Mirage-Rs is a Rust-based reimplementation of the Mirage technique, leveraging Virtualization-Based Security (VBS) enclaves to stage, protect, and execute payloads across VTL boundaries.
This project demonstrates how sensitive data (such as shellcode) can be encrypted ("sealed") inside a VTL1 enclave and later decrypted ("unsealed") into VTL0 memory for execution, effectively bypassing traditional memory inspection and detection mechanisms.
Mirage-Rs abuses the trust boundary between Virtual Trust Levels (VTL0 and VTL1) by:
- Creating a VBS enclave
- Loading a vulnerable enclave image
- Initializing enclave communication
- Using enclave-provided functions to:
  - Seal (encrypt) arbitrary data into VTL1
  - Unseal (decrypt) data back into VTL0
- Executing the unsealed payload in RWX memory
- Cleaning up traces by overwriting memory
The core idea behind Mirage is leveraging VBS enclaves as a trusted encryption/decryption oracle:
- Seal operation: Moves data from VTL0 → VTL1 (encrypted blob)
- Unseal operation: Moves data from VTL1 → VTL0 (plaintext restored)
Because the enclave operates in VTL1, its memory is protected from inspection by standard user-mode and even many kernel-mode security solutions.
- Enclave Creation
  - Uses `CreateEnclave` with `ENCLAVE_TYPE_VBS`
- Image Loading
  - Loads a vulnerable enclave DLL (`prefs_enclave_x64.dll`)
- Initialization
  - Calls the enclave's `Init` routine via `CallEnclave`
- Payload Staging
  - Shellcode is sealed into enclave memory (VTL1)
- Execution
  - Payload is unsealed into RWX memory (VTL0)
  - Execution is triggered via function pointer
- Cleanup
  - Memory is overwritten using a secondary sealed buffer
