A Rust port of the original Mirage PoC memory evasion technique that relies on a vulnerable VBS enclave to hide shellcode within VTL1. This project was refactored from the original C++ implementation, primarily to serve as an educational resource for developers interested in Windows systems programming with Rust.
For additional information about the technique, please refer to the original blogpost: https://www.akamai.com/blog/security-research/2025-february-abusing-vbs-enclaves-evasive-malware
RustyMirage is a complete refactoring of the original C++ Mirage project into idiomatic Rust, while maintaining all functionality of the original implementation. This port demonstrates:
- How to use the Windows API from Rust using the `windows` crate
- FFI techniques for interfacing with Windows enclaves
- Memory management and unsafe Rust for low-level operations
- Cross-platform testing strategies for Windows-specific code
The code performs the following steps:
1. Loads a vulnerable version of the `prefs_enclave_x64.dll` enclave
2. Calls the vulnerable `SealSettings` function to store shellcode and a "cleanup buffer" inside the enclave (VTL1)
3. Allocates an empty RWX buffer in VTL0
4. Calls the vulnerable `UnsealSettings` function to write the shellcode from the enclave into the VTL0 executable buffer
5. Jumps to the shellcode
6. When the shellcode returns, calls the vulnerable `UnsealSettings` function to overwrite the VTL0 shellcode buffer with the cleanup buffer
7. Sleeps for 5 seconds and repeats from step 4
This implementation is very simplistic and is only meant to demonstrate the concept - adjustments are certainly required to weaponize it.
Interestingly, RustyMirage was developed on macOS, despite being Windows-specific code. This was made possible through:
- Cross-Platform Testing Strategy: The test suite was designed to run in simulation mode on non-Windows platforms, allowing for basic functionality verification during development.
- Docker-Based Testing: We created a Windows container configuration that provides the necessary environment to test the full functionality, including:
  - Windows Server Core container
  - Hyper-V isolation for VBS support
  - Visual Studio Build Tools and Rust toolchain
- Test Automation: Test scripts (both `.bat` and `.sh`) that automate the build and test process, checking that:
  - Memory allocation works correctly
  - Data movement between VTL1 and VTL0 functions as expected
  - Cleanup procedures properly sanitize memory
To run the tests yourself, see the instructions in TEST.md.
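The simulation-mode strategy described above can be expressed as a backend trait with a `#[cfg(not(windows))]` in-memory implementation, so the same three checks (allocation, data movement, cleanup) compile and run on a macOS or Linux host. The following is an added example written for this README, not RustyMirage's own code: the names `Backend`, `SimBackend`, `run_checks` and `run_simulated` are assumptions, the simulated "sealed" side is just a `Vec<u8>`, and the real Windows enclave backend that would implement the same trait is out of scope here.

```rust
// Added example (not RustyMirage's own code): the cfg-gated "simulation mode"
// pattern that lets a Windows-only test suite run on a non-Windows host.
// The simulated backend models the protected store and the VTL0 output buffer
// with plain Vec<u8>, so allocation, data-movement and cleanup checks can
// execute anywhere. A Windows backend implementing the same trait is out of scope.
use std::io;

/// Operations the test suite exercises, independent of how they are implemented.
pub trait Backend {
    /// Allocate an output buffer of `len` bytes (VTL0 side). Returns the buffer length.
    fn alloc(&mut self, len: usize) -> io::Result<usize>;
    /// Store `data` on the protected side (the "seal" step).
    fn seal(&mut self, data: &[u8]) -> io::Result<()>;
    /// Copy the stored bytes into the output buffer (the "unseal" step). Returns bytes moved.
    fn unseal(&mut self) -> io::Result<usize>;
    /// Overwrite the output buffer with zeros (the cleanup step).
    fn cleanup(&mut self) -> io::Result<()>;
    /// Read-only view of the output buffer, for assertions.
    fn output(&self) -> &[u8];
}

/// Simulation backend compiled only when building on a non-Windows host.
#[cfg(not(windows))]
pub mod sim {
    use super::Backend;
    use std::io;

    #[derive(Default)]
    pub struct SimBackend {
        sealed: Vec<u8>,
        output: Vec<u8>,
    }

    impl Backend for SimBackend {
        fn alloc(&mut self, len: usize) -> io::Result<usize> {
            if len == 0 {
                return Err(io::Error::new(io::ErrorKind::InvalidInput, "zero-length allocation"));
            }
            self.output = vec![0u8; len];
            Ok(len)
        }

        fn seal(&mut self, data: &[u8]) -> io::Result<()> {
            self.sealed = data.to_vec();
            Ok(())
        }

        fn unseal(&mut self) -> io::Result<usize> {
            // Mirror the bounds check a real backend needs: never write past the buffer.
            if self.output.len() < self.sealed.len() {
                return Err(io::Error::new(io::ErrorKind::InvalidInput, "output buffer too small"));
            }
            let n = self.sealed.len();
            self.output[..n].copy_from_slice(&self.sealed);
            Ok(n)
        }

        fn cleanup(&mut self) -> io::Result<()> {
            // Volatile writes so the compiler cannot optimise the zeroing away.
            for b in self.output.iter_mut() {
                unsafe { std::ptr::write_volatile(b, 0) };
            }
            Ok(())
        }

        fn output(&self) -> &[u8] {
            &self.output
        }
    }
}

/// The checks TEST.md lists, written once against the trait so they run
/// unchanged against whichever backend the platform provides.
pub fn run_checks<B: Backend>(b: &mut B, data: &[u8]) -> io::Result<bool> {
    let len = b.alloc(data.len())?; // allocation works
    b.seal(data)?;
    let moved = b.unseal()?; // data movement
    let moved_ok = len == data.len() && moved == data.len() && b.output() == data;
    b.cleanup()?; // cleanup sanitises memory
    let wiped = b.output().iter().all(|&x| x == 0);
    Ok(moved_ok && wiped)
}

/// Convenience entry point for the non-Windows host.
#[cfg(not(windows))]
pub fn run_simulated(data: &[u8]) -> io::Result<bool> {
    run_checks(&mut sim::SimBackend::default(), data)
}

#[cfg(not(windows))]
fn main() {
    // Constructed sample bytes; any content works for the simulation.
    let sample: Vec<u8> = (1u8..=16).collect();
    println!("simulation checks passed: {}", run_simulated(&sample).unwrap());
}
```

On Windows the same `run_checks` would be handed a backend that wraps the real enclave calls; the test script only needs to pick the backend for the platform, which is what keeps the checks identical across hosts.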
To build RustyMirage, you'll need:
- Rust toolchain (rustup.rs)
- Windows target: `rustup target add x86_64-pc-windows-msvc`
Run these commands:
```
cd RustyMirage
cargo build --release
```
The binary will be available at `target/release/rusty_mirage.exe`
RustyMirage exploits a vulnerability in VBS (Virtualization-Based Security) enclaves to store shellcode in VTL1 (Virtual Trust Level 1), which is typically more privileged and harder for security software to inspect.
The implementation:
- Uses Windows enclave APIs like `CreateEnclave`, `LoadEnclaveImageW`, `InitializeEnclave`, and `CallEnclave`
- Leverages FFI to interact with the vulnerable enclave functions
- Handles memory allocation and execution with proper unsafe Rust
- Implements a cleanup mechanism to avoid leaving detectable artifacts in memory
- Original Implementation: Mirage project by Akamai Technologies Inc.
- Original Author: Credit to the GitHub contributor who built the C++ version
- Vulnerability Discovery: Alex Gough of the Chrome Security Team for the POC exploit for CVE-2023-36880 (https://github.com/google/security-research/security/advisories/GHSA-wwr4-v5mr-3x9w)
MIT License
Copyright (c) 2025 RustyMirage Contributors
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.