Home

Awesome

TDL (Turla Driver Loader)

Driver loader for bypassing Windows x64 Driver Signature Enforcement

For more info see

System Requirements and limitations

You use it at your own risk. Some lazy AV may flag this loader as malware.

Differences between DSEFix and TDL

While both DSEFix and TDL uses advantage of driver exploit they completely different on way of it use.

How it work

It uses WinNT/Turla VirtualBox kernel mode exploit technique to write code to the kernel memory and after execute this code. TDL uses custom bootstrap shellcode to map your specially designed driver and call it entry point (DriverEntry), note that DriverEntry parameters will be invalid and must not be used. Examples of specially designed drivers available as DummyDrv and DummyDrv2. Your DriverEntry will run at IRQL PASSIVE_LEVEL up to Windows 10 RS1. Starting from Windows 10 RS2 your DriverEntry code runs on IRQL DISPATCH_LEVEL.

Build

TDL comes with full source code. In order to build from source you need Microsoft Visual Studio 2015 U1 and later versions. For driver builds you need Microsoft Windows Driver Kit 8.1 and/or above.

Instructions

Remove linker option /NOCOFFGRPINFO where it unsupported/unavailable.

Deprecation

TDL based on old Oracle VirtualBox driver which was created in 2008. This driver wasn't designed to be compatible with newest Windows operation system versions and may work incorrectly. Because TDL entirely based on this exact VirtualBox driver version LPE it is not wise to use it on newest version of Windows. Consider this repository as depricated/abandonware. The only possible updates can be related only to TDL loader itself.

Authors

(c) 2016 - 2019 TDL Project

Credits