0

I read about memory enclaves, and I found it an interesting feature to hide some data, so, here I am.

I wasn't able to find anything on the API required, but the MSDN documentation has [no source code on usage], I know that I have to call the following:

  1. IsEnclaveTypeSupported : to make sure I can continue.

  2. CreateEnclave : to return the base address of the enclave created, although I struggled with this one too, but this question helped me.

  3. LoadEnclaveData : to add the data to our created enclave.

  4. InitializeEnclave : to activate the enclave.

  5. based on Windows Internal book (part 1), to execute I have to run the EENTER assembly instruction, which also I didn't find information on, but I think CallEnclave with the base address of the enclave can do the job.

Anyways, I'm stuck at step 3, my LoadEnclaveData is returning error code 87, which is ERROR_INVALID_PARAMETER.

I'm only copying NOPs (0x90) to the address, just to see it through the debugger that is running.

Here is the code:

LPVOID  lpAddress ;
ENCLAVE_CREATE_INFO_VBS VBS = { 0 };
VBS.Flags = 0;
HANDLE hProcess = GetCurrentProcess();
lpAddress = CreateEnclave(
    hProcess,
    NULL,
    2097152, 
    NULL,
    ENCLAVE_TYPE_VBS,
    &VBS, 
    sizeof(ENCLAVE_CREATE_INFO_VBS),
    NULL
);
printf("[-] GetLastError : %d \n", GetLastError());
printf("[+] %-20s : 0x%-016p\n", "lpAddress addr", (void*) lpAddress);
unsigned char buffer[] = {0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 , 0x90 , 0x90 };
LoadEnclaveData(
    hProcess,
    lpAddress,
    &buffer,
    sizeof(buffer),
    PAGE_READWRITE,
    NULL,
    0,
    0,
    0
);
printf("[-] GetLastError : %d \n", GetLastError());

Based on MSDN's LoadEnclaveData documentation, they didn't specify what to do with lpPageInformation, so I think it is the problem, but they said The lpPageInformation parameter is not used. So I recheck a couple of parameters, and I found out that nSize must be a whole-number multiple of the page size. So I got confused, what to do now?

In case anyone is sure about executing a buffer in an enclave, please let me know.

And BTW, the thing in choosing the title is killing me, [I wasted more time on that than writing this].

Remy Lebeau
  • 555,201
  • 31
  • 458
  • 770
muhammad Ali
  • 11
  • 2
  • “nSize must be a whole-number multiple of the page size.” To determine the page size of the computer, I suggest you could try to use the [GetSystemInfo function](https://learn.microsoft.com/en-us/windows/win32/api/sysinfoapi/nf-sysinfoapi-getsysteminfo). – Jeaninez - MSFT Nov 09 '21 at 09:27
  • @jeaninez-msfti did that as following: SYSTEM_INFO stInfo; GetNativeSystemInfo(&stInfo); DWORD nSize = (stInfo.dwPageSize ) ; and i just made the nSize parameter in the function as the size of pageSize, i had ERROR_BAD_LENGTH error as so as the multiple of the page size number, and as they said in bytes and a whole number, idk what is the real length behind it so what is the wrong thing i did !! – muhammad Ali Nov 11 '21 at 08:06
  • I have same problem. Did you figure it out? – 7eRoM Feb 11 '22 at 06:35

0 Answers0