Hi ultral!

You can get the address of the system call table like this (the loop brace was missing; IA32_LSTAR is MSR_LSTAR in the kernel headers):

#include <asm/msr-index.h>   /* MSR_LSTAR, 0xc0000082 */
#define IA32_LSTAR MSR_LSTAR

static void *find_sys_call_table(void)
{
	void *system_call;
	unsigned char *ptr;
	unsigned int low, high;
	int i;

	/* LSTAR holds the 64-bit syscall entry point (entry_SYSCALL_64) */
	asm volatile("rdmsr" : "=a" (low), "=d" (high) : "c" (IA32_LSTAR));
	system_call = (void*)(((unsigned long)high<<32) | low);

	/* look for "call *sys_call_table(,%rax,8)" = ff 14 c5 disp32 */
	for (ptr=system_call, i=0; i<500; i++, ptr++) {
		if (ptr[0] == 0xff && ptr[1] == 0x14 && ptr[2] == 0xc5)
			/* disp32 is sign-extended by the CPU; kernel addresses have the high bits set */
			return (void*)(0xffffffff00000000 | *((unsigned int*)(ptr+3)));
	}
	return NULL;
}

and you can use this instead of the asm code to disable memory write protection:

write_cr0(read_cr0() & (~0x10000));

I think it'd be cleaner.
Anyhow, thanks so much for the unconventional approach.
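To check the scan heuristic and the displacement decoding without a kernel module, here is a user-space harness (added example, not the commenter's code) that runs the same pattern match over a constructed byte buffer; the buffer, the displacement and the function names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Scan a copy of syscall entry code for "call *table(,%rax,8)" (ff 14 c5 disp32)
 * and return the table address its displacement encodes, or 0 if not found
 * within the first `limit` bytes. */
uint64_t scan_for_table(const unsigned char *code, size_t len, size_t limit)
{
    size_t n = len < limit ? len : limit;
    for (size_t i = 0; i + 7 <= n; i++) {
        if (code[i] == 0xff && code[i + 1] == 0x14 && code[i + 2] == 0xc5) {
            /* disp32 is little-endian and sign-extended to 64 bits by the CPU;
             * for kernel addresses (high bit set) this equals the OR with
             * 0xffffffff00000000 used above, and it is also right for positive
             * displacements. */
            int32_t disp = (int32_t)((uint32_t)code[i + 3]
                         | (uint32_t)code[i + 4] << 8
                         | (uint32_t)code[i + 5] << 16
                         | (uint32_t)code[i + 6] << 24);
            return (uint64_t)(int64_t)disp;
        }
    }
    return 0;
}

/* Constructed sample entry stub: filler, the call encoding with displacement
 * 0x81801300 (a made-up kernel address), then a ret. */
static const unsigned char sample_entry[] = {
    0x48, 0x89, 0xe7,                          /* mov %rsp,%rdi (filler) */
    0xff, 0x14, 0xc5, 0x00, 0x13, 0x80, 0x81,  /* call *0x...81801300(,%rax,8) */
    0xc3                                       /* ret */
};

int main(void)
{
    uint64_t t = scan_for_table(sample_entry, sizeof sample_entry, 500);
    printf("table = 0x%llx\n", (unsigned long long)t);  /* 0xffffffff81801300 */
    return 0;
}
```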