Whitepaper called GDT and LDT in Windows kernel vulnerability exploit. This paper discusses using 1 or 4 byte write-what-where conditions to convert a custom Data-Segment Descriptor entry in LDT of a process into a Call-Gate (with DPL set to 3 and RPL to 0).
5c8da344b3b6b9b298c6abf88c6abc9b8388ea7855997e8d22f4bdd058f0fb20