Interesting article about how user-mode code can access kernel address space and setup a call gateway descriptor GDT without using a driver.

http://www.codeproject.com/system/soviet_kernel_hack.asp