I'm writing driver that need to patch an export table of ntfs.sys. And i have some problems with it. In most cases everething is going ok, but sometimes (in various OS) the module handle of ntfs.sys is HIGHER than my module address(so I can't write negative value here) , so I can't patch export table because of it contains offset calculated from the begining of the module (in this case — ntfs.sys), but my module is lower than that.
Any suggestion ?

www>I'm writing driver that need to patch an export table of ntfs.sys. And i have some problems with it. In most cases everething is going ok, but sometimes (in various OS) the module handle of ntfs.sys is HIGHER than my module address(so I can't write negative value here) , so I can't patch export table because of it contains offset calculated from the begining of the module (in this case — ntfs.sys), but my module is lower than that.
www>Any suggestion ?

Try find (or alloc) some "memory pool" in victim module and create function stubs (like jmp real_proc) and connect these stubs with victim export table. I hope owervriting VERSION_INFO resource in victim module is not too dangerous. Enjoy.