It's possible to address physical memory directly from NTVDM subsystem.
vulners.com/securityvulns/securityvulns:doc:9673