{
	"id": "14d1b376-e2b1-41d4-afdc-76eab3503500",
	"created_at": "2026-04-06T00:19:34.727826Z",
	"updated_at": "2026-04-10T03:33:35.83456Z",
	"deleted_at": null,
	"sha1_hash": "d7b7412db84ca8f3b161d4c197cf6a7ab3a25e95",
	"title": "GitHub - hfiref0x/TDL: Driver loader for bypassing Windows x64 Driver Signature Enforcement",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51184,
	"plain_text": "GitHub - hfiref0x/TDL: Driver loader for bypassing Windows x64\r\nDriver Signature Enforcement\r\nBy hfiref0x\r\nArchived: 2026-04-05 15:50:40 UTC\r\nDriver loader for bypassing Windows x64 Driver Signature Enforcement\r\nFor more info see\r\nDefeating x64 Driver Signature Enforcement http://www.kernelmode.info/forum/viewtopic.php?\r\nf=11\u0026t=3322\r\nWinNT/Turla http://www.kernelmode.info/forum/viewtopic.php?f=16\u0026t=3193\r\nSystem Requirements and limitations\r\nx64 Windows 7/8/8.1/10.\r\nTDL designed only for x64 Windows, Vista not listed as supported because it is obsolete.\r\nAdministrative privilege is required.\r\nLoaded drivers MUST BE specially designed to run as \"driverless\".\r\nNo SEH support for target drivers.\r\nNo driver unloading.\r\nOnly ntoskrnl import resolved, everything else is up to you.\r\nDummy driver examples provided.\r\nYou use it at your own risk. Some lazy AV may flag this loader as malware.\r\nDifferences between DSEFix and TDL\r\nWhile both DSEFix and TDL uses advantage of driver exploit they completely different on way of it use.\r\nDSEFix manipulate kernel variable called g_CiEnabled (Vista/7, ntoskrnl.exe) and/or g_CiOptions (8+.\r\nCI.DLL). Main advantage of DSEFix is it simplicity - you turn DSE off - load your driver (or patched one)\r\nand nothing else required. Main disadvantage of DSEFix is that on the modern version of Windows (8+)\r\ng_CiOptions variable is subject of PatchGuard (KPP) protection, which mean DSEFix is a potential\r\nBSOD-generator.\r\nTDL does not patch any kernel variables, which makes it friendly to PatchGuard. It uses small shellcode\r\nwhich maps your driver to kernel mode without involving Windows loader (and as result without triggering\r\nany parts of DSE) and executes it. This is main advantage of TDL - non invasive bypass of DSE. 
There are\r\nmany disadvantages however - the first and main -\u003e your driver MUST BE specially created to run as\r\n\"driverless\" which mean you will be unable to load any driver but only specially designed. Your driver will\r\nexist in kernel mode as executable code buffer, it won't be linked to PsLoadedModuleList, there will be\r\nhttps://github.com/hfiref0x/TDL\r\nPage 1 of 3\n\nother limitations. However this code will work at kernel mode and user mode application will be able\r\ncommunicate with it. You can load multiple drivers, of course if they are not conflict with each other.\r\nHow it work\r\nIt uses WinNT/Turla VirtualBox kernel mode exploit technique to write code to the kernel memory and after\r\nexecute this code. TDL uses custom bootstrap shellcode to map your specially designed driver and call it entry\r\npoint (DriverEntry), note that DriverEntry parameters will be invalid and must not be used. Examples of specially\r\ndesigned drivers available as DummyDrv and DummyDrv2. Your DriverEntry will run at IRQL\r\nPASSIVE_LEVEL up to Windows 10 RS1. Starting from Windows 10 RS2 your DriverEntry code runs on IRQL\r\nDISPATCH_LEVEL.\r\nBuild\r\nTDL comes with full source code. In order to build from source you need Microsoft Visual Studio 2015 U1 and\r\nlater versions. 
For driver builds you need Microsoft Windows Driver Kit 8.1 and/or above.\r\nInstructions\r\nSelect Platform ToolSet first for project in solution you want to build (Project-\u003eProperties-\u003eGeneral):\r\nv120 for Visual Studio 2013;\r\nv140 for Visual Studio 2015;\r\nv141 for Visual Studio 2017.\r\nFor v140 and above set Target Platform Version (Project-\u003eProperties-\u003eGeneral):\r\nIf v140 then select 8.1 (Note that Windows 8.1 SDK must be installed);\r\nIf v141 then select 10.0.17763.0 (Note that Windows 10.0.17763 SDK must be installed).\r\nRemove linker option /NOCOFFGRPINFO where it is unsupported/unavailable.\r\nDeprecation\r\nTDL based on old Oracle VirtualBox driver which was created in 2008. This driver wasn't designed to be\r\ncompatible with newest Windows operating system versions and may work incorrectly. Because TDL entirely\r\nbased on this exact VirtualBox driver version LPE it is not wise to use it on newest version of Windows. Consider\r\nthis repository as deprecated/abandonware. The only possible updates can be related only to TDL loader itself.\r\nAuthors\r\n(c) 2016 - 2019 TDL Project\r\nCredits\r\nR136a1\r\nN. Rin\r\nhttps://github.com/hfiref0x/TDL\r\nPage 2 of 3\n\nSource: https://github.com/hfiref0x/TDL\r\nhttps://github.com/hfiref0x/TDL\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://github.com/hfiref0x/TDL"
	],
	"report_names": [
		"TDL"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"ITG12",
				"KRYPTON",
				"MAKERSMARK",
				"Pensive Ursa",
				"Secret Blizzard",
				"Turla",
				"UAC-0003",
				"UAC-0024",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434774,
	"ts_updated_at": 1775792015,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d7b7412db84ca8f3b161d4c197cf6a7ab3a25e95.pdf",
		"text": "https://archive.orkl.eu/d7b7412db84ca8f3b161d4c197cf6a7ab3a25e95.txt",
		"img": "https://archive.orkl.eu/d7b7412db84ca8f3b161d4c197cf6a7ab3a25e95.jpg"
	}
}