1

I'm trying to load a signed DLL into a VBS enclave and LoadEnclaveImage is returning A device attached to the system is not functioning.

Hyper-V, Secure Boot, & TPM 2.0 are all functioning, so I'm not quite sure as to what the error is referring to.

Sample Code: 

if (IsEnclaveTypeSupported(ENCLAVE_TYPE_VBS))
{
    DWORD lpError = 0;
    ENCLAVE_CREATE_INFO_VBS vci = { 0 };
    vci.Flags = 1;

    PVOID enclave = CreateEnclave(GetCurrentProcess(),
        NULL,
        1024 * 1024 * 2,
        NULL,
        ENCLAVE_TYPE_VBS,
        &vci,
        sizeof(ENCLAVE_CREATE_INFO_VBS),
        &lpError);

    if (enclave != NULL)
    {
        auto lib = LoadLibrary(L"kernelbase.dll");
        auto addr = (__LoadEnclaveImage)GetProcAddress(lib, "LoadEnclaveImageW");

        if (addr(enclave, L"...\testme.dll"))
        {
            printf("Worked!\n");
        }
        else {
            printf("Failed to load image\n");
            printf(GetLastErrorAsString().c_str());
        }

    }
    else
    {
        printf(GetLastErrorAsString().c_str());
    }
}
else {
    printf("VBS not supported\n");
}
Killpot
  • 125
  • 1
  • 9

1 Answers1

1

I got the same general error when loading a signed DLL, so I looked for usages of LoadEnclaveImageW in other system binaries using Static Import Finder, and found it in SgrmBroker.exe where it loads "SgrmEnclave_secure.dll". Attempting to use LoadEnclaveImageW with that DLL was successful.

Digging deeper into the PE structure of the "SgrmEnclave_secure.dll" file, we can see that a value is defined for EnclaveConfigurationPointer in the IMAGE_LOAD_CONFIG_DIRECTORY64 structure (see screenshot from PE-bear).

This pointer points to an IMAGE_ENCLAVE_CONFIG64 structure and this screenshot shows what it looks like when parsed in Ghidra. The ImportList member is an RVA for a series of IMAGE_ENCLAVE_IMPORT structures.

So it looks like these structures need to be defined in the PE. This can be done using the /ENCLAVE option in the linker. Not sure if there are additional requirements. Should you get further with this, I'd be interested to know.

Jackson_T
  • 26
  • 2