
DUMKOM anyone?


BanMe
July 11th, 2009, 22:31
Direct UserMode Kernel Object Management...
This idea was gleaned from many sites and used in practice by me in a plugin for C.E. to obtain the SSDT address.

I'm going to list some of the sites below for easy reference.

http://archives.neohapsis.com/archives/vulnwatch/2004-q1/att-0041/xploit_dbg.cpp

http://www.acm.uiuc.edu/projects/RingCycle/wiki/CallGates

http://www.cs.miami.edu/~burt/journal/NT/callgates.html

There's an actual testable sample here:
http://www.sleepersbrains.com/tutorials/saccopharynx/tutoriales.php#Ring0

Much more to come on this line of thought, further down the road.

Regards, BanMe

darawk
August 9th, 2009, 02:07
Another way to do this is to exploit csrss' use of the IOPL flags. The IOPL is almost like an add-on to the ring protection system, and a ring3 thread with an IOPL of 3 (which csrss threads have) can directly access hardware using the in/out instructions. It's not quite the same thing as DUMKOM, but it's similar enough to be relevant, I think.
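A worked model of the check darawk is describing, added here as an example and not code from the thread or from any of the linked sites. The x86 rule for IN/OUT is that the instruction executes when the current privilege level (CPL) is at or below the EFLAGS IOPL field (bits 12-13); otherwise the TSS I/O permission bitmap decides per port, with a clear bit permitting access and any port beyond the bitmap's limit faulting. The function names (`iopl_of`, `io_port_allowed`, `make_eflags`) and the sample bitmap `SAMPLE_BM` are my own constructions; the optional `read_rflags` helper assumes GCC/Clang inline assembly on x86-64 and reads the real flags of the running process, which for an ordinary user thread should report IOPL 0.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not code from the thread. Models the documented x86 rule
 * for IN/OUT: allowed when CPL <= IOPL, otherwise the TSS I/O permission
 * bitmap is consulted. All values below are constructed; nothing here
 * touches real hardware. */

#define EFLAGS_IOPL_SHIFT 12u
#define EFLAGS_IOPL_MASK  (3u << EFLAGS_IOPL_SHIFT)

/* Extract the 2-bit IOPL field (bits 12-13) from an EFLAGS image. */
unsigned iopl_of(uint32_t eflags) {
    return (eflags & EFLAGS_IOPL_MASK) >> EFLAGS_IOPL_SHIFT;
}

/* Build a constructed EFLAGS image with the requested IOPL.
 * 0x202 = IF set plus the always-set reserved bit 1. */
uint32_t make_eflags(unsigned iopl) {
    const uint32_t base = 0x202u;
    return base | ((iopl & 3u) << EFLAGS_IOPL_SHIFT);
}

/* I/O permission bitmap: one bit per port, 0 = access allowed.
 * len_bytes models the TSS limit; ports past it are denied (#GP). */
struct io_bitmap {
    const uint8_t *bits;
    size_t len_bytes;
};

/* Constructed sample bitmap covering ports 0..15: only port 0 is open. */
static const uint8_t SAMPLE_BITMAP[2] = { 0xFEu, 0xFFu };
const struct io_bitmap SAMPLE_BM = { SAMPLE_BITMAP, sizeof SAMPLE_BITMAP };

/* The privilege check the CPU applies before executing IN/OUT on 'port'. */
bool io_port_allowed(uint32_t eflags, unsigned cpl, uint16_t port,
                     const struct io_bitmap *bm) {
    if (cpl <= iopl_of(eflags))
        return true;                 /* IOPL high enough: no bitmap lookup */
    if (bm == NULL || bm->bits == NULL)
        return false;                /* no bitmap at all: every port faults */
    size_t byte = port / 8u;
    if (byte >= bm->len_bytes)
        return false;                /* beyond the bitmap limit: #GP */
    return ((bm->bits[byte] >> (port % 8u)) & 1u) == 0;
}

#if defined(__x86_64__) && (defined(__GNUC__) || defined(__clang__))
/* Read the live RFLAGS of this process (user mode can read the flags image). */
uint64_t read_rflags(void) {
    uint64_t f;
    __asm__ volatile("pushfq\n\tpopq %0" : "=r"(f));
    return f;
}

int main(void) {
    uint64_t f = read_rflags();
    printf("current IOPL = %u (an ordinary user thread reports 0)\n",
           iopl_of((uint32_t)f));
    printf("port 0x60 from CPL 3 with IOPL 0: %s\n",
           io_port_allowed(make_eflags(0), 3, 0x60, NULL) ? "allowed" : "faults");
    return 0;
}
#endif
```

The model makes the answer to the IOPL question concrete: the two flag bits travel with each thread's EFLAGS image, so a thread only gets IN/OUT access if the kernel set IOPL for it (as darawk notes for csrss) or opened the specific port in its I/O bitmap; a thread with IOPL 0 and no bitmap faults on every port.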

BanMe
August 9th, 2009, 17:26
Hmm, another piece to the puzzle, a very interesting piece at that...
Don't all non-kernel-mode threads have an IOPL of 3? So where is that ability stripped from a 'user mode' thread? Hmm.

Thanks, darawk, for that bit of precious info.

Regards, BanMe