Get the Whitepaper called GDT and LDT in Windows kernel vulnerability exploit. This paper discusses using 1 or 4 byte write-what-where conditions to convert a custom Data-Segment Descriptor entry in LDT of a process into a Call-Gate (with DPL set to 3 and RPL to 0).
You can download it from the following link: https://packetstormsecurity.com/files/download/85297/call_gate_exploitation.pdf
Source: https://packetstormsecurity.com/files/85297/GDT-And-LDT-In-Windows-Kernel-Vulnerability-Exploitation.html