllyDbg?
focht
April 26th, 2004, 23:10
Greetings!
Win32dasm had no problems seeing all NtXxx exported functions, so it seems to be a bug with OllyDbg?
Not necessarily.
For user mode processes, the two native API forms "NtXxx" and "ZwXxx" are equivalent and are just different symbols for the same entry point in ntdll.dll (it exports one routine with two names).
How does it work?
Well, the code executes the system service dispatcher instruction (int 2E) to enter kernel mode.
The kernel mode code that executes in response to this instruction records the previous mode of the process in the ETHREAD structure of the current thread before calling the function that implements the native system service.
Kernel mode code links against ntoskrnl.exe rather than ntdll.dll.
The two different forms of the system service name point to different entry points: the ZwXxx format entry point contains a copy of the code from ntdll.dll, which re-enters the kernel and uses the system service dispatcher; the NtXxx format entry point contains the actual implementation of the system service.
So it might be a "feature" of OllyDbg regarding "NtXxx/ZwXxx" exports in user mode.
Though one might argue that "view names" list does not exactly resemble the exports table.
Regards,
A. Focht
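As an added example (not code from this thread, from OllyDbg or from Win32dasm), the following Python export-table walker shows the distinction focht describes: one routine exported under two names. It builds a constructed PE32 file whose export table mimics ntdll's NtXxx/ZwXxx aliasing (NtOpenProcess and the other names are real ntdll export names, but the RVAs, the image layout and every function and constant name below are this example's own assumptions), then lists the exports per name, the view in which both NtOpenProcess and ZwOpenProcess appear, and per entry point, the view in which an alias pair collapses to a single entry. Passing the bytes of a real DLL to parse_exports gives the same two views for it.

```python
import struct
from collections import defaultdict

SECTION_RVA = 0x1000   # constructed: RVA at which the .edata section is mapped
SECTION_RAW = 0x200    # constructed: file offset of the .edata raw data


def build_constructed_image():
    """Build a minimal PE32 file that contains nothing but an export table.
    The aliasing (NtXxx and ZwXxx sharing one RVA) mimics ntdll.dll; the RVA
    values and the layout are constructed for this example."""
    exports = [("NtClose", 0x2000), ("NtOpenProcess", 0x2100),
               ("RtlGetVersion", 0x2200), ("ZwClose", 0x2000),
               ("ZwOpenProcess", 0x2100)]   # kept sorted, as the PE spec requires
    n = len(exports)
    funcs_off = 40                           # the export directory itself is 40 bytes
    names_off = funcs_off + 4 * n
    ords_off = names_off + 4 * n
    strings_off = ords_off + 2 * n
    strings = bytearray(b"ntdll.dll\0")      # DLL name leads the string pool
    name_rvas = []
    for name, _ in exports:
        name_rvas.append(SECTION_RVA + strings_off + len(strings))
        strings += name.encode("ascii") + b"\0"
    section = bytearray(struct.pack(
        "<IIHHIIIIIII", 0, 0, 0, 0, SECTION_RVA + strings_off, 1, n, n,
        SECTION_RVA + funcs_off, SECTION_RVA + names_off, SECTION_RVA + ords_off))
    section += b"".join(struct.pack("<I", rva) for _, rva in exports)  # AddressOfFunctions
    section += b"".join(struct.pack("<I", r) for r in name_rvas)       # AddressOfNames
    section += b"".join(struct.pack("<H", i) for i in range(n))        # AddressOfNameOrdinals
    section += strings
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                           # e_lfanew -> NT headers
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)  # i386, 1 section, DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96, SECTION_RVA, len(section))     # export data directory
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".edata", len(section), SECTION_RVA,
                          0x200, SECTION_RAW, 0, 0, 0, 0, 0x40000040)
    image = dos + b"PE\0\0" + file_hdr + opt + sec_hdr
    image += bytes(SECTION_RAW - len(image))
    return bytes(image + section + bytes(0x200 - len(section)))


def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section table."""
    for va, vsize, raw, rsize in sections:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_exports(data):
    """Return (dll_name, [(name, ordinal, rva, forwarder_or_None), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)    # data directories: PE32 vs PE32+
    exp_rva, exp_size = struct.unpack_from("<II", data, dd)
    if exp_rva == 0:
        return None, []
    sections = []
    for i in range(nsec):
        vsize, va, rsize, raw = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw, rsize))
    e = _rva_to_offset(sections, exp_rva)
    (name_rva, base, _nfunc, nnames, funcs_rva, names_rva,
     ords_rva) = struct.unpack_from("<IIIIIII", data, e + 12)
    funcs_off = _rva_to_offset(sections, funcs_rva)
    names_off = _rva_to_offset(sections, names_rva)
    ords_off = _rva_to_offset(sections, ords_rva)
    result = []
    for i in range(nnames):
        nrva = struct.unpack_from("<I", data, names_off + 4 * i)[0]
        idx = struct.unpack_from("<H", data, ords_off + 2 * i)[0]
        frva = struct.unpack_from("<I", data, funcs_off + 4 * idx)[0]
        # An RVA that lands inside the export directory is a forwarder string, not code
        fwd = _cstr(data, _rva_to_offset(sections, frva)) if exp_rva <= frva < exp_rva + exp_size else None
        result.append((_cstr(data, _rva_to_offset(sections, nrva)), base + idx, frva, fwd))
    return _cstr(data, _rva_to_offset(sections, name_rva)), result


def group_by_address(exports):
    """Per-entry-point view: every name that resolves to the same RVA lands in one bucket."""
    grouped = defaultdict(list)
    for name, _ordinal, rva, fwd in exports:
        if fwd is None:
            grouped[rva].append(name)
    return {rva: sorted(names) for rva, names in grouped.items()}


if __name__ == "__main__":
    dll, exports = parse_exports(build_constructed_image())
    print(f"{dll}: per-name view ({len(exports)} entries)")
    for name, ordinal, rva, _ in exports:
        print(f"  {ordinal:3d} {rva:#010x} {name}")
    print("per-entry-point view")
    for rva, names in sorted(group_by_address(exports).items()):
        print(f"  {rva:#010x} {' / '.join(names)}")
```

In the per-name view both names of each alias pair are listed; in the per-entry-point view each pair is one line, which is the kind of collapsing a names window keyed on addresses would show. Forwarded exports are reported with their forwarder string and left out of the address grouping, since they have no entry point in the image itself.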