This is a very interesting vulnerability I'd like to talk about. We can exploit it from ring 3 by calling syscall from a non-canonical address, but what I do not understand is what really happens when #GP(0) is raised: how can we control execution flow? I haven't seen much information in the Intel manuals :?
Well, that would be INT 0Dh. General protection violations are handled as faults.
In so many words, then: KiUserExceptionDispatcher would invoke your exception handlers (if any).